From 6770ab7ec5b3956fa9920344c1777b30dd0d3231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ku=C5=BE=C3=ADlek?= Date: Mon, 9 Mar 2020 15:44:48 +0100 Subject: [PATCH] RES fixes --- yadc/bp/manage.py | 28 ++++++++++++++++++++-------- yadc/bp/post.py | 2 +- yadc/models.py | 10 ++++++---- yadc/templates/post/post.html | 5 +++-- 4 files changed, 30 insertions(+), 15 deletions(-) diff --git a/yadc/bp/manage.py b/yadc/bp/manage.py index 8233c4b..b1322f8 100644 --- a/yadc/bp/manage.py +++ b/yadc/bp/manage.py @@ -1,4 +1,4 @@ -from flask import (Blueprint, abort, current_app, flash, redirect, +from flask import (Blueprint, current_app, flash, redirect, render_template, request, send_from_directory, url_for) from flask_login import login_required, current_user from yadc.forms import UserForm, PostForm, TagForm, CommentForm @@ -28,9 +28,11 @@ def manage_users(page): @bp.route('/posts', defaults={'page': 1}) @bp.route('/posts/') @login_required -@moderator_required def manage_posts(page): - posts = Post.query.order_by(Post.id.desc()).paginate(page, current_app.config.get('MANAGE_PER_PAGE')) + if current_user.is_moderator: + posts = Post.query.order_by(Post.id.desc()).paginate(page, current_app.config.get('MANAGE_PER_PAGE')) + else: + posts = Post.query.filter_by(author=current_user).order_by(Post.id.desc()).paginate(page, current_app.config.get('MANAGE_PER_PAGE')) for post in posts.items: post.editform = PostForm( @@ -78,6 +80,13 @@ def modify_user(): else: el = User.query.filter_by(id=form.id.data).first() if form.delete.data: + if el.is_current: + flash("You can't just delete yourself.") + return redirect(url_for('.manage_users')) + elif el.is_admin: + flash("You can't just delete admins.") + return redirect(url_for('.manage_users')) + db.session.delete(el) db.session.commit() flash('{} deleted.'.format(str(el))) @@ -97,7 +106,6 @@ def modify_user(): @bp.route('/modify_post', methods=['POST']) @login_required -@moderator_required def modify_post(): form = PostForm(request.form) # flash(str(request.form)) @@ -106,6 +114,9 @@ def modify_post(): pass else: el = Post.query.filter_by(id=form.id.data).first() + if not current_user.is_moderator or not el.author.is_current: + flash("You don't have sufficient rights to do this.") + return redirect(url_for('main.index')) if form.delete.data: db.session.delete(el) db.session.commit() @@ -165,11 +176,12 @@ def modify_comment(): db.session.commit() flash('Successfully submitted {}'.format(str(el))) - return redirect(url_for('.post_show', id=form.post_id.data)) + return redirect(url_for('post.post_show', id=form.post_id.data)) else: el = Comment.query.filter_by(id=form.id.data).first() - if not current_user.is_moderator or not el.is_current: - return abort(403) + if not current_user.is_moderator or not el.user.is_current: + flash("You don't have sufficient rights to do this.") + return redirect(url_for('main.index')) if form.delete.data: db.session.delete(el) db.session.commit() @@ -180,6 +192,6 @@ def modify_comment(): db.session.commit() flash('Changes to {} have been applied.'.format(str(el))) - return redirect(url_for('.post_show', id=el.post_id)) + return redirect(url_for('post.post_show', id=el.post_id)) return redirect(url_for('main.posts')) \ No newline at end of file diff --git a/yadc/bp/post.py b/yadc/bp/post.py index 2fb3f06..01e32fc 100644 --- a/yadc/bp/post.py +++ b/yadc/bp/post.py @@ -121,7 +121,7 @@ def tag_autocomplete(): # A TRY TO MAKE A DANBOORU COMPATIBLE API # import json @bp.route('/index.json') -def post_index(): +def posts_api(): # return jsonify(json.load(open('index.json', 'r'))) # return jsonify(json.load(open('test.json', 'r'))) diff --git a/yadc/models.py b/yadc/models.py index 23d0b2d..e5a58d1 100644 --- a/yadc/models.py +++ b/yadc/models.py @@ -5,7 +5,7 @@ import os from datetime import datetime, timezone from functools import wraps -from flask import current_app, url_for, abort +from flask import current_app, url_for, flash, redirect from flask_login import UserMixin, login_user, logout_user, current_user from PIL import Image from sqlalchemy_utc import UtcDateTime, utcnow @@ -126,8 +126,9 @@ def moderator_required(func): @wraps(func) def dec_view(*args, **kwargs): if current_user: - if not current_user.is_moderator or not current_user.is_admin: - return abort(403) + if not current_user.is_moderator and not current_user.is_admin: + flash("You don't have sufficient rights to do this.") + return redirect(url_for('main.index')) return func(*args, **kwargs) return dec_view @@ -136,7 +137,8 @@ def admin_required(func): def dec_view(*args, **kwargs): if current_user: if not current_user.is_admin: - return abort(403) + flash("You don't have sufficient rights to do this.") + return redirect(url_for('main.index')) return func(*args, **kwargs) return dec_view diff --git a/yadc/templates/post/post.html b/yadc/templates/post/post.html index 98fd3b7..2290560 100644 --- a/yadc/templates/post/post.html +++ b/yadc/templates/post/post.html @@ -77,13 +77,14 @@ {% if not comment.deleted %} -
+ {{ comment.editform.csrf_token }} {{ comment.editform.id() }}

{{ comment.content }}

{{ comment.editform.content(class="edit") }} {{ comment.editform.edit(class="edit") }} + {{ comment.editform.delete(class="edit") }}
{% else %} @@ -102,7 +103,7 @@ {% if current_user.is_authenticated %}

Reply

-
+ {{ comment_form.csrf_token }} {{ comment_form.post_id() }}