RES fixes

yadc/bp/manage.py

@@ -1,4 +1,4 @@
-from flask import (Blueprint, abort, current_app, flash, redirect,
+from flask import (Blueprint, current_app, flash, redirect,
                    render_template, request, send_from_directory, url_for)
 from flask_login import login_required, current_user
 from yadc.forms import UserForm, PostForm, TagForm, CommentForm
@@ -28,9 +28,11 @@ def manage_users(page):
 @bp.route('/posts', defaults={'page': 1})
 @bp.route('/posts/<int:page>')
 @login_required
-@moderator_required
 def manage_posts(page):
+    if current_user.is_moderator:
         posts = Post.query.order_by(Post.id.desc()).paginate(page, current_app.config.get('MANAGE_PER_PAGE'))
+    else:
+        posts = Post.query.filter_by(author=current_user).order_by(Post.id.desc()).paginate(page, current_app.config.get('MANAGE_PER_PAGE'))
 
     for post in posts.items:
         post.editform = PostForm(
@@ -78,6 +80,13 @@ def modify_user():
         else:
             el = User.query.filter_by(id=form.id.data).first()
             if form.delete.data:
+                if el.is_current:
+                    flash("You can't just delete yourself.")
+                    return redirect(url_for('.manage_users'))
+                elif el.is_admin:
+                    flash("You can't just delete admins.")
+                    return redirect(url_for('.manage_users'))
+
                 db.session.delete(el)
                 db.session.commit()
                 flash('{} deleted.'.format(str(el)))
@@ -97,7 +106,6 @@ def modify_user():
 
 @bp.route('/modify_post', methods=['POST'])
 @login_required
-@moderator_required
 def modify_post():
     form = PostForm(request.form)
     # flash(str(request.form))
@@ -106,6 +114,9 @@ def modify_post():
             pass
         else:
             el = Post.query.filter_by(id=form.id.data).first()
+            if not current_user.is_moderator or not el.author.is_current:
+                flash("You don't have sufficient rights to do this.")
+                return redirect(url_for('main.index'))
             if form.delete.data:
                 db.session.delete(el)
                 db.session.commit()
@@ -165,11 +176,12 @@ def modify_comment():
 
             db.session.commit()
             flash('Successfully submitted {}'.format(str(el)))
-            return redirect(url_for('.post_show', id=form.post_id.data))
+            return redirect(url_for('post.post_show', id=form.post_id.data))
         else:
             el = Comment.query.filter_by(id=form.id.data).first()
-            if not current_user.is_moderator or not el.is_current:
+            if not current_user.is_moderator or not el.user.is_current:
-                return abort(403)
+                flash("You don't have sufficient rights to do this.")
+                return redirect(url_for('main.index'))
             if form.delete.data:
                 db.session.delete(el)
                 db.session.commit()
@@ -180,6 +192,6 @@ def modify_comment():
                 db.session.commit()
                 flash('Changes to {} have been applied.'.format(str(el)))
 
-            return redirect(url_for('.post_show', id=el.post_id))
+            return redirect(url_for('post.post_show', id=el.post_id))
 
     return redirect(url_for('main.posts'))

yadc/bp/post.py

@@ -121,7 +121,7 @@ def tag_autocomplete():
 # A TRY TO MAKE A DANBOORU COMPATIBLE API
 # import json
 @bp.route('/index.json')
-def post_index():
+def posts_api():
     # return jsonify(json.load(open('index.json', 'r')))
     # return jsonify(json.load(open('test.json', 'r')))
 

yadc/models.py

@@ -5,7 +5,7 @@ import os
 from datetime import datetime, timezone
 from functools import wraps
 
-from flask import current_app, url_for, abort
+from flask import current_app, url_for, flash, redirect
 from flask_login import UserMixin, login_user, logout_user, current_user
 from PIL import Image
 from sqlalchemy_utc import UtcDateTime, utcnow
@@ -126,8 +126,9 @@ def moderator_required(func):
     @wraps(func)
     def dec_view(*args, **kwargs):
         if current_user:
-            if not current_user.is_moderator or not current_user.is_admin:
+            if not current_user.is_moderator and not current_user.is_admin:
-                return abort(403)
+                flash("You don't have sufficient rights to do this.")
+                return redirect(url_for('main.index'))
         return func(*args, **kwargs)
     return dec_view
 
@@ -136,7 +137,8 @@ def admin_required(func):
     def dec_view(*args, **kwargs):
         if current_user:
             if not current_user.is_admin:
-                return abort(403)
+                flash("You don't have sufficient rights to do this.")
+                return redirect(url_for('main.index'))
         return func(*args, **kwargs)
     return dec_view
 

yadc/templates/post/post.html

@@ -77,13 +77,14 @@
             
             {% if not comment.deleted %}
 
-            <form class="comment_editform editingable" action="{{ url_for('post.comment') }}" method="post">
+            <form class="comment_editform editingable" action="{{ url_for('manage.modify_comment') }}" method="post">
                 {{ comment.editform.csrf_token }}
                 {{ comment.editform.id() }}
                 <p class="comment_content notedit">{{ comment.content }}</p>
 
                 {{ comment.editform.content(class="edit") }}
                 {{ comment.editform.edit(class="edit") }}
+                {{ comment.editform.delete(class="edit") }}
             </form>
             
             {% else %}
@@ -102,7 +103,7 @@
     {% if current_user.is_authenticated %}
     <div class="form">
         <h3>Reply</h3>
-        <form action="{{ url_for('post.comment') }}" method="post">
+        <form action="{{ url_for('manage.modify_comment') }}" method="post">
             {{ comment_form.csrf_token }}
             {{ comment_form.post_id() }}
             <div>