commit 46f6573422add1440b7481d9d8c7b9ac2a5b6557
parent 56301540c3ee35f9fd6b0026079d92365518248c
Author: parazyd <parazyd@dyne.org>
Date: Thu, 24 Jan 2019 11:48:31 +0100
Allow users to edit their own story.
Diffstat:
3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/diaspora.py b/diaspora.py
@@ -276,13 +276,14 @@ def edit():
"""
Route for editing and redacting.
"""
- if not current_user.is_admin:
- return render_template('fail.html', msg='Unauthorized.')
-
if request.method != 'POST':
story = get_story(request.args.get('id'))
if story:
- return render_template('edit.html', story=story)
+ if current_user.is_admin or current_user.username == story['email']:
+ return render_template('edit.html', story=story)
+ else:
+ return render_template('fail.html', msg='Unauthorized.')
+
return render_template('fail.html', msg='No story with this story id.')
vals = [
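Review bot: The ownership test `current_user.is_admin or current_user.username == story['email']` is spelled out here and again in the POST branch of the next hunk; a one-line helper such as `def _can_edit(story): return current_user.is_admin or current_user.username == story['email']` would keep the two checks from drifting apart. The comparison treats the story's stored email as the owner's username, which only holds if accounts are keyed by email address — a comment stating that assumption would help, since a mismatch silently denies the owner. edit()'s decorators sit above this hunk, so whether an anonymous current_user can reach these attribute reads cannot be confirmed from the diff.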
@@ -294,9 +295,14 @@ def edit():
('story', request.form.get('Story', 'foo')),
('abstract', request.form.get('Abstract', 'foo')),
]
+
if request.form.get('Id'):
- sql_update_row_where(vals, 'id', request.form.get('Id'))
- return render_template('success.html', msg='Story redacted!')
+ story = get_story(request.form.get('Id'))
+ if current_user.is_admin or current_user.username == story['email']:
+ sql_update_row_where(vals, 'id', request.form.get('Id'))
+ return render_template('success.html', msg='Story redacted!')
+
+ return render_template('fail.html', msg='Redaction failed.')
@app.route('/view')
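Review bot: `story['email']` on the new line is evaluated even when `get_story()` returns nothing for the posted Id, so an unknown or tampered `Id` turns into a TypeError/500 instead of the failure page the GET branch returns; guard it as `if story and (current_user.is_admin or current_user.username == story['email']):`. The unauthorized case then falls through to 'Redaction failed.', whereas the GET branch says 'Unauthorized.'; distinguishing the two makes the failure clearer to both users and anyone reading logs. edit() begins before this hunk and the start of the `vals` list is not visible here.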
diff --git a/templates/edit.html b/templates/edit.html
@@ -20,6 +20,7 @@
<main role="main" class="container">
+ {% if current_user.is_admin %}
<p>
<button type="button" class="btn btn-outline-danger" data-toggle="modal" data-target="#deleteModal">
Delete this story
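Review bot: The `{% if current_user.is_admin %}` wrapper only hides the delete button and modal from the page; whatever endpoint the modal submits to is not in this diff, so it should be confirmed that it checks `is_admin` server-side the way /edit now does, because a non-admin owner can still issue that request directly. A short template comment such as `{# admin-only controls; the backing route must enforce is_admin itself #}` would record that the gate here is cosmetic.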
@@ -45,10 +46,11 @@
</div>
</div>
</div>
+ {% endif %}
<form action="/edit" method="POST" id="storyform">
<div class="form-group">
- <input type="text" name="Id" value="{{ story['id'] }}" style="display: none;">
+ <input type="hidden" name="Id" value="{{ story['id'] }}">
<p class="lead">Name:<br>
<input type="text" class="form-control" name="Name" required value="{{ story['name'] }}">
@@ -61,7 +63,6 @@
<input type="text" class="form-control" name="EmbarkOther" id="embarkother" style="display: none;" placeholder="Type country here">
</p>
-
<p class="lead">Country of disembarkment:<br>
<select name="Disembark" class="form-control" form="storyform" onchange="countryCheck(this, 'disembarkother');" selected="{{ story['disembark'] }}">
<option value="{{ story['disembark'] }}">{{ story['disembarkname'] }}</option>
@@ -73,9 +74,11 @@
<input type="text" class="form-control" name="City" value="{{ story['city'] }}">
</p>
+ {% if current_user.is_admin %}
<p class="lead">Email:<br>
<input type="email" class="form-control" name="Email" value="{{ story['email'] }}">
</p>
+ {% endif %}
<p class="lead">Story abstract:<br>
<textarea name="Abstract" class="form-control" form="storyform">{{ story['abstract'] }}</textarea>
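Review bot: Hiding the Email input for non-admins is only a client-side measure; a story owner can still include an `Email` field in the POST by hand, and if the `vals` list in diaspora.py (its first entries are cut off above the `story`/`abstract` lines) still reads `request.form.get('Email', ...)` unconditionally, the update writes whatever value is sent — the very field the new ownership check keys on. Conversely, the legitimate non-admin form now omits `Email`, so a `'foo'`-style default like the one used for the other fields would overwrite the owner's address on every save and lock them out of their own story. The server side should preserve the stored email for non-admin users, e.g. `('email', request.form.get('Email') if current_user.is_admin else story['email'])`, rather than relying on the template.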
diff --git a/templates/view.html b/templates/view.html
@@ -18,11 +18,13 @@
{% endif %}
</p>
- {% if current_user.is_admin %}
+ {% if current_user.is_admin or current_user.username == story['email'] %}
<a href="/edit?id={{ story['id'] }}" class="btn btn-sm btn-outline-secondary">Edit</a>
+ {% endif %}
+ {% if current_user.is_admin %}
<a href="/dashboard?hideid={{ story['id'] }}" class="btn btn-sm btn-outline-secondary">Hide</a>
- <hr>
{% endif %}
+ <hr>
{{ story['story']|safe }}