generic has_permission decorator, other things, etc. it is likely not functional presently, but I am done for the day

author: citrons <citrons> 2021-08-18 06:13:29 +0000
committer: citrons <citrons> 2021-08-18 06:13:29 +0000
commit: e27cedd558e50f64571610e2c03c6db189fff446 (patch)
tree: f47c2c727abf4fad6b70d3da04438ea649813df4
parent: c49955a06909d2dd081bc82131fe8e1450055ee0 (diff)
4 files changed, 58 insertions, 22 deletions
diff --git a/apioforum/forum.py b/apioforum/forum.py
index badbd14..6d3f5cf 100644
--- a/apioforum/forum.py
+++ b/apioforum/forum.py
@@ -22,24 +22,35 @@ class Forum(DbWrapper):
     primary_key = "id"
     references = {"parent", Forum}
 
+    def has_permission(self, user, permission, login_required=True):
+        return(has_permission(self._key, str(user), permission, login_required))
+
+    def has_bureaucrat(self, user):
+        return(is_bureaucraft(self._key, str(user)))
+
+    def get_avail_tags(self):
+        db = get_db()
+        return Tag.query_some("""
+            WITH RECURSIVE fs AS
+                    (SELECT * FROM forums WHERE id = ?
+                     UNION ALL
+                     SELECT forums.* FROM forums, fs WHERE fs.parent=forums.id)
+            SELECT * FROM tags
+            WHERE tags.forum in (SELECT id FROM fs)
+            ORDER BY id;    	
+            """,(self,))
+
+    def get_forum(self):
+        return self
+
+class Tag(DbWrapper):
+    table = "tags"
+    references = {"forum": Forum}
 
 @bp.route("/")
 def not_actual_index():
     return redirect("/1")
 
-def get_avail_tags(forum_id):
-    db = get_db()
-    tags = db.execute("""
-    	WITH RECURSIVE fs AS
-    		(SELECT * FROM forums WHERE id = ?
-    		 UNION ALL
-    		 SELECT forums.* FROM forums, fs WHERE fs.parent=forums.id)
-    	SELECT * FROM tags
-    	WHERE tags.forum in (SELECT id FROM fs)
-    	ORDER BY id;    	
-    	""",(forum_id,)).fetchall()
-    return tags 
-
 def forum_path(forum_id):
     db = get_db()
     ancestors = db.execute("""
diff --git a/apioforum/roles.py b/apioforum/roles.py
index aa1d239..0e3c4d3 100644
--- a/apioforum/roles.py
+++ b/apioforum/roles.py
@@ -95,3 +95,28 @@ def has_permission(forum_id, username, permission, login_required=True):
 def is_bureaucrat(forum_id, user):
     if user == None: return False
     return get_user_role(forum_id, user) == "bureaucrat"
+
+# ^ the above could perhaps be refactored to use the new DB wrappers, but I am
+# not focusing on it right now
+
+# decorators for paths that require certain permissions
+# the path must accept an object implementing get_forum
+def requires_permission(*a, **k):
+    def decorator(f):
+        @functools.wraps(f)
+        def wrapper(obj, *args, **kwargs):
+            if not obj.get_forum().has_permission(g.user, *a, **k):
+                abort(403)
+            return f(obj, *args, **kwargs)
+        return wrapper
+    return decorator
+
+def requires_bureaucrat(f):
+    @functools.wraps(f)
+    @requires_permission("p_view_forum")
+    def wrapper(obj, *args, **kwargs):
+        if not obj.get_forum().is_bureaucrat(g.user):
+            abort(403)
+        return f(forum, *args, **kwargs)
+    return wrapper
+
diff --git a/apioforum/thread.py b/apioforum/thread.py
index d0d7e83..3311c4e 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -7,8 +7,8 @@ from flask import (
     url_for, flash, jsonify
 )
 from .db import get_db, DbWrapper
-from .roles import has_permission
-from .forum import get_avail_tags, Forum
+from .roles import has_permission, requires_permission
+from .forum import Forum, Tag
 from .user import User
 
 bp = Blueprint("thread", __name__, url_prefix="/thread")
@@ -45,10 +45,6 @@ class Vote(DbWrapper):
     table = "votes"
     references = {"poll": Poll, "user": User}
 
-class Tag(DbWrapper):
-    table = "tags"
-    references = {"forum": Forum}
-
 class Thread(DbWrapper):
     table = "threads"
     references = {"forum": Forum, "poll": Poll}
@@ -67,6 +63,9 @@ class Thread(DbWrapper):
             ORDER BY tags.id
             """,(self,))
 
+    def get_forum(self):
+        return self.forum
+
 class Post(DbWrapper):
     table = "posts"
     references = {"thread": Thread, "author": User, "vote": Vote}
@@ -76,10 +75,9 @@ def post_jump(thread_id, post_id):
     return url_for("thread.view_thread",thread_id=thread_id)+"#post_"+str(post_id)
 
 @bp.route("/<db(Thread):thread>")
+@requires_permission("p_view_threads")
 def view_thread(thread):
     db = get_db()
-    if not has_permission(thread['forum'], g.user, "p_view_threads", False):
-        abort(403)
     posts = thread.get_posts()
     tags = thread.get_tags()
 
@@ -100,7 +98,6 @@ def view_thread(thread):
         posts=posts,
         thread=thread,
         tags=tags,
-        poll=poll,
         has_voted=has_voted,
     )
 
diff --git a/apioforum/user.py b/apioforum/user.py
index b92d8b3..3f19a6f 100644
--- a/apioforum/user.py
+++ b/apioforum/user.py
@@ -16,6 +16,9 @@ class User(DbWrapper):
     def set_password(self, password):
         self.password = generate_password_hash(password)
 
+    def __str__(self):
+        return self._key
+
 
 @bp.route("/<username>")
 def view_user(username):
author	citrons <citrons>	2021-08-18 06:13:29 +0000
committer	citrons <citrons>	2021-08-18 06:13:29 +0000
commit	e27cedd558e50f64571610e2c03c6db189fff446 (patch)
tree	f47c2c727abf4fad6b70d3da04438ea649813df4
parent	c49955a06909d2dd081bc82131fe8e1450055ee0 (diff)