"just commit" - ubq

4 files changed, 49 insertions, 14 deletions

diff --git a/apioforum/__init__.py b/apioforum/__init__.py
index 30dd813..7c99c0c 100644
--- a/apioforum/__init__.py
+++ b/apioforum/__init__.py
@@ -48,6 +48,8 @@ def create_app():
         return dict(path_for_next=p)
 
     app.jinja_env.globals.update(forum_path=forum.forum_path)
+    from .roles import has_permission, is_bureaucrat, 
+    app.jinja_env.globals.update(has_permission=has_permission,is_bureaucrat=is_bureaucrat)
 
     from .mdrender import render
     @app.template_filter('md')
diff --git a/apioforum/forum.py b/apioforum/forum.py
index ed7e2b7..5c6f5bf 100644
--- a/apioforum/forum.py
+++ b/apioforum/forum.py
@@ -8,8 +8,7 @@ from flask import (
 
 from .db import get_db
 from .mdrender import render
-from .roles import get_forum_roles
-from .roles import permissions as role_permissions
+from .roles import get_forum_roles,has_permission,is_bureaucrat
 
 from sqlite3 import OperationalError
 import datetime
@@ -32,10 +31,30 @@ def forum_path(forum_id):
     ancestors.reverse()
     return ancestors
 
-@bp.route("/<int:forum_id>")
-def view_forum(forum_id):
+def forum_route(relative_path, **kwargs):
+    def decorator(f):
+        path = "/<int:forum_id>"
+        if relative_path != "":
+            path += "/" + relative_path
+
+        @bp.route(path, **kwargs)
+        def wrapper(forum_id, *args, **kwargs):
+            db = get_db()
+            forum = db.execute("SELECT * FROM forums WHERE id = ?",
+                    (forum_id,)).fetchone()
+            if forum == None:
+                abort(404)
+            return f(forum, *args, **kwargs)
+
+def requires_permission(permission):
+    def decorator(f):
+        def wrapper(forum, *args, **kwargs):
+            if not has_permission(forum['id'], g.user, permission):
+                abort(403)
+
+@forum_route("")
+def view_forum(forum):
     db = get_db()
-    forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum_id,)).fetchone()
     threads = db.execute(
         """SELECT
             threads.id, threads.title, threads.creator, threads.created,
@@ -49,7 +68,7 @@ def view_forum(forum_id):
         INNER JOIN number_of_posts ON number_of_posts.thread = threads.id
         WHERE threads.forum = ?
         ORDER BY threads.updated DESC;
-        """,(forum_id,)).fetchall()
+        """,(forum['id'],)).fetchall()
     thread_tags = {}
     #todo: somehow optimise this
     for thread in threads:
@@ -66,7 +85,7 @@ def view_forum(forum_id):
             WHERE parent = ?
             GROUP BY forums.id
             ORDER BY name ASC
-            """,(forum_id,)).fetchall()
+            """,(forum['id'],)).fetchall()
     subforums = []
     for s in subforums_rows:
         a={}
@@ -75,7 +94,6 @@ def view_forum(forum_id):
             a['updated'] = datetime.datetime.fromisoformat(a['updated'])
         subforums.append(a)
         
-
     return render_template("view_forum.html",
             forum=forum,
             subforums=subforums,
@@ -83,10 +101,10 @@ def view_forum(forum_id):
             thread_tags=thread_tags,
             )
 
-@bp.route("/<int:forum_id>/create_thread",methods=("GET","POST"))
-def create_thread(forum_id):
+@forum_route("create_thread",methods=("GET","POST"))
+def create_thread(forum):
     db = get_db()
-    forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum_id,)).fetchone()
+    forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum['id'],)).fetchone()
     if forum is None:
         flash("that forum doesn't exist")
         return redirect(url_for('index'))
@@ -106,7 +124,7 @@ def create_thread(forum_id):
             cur = db.cursor()
             cur.execute(
                 "INSERT INTO threads (title,creator,created,updated,forum) VALUES (?,?,current_timestamp,current_timestamp,?);",
-                (title,g.user,forum_id)
+                (title,g.user,forum['id'])
             )
             thread_id = cur.lastrowid
             cur.execute(
diff --git a/apioforum/roles.py b/apioforum/roles.py
index ae193a7..ab273c8 100644
--- a/apioforum/roles.py
+++ b/apioforum/roles.py
@@ -65,3 +65,12 @@ def get_forum_roles(forum_id):
             SELECT * FROM role_config WHERE forum = ?
             """,(a['id'],)).fetchall()
     return set(r['role'] for r in configs)
+
+def has_permission(forum_id, user, permission):
+    role = get_user_role(forum_id, user) if user != None else "other"
+    config = get_role_config(forum_id, role)
+    return config[permission]
+
+def is_bureaucrat(forum_id, user):
+    if user == None: return False
+    return get_user_role(forum_id, user) == "bureaucrat"
diff --git a/apioforum/templates/view_forum.html b/apioforum/templates/view_forum.html
index d3d09e1..98d2110 100644
--- a/apioforum/templates/view_forum.html
+++ b/apioforum/templates/view_forum.html
@@ -8,10 +8,11 @@
 {%endblock%}
 
 {%block content%}
-{% if forum.description %}
 {{forum.description|md|safe}}
-<hr/>
+{% if is_bureaucrat(forum.id, g.user) %}
+	<p><a class="actionbutton" href="{{url_for('forum.edit_roles')}}">role/permission settings</a></p>
 {% endif %}
+<hr/>
 
 {% if subforums %}
 <h2>subforæ</h2>
@@ -43,6 +44,8 @@
 {% else %}
 <p>please log in to create a new thread</p>
 {% endif %}
+
+{% if has_permission(forum.id, g.user, "p_view_threads") %}
 <div class="thread-list">
 	{%for thread in threads%}
 		<div class="listing">
@@ -80,5 +83,8 @@
 		</div>
 	{%endfor%}
 </div>
+{% else %}
+<p>you do not have permission to view threads in this forum</p>
+{% endif %}
 
 {%endblock%}