authorcitrons <citrons>2021-08-06 22:54:59 +0000
committercitrons <citrons>2021-08-06 22:54:59 +0000
commita4d99164de42603b83b2a7ac6e594e5925108a32 (patch)
tree066f4be808a7062a8d459fe76b7b9589f7025490
parentbd7a53ba3daf8853707d6df511cc1e31d2a850a3 (diff)
logged out users are considered to have no permissions, unless login is not required in a specific instance, in which case they are treated as having the role "other".
-rw-r--r--apioforum/roles.py5
-rw-r--r--apioforum/templates/view_forum.html2
-rw-r--r--apioforum/thread.py2
3 files changed, 5 insertions, 4 deletions
diff --git a/apioforum/roles.py b/apioforum/roles.py
index ae47e31..1e9b206 100644
--- a/apioforum/roles.py
+++ b/apioforum/roles.py
@@ -72,8 +72,9 @@ def get_forum_roles(forum_id):
""",(a['id'],)).fetchall()
return set(r['role'] for r in configs)
-def has_permission(forum_id, user, permission):
- role = get_user_role(forum_id, user) if user != None else "other"
+def has_permission(forum_id, user, permission, login_required=True):
+ if user == None and login_required: return False
+ role = get_user_role(forum_id, user) if user else "other"
if role == "bureaucrat": return True
config = get_role_config(forum_id, role)
return config[permission]
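Review bot: The new guard and the role lookup in has_permission disagree on what "logged out" means: `if user == None and login_required` tests only for None, while `get_user_role(forum_id, user) if user else "other"` tests truthiness. If `user` can ever be falsy without being None (an empty string or 0; the type of g.user is not visible here), that value passes the login_required check and is then evaluated as role "other" instead of being denied. Using one test for both keeps the check fail-closed, e.g. `if not user and login_required: return False`. A short docstring saying that `login_required=False` is meant only for permissions that are safe to grant to anonymous visitors would also help the next caller.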
diff --git a/apioforum/templates/view_forum.html b/apioforum/templates/view_forum.html
index ff1af9b..a4ffac6 100644
--- a/apioforum/templates/view_forum.html
+++ b/apioforum/templates/view_forum.html
@@ -76,7 +76,7 @@
please log in to create a new thread
{% endif %}
-{% if has_permission(forum.id, g.user, "p_view_threads") %}
+{% if has_permission(forum.id, g.user, "p_view_threads", login_required=False) %}
<div class="thread-list">
{%for thread in threads%}
<div class="listing">
diff --git a/apioforum/thread.py b/apioforum/thread.py
index 0b0804e..a3a122a 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -21,7 +21,7 @@ def view_thread(thread_id):
thread = db.execute("SELECT * FROM threads WHERE id = ?;",(thread_id,)).fetchone()
if thread is None:
abort(404)
- if not has_permission(thread['forum'], g.user, "p_view_threads"):
+ if not has_permission(thread['forum'], g.user, "p_view_threads", False):
abort(403)
posts = db.execute("""
SELECT * FROM posts
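Review bot: The opt-out is passed as a bare positional `False` in the `has_permission(thread['forum'], g.user, "p_view_threads", False)` call, while the template call in view_forum.html names it; on an authorization check an unnamed boolean is easy to misread or to copy to a call where it does not belong. Prefer `login_required=False` here, and consider making the parameter keyword-only in roles.py with `def has_permission(forum_id, user, permission, *, login_required=True):` so every opt-out is visible at the call site. view_thread's body continues outside the hunk, so any other permission checks in it are not visible from here.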