-rw-r--r-- | apioforum/__init__.py | 2 | ||||
-rw-r--r-- | apioforum/forum.py | 42 | ||||
-rw-r--r-- | apioforum/roles.py | 9 | ||||
-rw-r--r-- | apioforum/templates/view_forum.html | 10 |
4 files changed, 49 insertions, 14 deletions
diff --git a/apioforum/__init__.py b/apioforum/__init__.py index 30dd813..7c99c0c 100644 --- a/apioforum/__init__.py +++ b/apioforum/__init__.py @@ -48,6 +48,8 @@ def create_app(): return dict(path_for_next=p) app.jinja_env.globals.update(forum_path=forum.forum_path) + from .roles import has_permission, is_bureaucrat, + app.jinja_env.globals.update(has_permission=has_permission,is_bureaucrat=is_bureaucrat) from .mdrender import render @app.template_filter('md') diff --git a/apioforum/forum.py b/apioforum/forum.py index ed7e2b7..5c6f5bf 100644 --- a/apioforum/forum.py +++ b/apioforum/forum.py @@ -8,8 +8,7 @@ from flask import ( from .db import get_db from .mdrender import render -from .roles import get_forum_roles -from .roles import permissions as role_permissions +from .roles import get_forum_roles,has_permission,is_bureaucrat from sqlite3 import OperationalError import datetime @@ -32,10 +31,30 @@ def forum_path(forum_id): ancestors.reverse() return ancestors -@bp.route("/<int:forum_id>") -def view_forum(forum_id): +def forum_route(relative_path, **kwargs): + def decorator(f): + path = "/<int:forum_id>" + if relative_path != "": + path += "/" + relative_path + + @bp.route(path, **kwargs) + def wrapper(forum_id, *args, **kwargs): + db = get_db() + forum = db.execute("SELECT * FROM forums WHERE id = ?", + (forum_id,)).fetchone() + if forum == None: + abort(404) + return f(forum, *args, **kwargs) + +def requires_permission(permission): + def decorator(f): + def wrapper(forum, *args, **kwargs): + if not has_permission(forum['id'], g.user, permission): + abort(403) + +@forum_route("") +def view_forum(forum): db = get_db() - forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum_id,)).fetchone() threads = db.execute( """SELECT threads.id, threads.title, threads.creator, threads.created, 
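Review bot: The added import in `create_app` ends with a trailing comma, `from .roles import has_permission, is_bureaucrat,`, which Python rejects as a syntax error outside parentheses, so the package would fail to import. It should read `from .roles import has_permission, is_bureaucrat`. `create_app` starts and ends outside the hunk.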
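Review bot: Neither `forum_route` nor `requires_permission` returns anything in the added lines: the inner `decorator` functions and the outer functions all end without a `return`, so `@forum_route("")` evaluates to `None` and decorating `view_forum` fails when the module loads. The wrapper in `requires_permission` also never calls `f` after the 403 check, so a permitted request would get no response from it. Every route wrapper is named `wrapper`, so Flask would likely reject the second registration as a duplicate endpoint unless the view's name is preserved. The sketch below returns the wrappers and uses `functools.wraps`, which needs `import functools` (not among the imports visible in this file's hunks). `view_forum`'s body continues outside the hunk.

```python
def forum_route(relative_path, **kwargs):
    def decorator(f):
        # … unchanged: path construction from relative_path …

        @bp.route(path, **kwargs)
        @functools.wraps(f)  # keep the view's own name as the endpoint
        def wrapper(forum_id, *args, **kwargs):
            # … unchanged: forum lookup and abort(404) …
            return f(forum, *args, **kwargs)
        return wrapper
    return decorator

def requires_permission(permission):
    def decorator(f):
        @functools.wraps(f)
        def wrapper(forum, *args, **kwargs):
            if not has_permission(forum['id'], g.user, permission):
                abort(403)
            return f(forum, *args, **kwargs)
        return wrapper
    return decorator
```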
@@ -49,7 +68,7 @@ def view_forum(forum_id): INNER JOIN number_of_posts ON number_of_posts.thread = threads.id WHERE threads.forum = ? ORDER BY threads.updated DESC; - """,(forum_id,)).fetchall() + """,(forum['id'],)).fetchall() thread_tags = {} #todo: somehow optimise this for thread in threads: @@ -66,7 +85,7 @@ def view_forum(forum_id): WHERE parent = ? GROUP BY forums.id ORDER BY name ASC - """,(forum_id,)).fetchall() + """,(forum['id'],)).fetchall() subforums = [] for s in subforums_rows: a={} @@ -75,7 +94,6 @@ def view_forum(forum_id): a['updated'] = datetime.datetime.fromisoformat(a['updated']) subforums.append(a) - return render_template("view_forum.html", forum=forum, subforums=subforums, @@ -83,10 +101,10 @@ def view_forum(forum_id): thread_tags=thread_tags, ) -@bp.route("/<int:forum_id>/create_thread",methods=("GET","POST")) -def create_thread(forum_id): +@forum_route("create_thread",methods=("GET","POST")) +def create_thread(forum): db = get_db() - forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum_id,)).fetchone() + forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum['id'],)).fetchone() if forum is None: flash("that forum doesn't exist") return redirect(url_for('index')) @@ -106,7 +124,7 @@ def create_thread(forum_id): cur = db.cursor() cur.execute( "INSERT INTO threads (title,creator,created,updated,forum) VALUES (?,?,current_timestamp,current_timestamp,?);", - (title,g.user,forum_id) + (title,g.user,forum['id']) ) thread_id = cur.lastrowid cur.execute( diff --git a/apioforum/roles.py b/apioforum/roles.py index ae193a7..ab273c8 100644 --- a/apioforum/roles.py +++ b/apioforum/roles.py 
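Review bot: `create_thread` is registered with `forum_route` only, so nothing in this hunk checks a role permission before the INSERT further down. If thread creation is meant to be restricted per forum, stack the new decorator under the route, e.g. `@requires_permission("<permission name>")` (placeholder; the permission key for posting is not shown on this page). The re-query `forum = db.execute(..., (forum['id'],)).fetchone()` and the `if forum is None` branch are now dead, because the route wrapper has already loaded the row and answered 404 for a missing forum; both can be dropped. The function continues outside the hunk, so a login check may exist there.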
@@ -65,3 +65,12 @@ def get_forum_roles(forum_id): SELECT * FROM role_config WHERE forum = ? """,(a['id'],)).fetchall() return set(r['role'] for r in configs) + +def has_permission(forum_id, user, permission): + role = get_user_role(forum_id, user) if user != None else "other" + config = get_role_config(forum_id, role) + return config[permission] + +def is_bureaucrat(forum_id, user): + if user == None: return False + return get_user_role(forum_id, user) == "bureaucrat" diff --git a/apioforum/templates/view_forum.html b/apioforum/templates/view_forum.html index d3d09e1..98d2110 100644 --- a/apioforum/templates/view_forum.html +++ b/apioforum/templates/view_forum.html @@ -8,10 +8,11 @@ {%endblock%} {%block content%} -{% if forum.description %} {{forum.description|md|safe}} -<hr/> +{% if is_bureaucrat(forum.id, g.user) %} + <p><a class="actionbutton" href="{{url_for('forum.edit_roles')}}">role/permission settings</a></p> {% endif %} +<hr/> {% if subforums %} <h2>subforæ</h2> @@ -43,6 +44,8 @@ {% else %} <p>please log in to create a new thread</p> {% endif %} + +{% if has_permission(forum.id, g.user, "p_view_threads") %} <div class="thread-list"> {%for thread in threads%} <div class="listing"> @@ -80,5 +83,8 @@ </div> {%endfor%} </div> +{% else %} +<p>you do not have permission to view threads in this forum</p> +{% endif %} {%endblock%} |
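Review bot: `has_permission` indexes `config[permission]` without handling a missing role configuration. `get_role_config` and `get_user_role` are not visible in this hunk, so if either can return `None` the check raises instead of denying. An authorization helper should fail closed explicitly and return a boolean, for example `return config is not None and bool(config[permission])`. Prefer `user is not None` and `user is None` over `!= None` and `== None` in both helpers. A one-line docstring stating that unauthenticated users are evaluated as the "other" role would make the contract clear to callers.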
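Review bot: The first template hunk removes the `{% if forum.description %}` guard, so `{{forum.description|md|safe}}` now runs for forums without a description. If that column can be NULL, the `md` filter receives `None`; how it handles that is not visible here. The new link calls `url_for('forum.edit_roles')` with no forum id, and no `edit_roles` view is added in this commit, so rendering would presumably raise a build error for bureaucrats. Pass the id once the route exists, e.g. `url_for('forum.edit_roles', forum_id=forum.id)`.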
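Review bot: The `p_view_threads` check around the thread list lives only in the template. `view_forum` still runs the threads query and passes the rows to `render_template`, and nothing in this commit gates the per-thread pages, so hiding the list is presentation rather than access control. Enforce it in the view as well, for instance by skipping the query and passing `threads=[]` when `has_permission(forum['id'], g.user, "p_view_threads")` is false. The same check presumably belongs on whatever view serves an individual thread, which is outside this diff.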