From a4d99164de42603b83b2a7ac6e594e5925108a32 Mon Sep 17 00:00:00 2001
From: citrons
Date: Fri, 6 Aug 2021 22:54:59 +0000
Subject: logged out users are considered to have no permissions unless in a specific instance login is not required in which case they are treated as having the role "other".
---
 apioforum/roles.py | 5 +++--
 apioforum/templates/view_forum.html | 2 +-
 apioforum/thread.py | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/apioforum/roles.py b/apioforum/roles.py
index ae47e31..1e9b206 100644
--- a/apioforum/roles.py
+++ b/apioforum/roles.py
@@ -72,8 +72,9 @@ def get_forum_roles(forum_id):
 """,(a['id'],)).fetchall()
 return set(r['role'] for r in configs)
-def has_permission(forum_id, user, permission):
- role = get_user_role(forum_id, user) if user != None else "other"
+def has_permission(forum_id, user, permission, login_required=True):
+ if user == None and login_required: return False
+ role = get_user_role(forum_id, user) if user else "other"
 if role == "bureaucrat": return True
 config = get_role_config(forum_id, role)
 return config[permission]
diff --git a/apioforum/templates/view_forum.html b/apioforum/templates/view_forum.html
index ff1af9b..a4ffac6 100644
--- a/apioforum/templates/view_forum.html
+++ b/apioforum/templates/view_forum.html
@@ -76,7 +76,7 @@ please log in to create a new thread {% endif %}
-{% if has_permission(forum.id, g.user, "p_view_threads") %}
+{% if has_permission(forum.id, g.user, "p_view_threads", login_required=False) %}
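Review bot: In the roles.py hunk the two new lines of `has_permission` test `user` in different ways: the guard compares with `None`, while the role lookup uses truthiness (`if user else "other"`). A falsy value that is not `None` (an empty string or `0`, if `g.user` can ever hold one) therefore passes the `login_required` guard and is evaluated as the anonymous "other" role, where the old code would have looked up its real role. Use the same identity test in both places: `if user is None and login_required: return False` and `role = get_user_role(forum_id, user) if user is not None else "other"`. The function would also benefit from a docstring stating that a logged-out user is denied unless `login_required` is false, in which case the "other" role's config decides. Defaulting `login_required` to `True` keeps existing callers failing closed, which is the right default.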
{%for thread in threads%}
diff --git a/apioforum/thread.py b/apioforum/thread.py
index 0b0804e..a3a122a 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -21,7 +21,7 @@ def view_thread(thread_id):
 thread = db.execute("SELECT * FROM threads WHERE id = ?;",(thread_id,)).fetchone()
 if thread is None:
 abort(404)
- if not has_permission(thread['forum'], g.user, "p_view_threads"):
+ if not has_permission(thread['forum'], g.user, "p_view_threads", False):
 abort(403)
 posts = db.execute("""
 SELECT * FROM posts
-- cgit v1.2.3
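Review bot: The bare positional `False` in the new `has_permission(thread['forum'], g.user, "p_view_threads", False)` call does not say which safeguard it relaxes, although this argument is what lets a logged-out visitor be evaluated as the "other" role. The template change in the same commit spells it out, and this call should match: `if not has_permission(thread['forum'], g.user, "p_view_threads", login_required=False):`. A short comment above it, such as `# anonymous visitors may read threads when the forum's "other" role grants p_view_threads`, would mark the exception as deliberate. Making `login_required` keyword-only in roles.py would stop a stray positional boolean from disabling the check elsewhere. `view_thread` continues past the end of the hunk, so later permission checks in it are not visible here.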