From 08f6bd8befa266d40f56b143193c8c1ca5fb2716 Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Sat, 11 Jul 2020 03:35:14 +0100
Subject: [PATCH] Move DELETE_REPLY permission to ThreadReply

---
 app/blueprints/threads/__init__.py |  2 +-
 app/models.py                      | 19 +++++++++++++++++--
 app/templates/macros/threads.html  |  2 +-
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/app/blueprints/threads/__init__.py b/app/blueprints/threads/__init__.py
index 28a7fde..113cdfa 100644
--- a/app/blueprints/threads/__init__.py
+++ b/app/blueprints/threads/__init__.py
@@ -126,7 +126,7 @@ def delete_reply(id):
 		flash("Cannot delete thread opening post!", "danger")
 		return redirect(thread.getViewURL())
 
-	if not thread.checkPerm(current_user, Permission.DELETE_REPLY):
+	if not reply.checkPerm(current_user, Permission.DELETE_REPLY):
 		abort(403)
 
 	if request.method == "GET":
diff --git a/app/models.py b/app/models.py
index 9e1840e..62ac1ee 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1105,7 +1105,7 @@ class Thread(db.Model):
 
 	def checkPerm(self, user, perm):
 		if not user.is_authenticated:
-			return not self.private
+			return perm == Permission.SEE_THREAD and not self.private
 
 		if type(perm) == str:
 			perm = Permission[perm]
@@ -1124,7 +1124,7 @@ class Thread(db.Model):
 		elif perm == Permission.COMMENT_THREAD:
 			return canSee and (not self.locked or user.rank.atLeast(UserRank.MODERATOR))
 
-		elif perm == Permission.LOCK_THREAD or perm == Permission.DELETE_REPLY:
+		elif perm == Permission.LOCK_THREAD:
 			return user.rank.atLeast(UserRank.MODERATOR)
 
 		else:
@@ -1137,6 +1137,21 @@ class ThreadReply(db.Model):
 	author_id  = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
 	created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
 
+	def checkPerm(self, user, perm):
+		if not user.is_authenticated:
+			return False
+
+		if type(perm) == str:
+			perm = Permission[perm]
+		elif type(perm) != Permission:
+			raise Exception("Unknown permission given to ThreadReply.checkPerm()")
+
+		if perm == Permission.DELETE_REPLY:
+			return user.rank.atLeast(UserRank.MODERATOR) and self.thread.replies[0] != self
+
+		else:
+			raise Exception("Permission {} is not related to threads".format(perm.name))
+
 
 class PackageReview(db.Model):
 	id         = db.Column(db.Integer, primary_key=True)
diff --git a/app/templates/macros/threads.html b/app/templates/macros/threads.html
index 32acbc4..e94cded 100644
--- a/app/templates/macros/threads.html
+++ b/app/templates/macros/threads.html
@@ -22,7 +22,7 @@
 				</div>
 
 				<div class="card-body">
-					{% if r != thread.replies[0] and thread.checkPerm(current_user, "DELETE_REPLY") %}
+					{% if r.checkPerm(current_user, "DELETE_REPLY") %}
 						<a class="float-right btn btn-secondary btn-sm"
 								href="{{ url_for('threads.delete_reply', id=thread.id, reply=r.id) }}">
 							<i class="fas fa-trash"></i>