Allow users to discard their own topics

2018-12-25 17:51:29 +00:00 · 2018-12-25 17:51:29 +00:00 · 09150a4dbb
parent c726f56b3e
commit 09150a4dbb
6 changed files with 63 additions and 36 deletions
--- a/app/models.py
+++ b/app/models.py
@ -79,6 +79,7 @@ class Permission(enum.Enum):
 	SEE_THREAD         = "SEE_THREAD"
 	CREATE_THREAD      = "CREATE_THREAD"
 	UNAPPROVE_PACKAGE  = "UNAPPROVE_PACKAGE"
+	TOPIC_DISCARD      = "TOPIC_DISCARD"

 	# Only return true if the permission is valid for *all* contexts
 	# See Package.checkPerm for package-specific contexts
@ -843,6 +844,21 @@ class ForumTopic(db.Model):
 			"created_at": self.created_at.isoformat(),
 		}

+	def checkPerm(self, user, perm):
+		if not user.is_authenticated:
+			return False
+
+		if type(perm) == str:
+			perm = Permission[perm]
+		elif type(perm) != Permission:
+			raise Exception("Unknown permission given to ForumTopic.checkPerm()")
+
+		if perm == Permission.TOPIC_DISCARD:
+			return self.author == user or user.rank.atLeast(UserRank.EDITOR)
+
+		else:
+			raise Exception("Permission {} is not related to topics".format(perm.name))
+

 # Setup Flask-User
 db_adapter = SQLAlchemyAdapter(db, User)        # Register the User model
--- a/app/public/static/topic_discard.js
+++ b/app/public/static/topic_discard.js
@ -0,0 +1,29 @@
+$(".topic-discard").click(function() {
+	var ele = $(this);
+	var tid = ele.attr("data-tid");
+	var discard = !ele.parent().parent().hasClass("discardtopic");
+	fetch(new Request("/api/topic_discard/?tid=" + tid +
+			"&discard=" + (discard ? "true" : "false"), {
+		method: "post",
+		credentials: "same-origin",
+		headers: {
+			"Accept": "application/json",
+			"X-CSRFToken": csrf_token,
+		},
+	})).then(function(response) {
+		response.text().then(function(txt) {
+			console.log(JSON.parse(txt));
+			if (JSON.parse(txt).discarded) {
+				ele.parent().parent().addClass("discardtopic");
+				ele.removeClass("btn-danger");
+				ele.addClass("btn-success");
+				ele.text("Show");
+			} else {
+				ele.parent().parent().removeClass("discardtopic");
+				ele.removeClass("btn-success");
+				ele.addClass("btn-danger");
+				ele.text("Discard");
+			}
+		}).catch(console.log)
+	}).catch(console.log)
+});
--- a/app/templates/macros/topics.html
+++ b/app/templates/macros/topics.html
@ -1,4 +1,4 @@
-{% macro render_topics_table(topics, show_author=True, show_discard=False) -%}
+{% macro render_topics_table(topics, show_author=True, show_discard=False, current_user=current_user) -%}
 <table class="table">
 	<tr>
 		<th></th>
@ -27,7 +27,7 @@
 					href="{{ url_for('create_edit_package_page', author=topic.author.username, repo=topic.getRepoURL(), forums=topic.topic_id, title=topic.title, bname=topic.name) }}">
 					Create
 				</a>
-				{% if show_discard %}
+				{% if show_discard and current_user.is_authenticated and topic.checkPerm(current_user, "TOPIC_DISCARD") %}
 					<a class="btn btn-{% if topic.discarded %}success{% else %}danger{% endif %} topic-discard" data-tid={{ topic.topic_id }}>
 						{% if topic.discarded %}
 							Show
--- a/app/templates/todo/topics.html
+++ b/app/templates/todo/topics.html
@ -59,7 +59,7 @@ Topics to be Added
 	</form>

 	{% from "macros/topics.html" import render_topics_table %}
-	{{ render_topics_table(topics, show_discard=True) }}
+	{{ render_topics_table(topics, show_discard=True, current_user=current_user) }}

 	<ul class="pagination mt-4">
 		<li class="page-item {% if not prev_url %}disabled{% endif %}">
@ -83,35 +83,5 @@ Topics to be Added
 	<script>
 		var csrf_token = "{{ csrf_token() }}";
 	</script>
-	<script>
-		$(".topic-discard").click(function() {
-			var ele = $(this);
-			var tid = ele.attr("data-tid");
-			var discard = !ele.parent().parent().hasClass("discardtopic");
-			fetch(new Request("{{ url_for('topic_set_discard') }}?tid=" + tid +
-					"&discard=" + (discard ? "true" : "false"), {
-				method: "post",
-				credentials: "same-origin",
-				headers: {
-					"Accept": "application/json",
-					"X-CSRFToken": csrf_token,
-				},
-			})).then(function(response) {
-				response.text().then(function(txt) {
-					console.log(JSON.parse(txt));
-					if (JSON.parse(txt).discarded) {
-						ele.parent().parent().addClass("discardtopic");
-						ele.removeClass("btn-danger");
-						ele.addClass("btn-success");
-						ele.text("Show");
-					} else {
-						ele.parent().parent().removeClass("discardtopic");
-						ele.removeClass("btn-success");
-						ele.addClass("btn-danger");
-						ele.text("Discard");
-					}
-				}).catch(console.log)
-			}).catch(console.log)
-		});
-	</script>
+	<script src="/static/topic_discard.js"></script>
 {% endblock %}
--- a/app/templates/users/user_profile_page.html
+++ b/app/templates/users/user_profile_page.html
@ -134,11 +134,20 @@

 		<p class="card-body">
 			List of your forum topics which do not have a matching package.
+			Topics with a strikethrough have beened marked as discarded.
 		</p>

 		{% from "macros/topics.html" import render_topics_table %}
-		{{ render_topics_table(topics_to_add, show_author=False) }}
+		{{ render_topics_table(topics_to_add, show_author=False, show_discard=True, current_user=current_user) }}
 	</div>
 {% endif %}

 {% endblock %}
+
+
+{% block scriptextra %}
+	<script>
+		var csrf_token = "{{ csrf_token() }}";
+	</script>
+	<script src="/static/topic_discard.js"></script>
+{% endblock %}
--- a/app/views/api.py
+++ b/app/views/api.py
@ -46,7 +46,7 @@ def api_topics_page():


@app.route("/api/topic_discard/", methods=["POST"])
-@rank_required(UserRank.EDITOR)
+@login_required
 def topic_set_discard():
 	tid = request.args.get("tid")
 	discard = request.args.get("discard")
@ -54,6 +54,9 @@ def topic_set_discard():
 		abort(400)

 	topic = ForumTopic.query.get(tid)
+	if not topic.checkPerm(current_user, Permission.TOPIC_DISCARD):
+		abort(403)
+
 	topic.discarded = discard == "true"
 	db.session.commit()