Restrict changing display name to moderator and above

2018-05-21 22:31:50 +01:00 · 2018-05-21 22:31:50 +01:00 · 4841c66602
parent 0a72a38dd0
commit 4841c66602
3 changed files with 10 additions and 5 deletions
--- a/app/models.py
+++ b/app/models.py
@ -65,6 +65,7 @@ class Permission(enum.Enum):
 	APPROVE_RELEASE    = "APPROVE_RELEASE"
 	APPROVE_NEW        = "APPROVE_NEW"
 	CHANGE_RELEASE_URL = "CHANGE_RELEASE_URL"
+	CHANGE_DNAME       = "CHANGE_DNAME"
 	CHANGE_RANK        = "CHANGE_RANK"
 	CHANGE_EMAIL       = "CHANGE_EMAIL"
 	EDIT_EDITREQUEST   = "EDIT_EDITREQUEST"
@ -140,7 +141,7 @@ class User(db.Model, UserMixin):
 		# Members can edit their own packages, and editors can edit any packages
 		if perm == Permission.CHANGE_AUTHOR:
 			return user.rank.atLeast(UserRank.EDITOR)
-		elif perm == Permission.CHANGE_RANK:
+		elif perm == Permission.CHANGE_RANK or perm == Permission.CHANGE_DNAME:
 			return user.rank.atLeast(UserRank.MODERATOR)
 		elif perm == Permission.CHANGE_EMAIL:
 			return user == self or (user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank))
--- a/app/templates/users/user_profile_page.html
+++ b/app/templates/users/user_profile_page.html
@ -7,7 +7,7 @@
 {% block content %}

 <div class="box box_grey">
-	<h2>{{ user.username }}</h2>
+	<h2>{{ user.display_name }}</h2>

 	<table>
 		<tr>
@ -73,7 +73,9 @@
 				<div class="col-sm-6 col-md-5 col-lg-4">
 					{{ form.hidden_tag() }}

-					{{ render_field(form.display_name, tabindex=230) }}
+					{% if user.checkPerm(current_user, "CHANGE_DNAME") %}
+						{{ render_field(form.display_name, tabindex=230) }}
+					{% endif %}

 					{% if user.checkPerm(current_user, "CHANGE_EMAIL") %}
 						{{ render_field(form.email, tabindex=240) }}
--- a/app/views/users.py
+++ b/app/views/users.py
@ -50,14 +50,16 @@ def user_profile_page(username):
 		abort(404)

 	form = None
-	if user == current_user or user.checkPerm(current_user, Permission.CHANGE_RANK):
+	if user.checkPerm(current_user, Permission.CHANGE_DNAME) or \
+			user.checkPerm(current_user, Permission.CHANGE_EMAIL) or \
+			user.checkPerm(current_user, Permission.CHANGE_RANK):
 		# Initialize form
 		form = UserProfileForm(formdata=request.form, obj=user)

 		# Process valid POST
 		if request.method=="POST" and form.validate():
 			# Copy form fields to user_profile fields
-			if user == current_user:
+			if user.checkPerm(current_user, Permission.CHANGE_DNAME):
 				user.display_name = form["display_name"].data

 			if user.checkPerm(current_user, Permission.CHANGE_RANK):