Implement permissions properly

2018-03-20 03:16:46 +00:00 · 2018-03-20 03:16:46 +00:00 · 775850bbba
parent 5a3764f178
commit 775850bbba
3 changed files with 26 additions and 23 deletions
--- a/app/models.py
+++ b/app/models.py
@ -15,6 +15,15 @@ def title_to_url(title):
 def url_to_title(url):
 	return url.replace("_", " ")

+class UserRank(enum.Enum):
+	NEW_MEMBER = 0
+	MEMBER     = 1
+	EDITOR     = 2
+	ADMIN      = 3
+
+	def atLeast(self, min):
+		return self.value >= min.value
+
 class User(db.Model, UserMixin):
 	id = db.Column(db.Integer, primary_key=True)

@ -23,6 +32,8 @@ class User(db.Model, UserMixin):
 	password = db.Column(db.String(255), nullable=False, server_default='')
 	reset_password_token = db.Column(db.String(100), nullable=False, server_default='')

+	rank = db.Column(db.Enum(UserRank))
+
 	# Account linking
 	github_username = db.Column(db.String(50), nullable=True, unique=True)
 	forums_username = db.Column(db.String(50), nullable=True, unique=True)
@ -44,20 +55,11 @@ class User(db.Model, UserMixin):
 		self.username = username
 		self.confirmed_at = datetime.datetime.now() - datetime.timedelta(days=6000)
 		self.display_name = username
+		self.rank = UserRank.MEMBER

 	def isClaimed(self):
 		return self.password is not None and self.password != ""

-class Role(db.Model):
-	id          = db.Column(db.Integer(), primary_key=True)
-	name        = db.Column(db.String(50), unique=True)
-	description = db.Column(db.String(255))
-
-class UserRoles(db.Model):
-	id      = db.Column(db.Integer(), primary_key=True)
-	user_id = db.Column(db.Integer(), db.ForeignKey('user.id', ondelete='CASCADE'))
-	role_id = db.Column(db.Integer(), db.ForeignKey('role.id', ondelete='CASCADE'))
-
 class Permission(enum.Enum):
 	EDIT_PACKAGE   = "EDIT_PACKAGE"
 	APPROVE        = "APPROVE"
@ -69,14 +71,6 @@ class PackageType(enum.Enum):
 	GAME = "Game"
 	TXP  = "Texture Pack"

-	def getTitle(self):
-		if self == PackageType.MOD:
-			return "Mod"
-		elif self == PackageType.GAME:
-			return "Game"
-		else:
-			return "TXP"
-
 	@staticmethod
 	def fromName(name):
 		if name == "mod":
@ -124,16 +118,25 @@ class Package(db.Model):

 	def getDetailsURL(self):
 		return url_for("package_page",
-				type=self.type.getTitle().lower(),
+				type=self.type.value.lower(),
 				author=self.author.username, name=self.name)

 	def getEditURL(self):
 		return url_for("edit_package_page",
-				type=self.type.getTitle().lower(),
+				type=self.type.value.lower(),
 				author=self.author.username, name=self.name)

 	def checkPerm(self, user, perm):
-		return user == self.author
+		if type(perm) == str:
+			perm = Permission[perm]
+
+		isOwner = user == self.author
+		if perm == Permission.EDIT_PACKAGE or perm == Permission.APPROVE:
+			return user.rank.atLeast(UserRank.MEMBER if isOwner else UserRank.EDITOR)
+		elif perm == Permission.DELETE_PACKAGE or perm == Permission.CHANGE_AUTHOR:
+			return user.rank.atLeast(UserRank.EDITOR)
+		else:
+			return False

 # Setup Flask-User
 db_adapter = SQLAlchemyAdapter(db, User)        # Register the User model
--- a/app/templates/package_details.html
+++ b/app/templates/package_details.html
@ -15,7 +15,7 @@
 			</tr>
 			<tr>
 				<td>Type</td>
-				<td>{{ package.type.getTitle() }}</td>
+				<td>{{ package.type.value }}</td>
 			</tr>
 		</table>

--- a/app/templates/packages.html
+++ b/app/templates/packages.html
@ -7,7 +7,7 @@
 {% block content %}
 	<ul>
 		{% for p in packages %}
-			<li><a href="{{ url_for('package_page', type=p.type.getTitle()|lower, author=p.author.username, name=p.name) }}">
+			<li><a href="{{ p.getDetailsURL() }}">
 				{{ p.title }} by {{ p.author.display_name }}
 			</a></li>
 		{% else %}