
Added more checks for whether the user has the specified permission

sh4nks 11 years ago
parent
commit
cefdaf4935
6 changed files with 85 additions and 40 deletions
  1. 16 12
      flaskbb/app.py
  2. 0 5
      flaskbb/forum/models.py
  3. 39 14
      flaskbb/forum/views.py
  4. 25 0
      flaskbb/helpers.py
  5. 5 5
      flaskbb/templates/forum/topic.html
  6. 0 4
      flaskbb/user/models.py

+ 16 - 12
flaskbb/app.py

@@ -29,7 +29,7 @@ from flaskbb.forum.views import forum
 from flaskbb.forum.models import *
 
 from flaskbb.extensions import db, login_manager, mail, cache #toolbar
-from flaskbb.helpers import time_delta_format, last_seen
+from flaskbb.helpers import time_delta_format, last_seen, can_moderate
 
 
 DEFAULT_BLUEPRINTS = (
@@ -149,34 +149,39 @@ def configure_template_filters(app):
         return post.user_id == user.id
 
     @app.template_filter()
-    def edit_post(user, post):
+    def edit_post(user, post, forum):
         """
         Check if the post can be edited by the user
         """
-        if not user.is_authenticated():
-            return False
-        if user.permissions['super_mod'] or user.permissions['admin']:
+        if can_moderate(user, forum):
             return True
         if post.user_id == user.id and user.permissions['editpost']:
             return True
         return False
 
     @app.template_filter()
-    def delete_post(user, post):
+    def delete_post(user, post, forum):
         """
         Check if the post can be edited by the user
         """
-        if not user.is_authenticated():
-            return False
-        if user.permissions['super_mod'] or user.permissions['admin']:
+        if can_moderate(user, forum):
             return True
         if post.user_id == user.id and user.permissions['deletepost']:
             return True
         return False
 
     @app.template_filter()
-    def post_reply(user):
-        if user.permissions['super_mod'] or user.permissions['admin']:
+    def delete_topic(user, post, forum):
+        if can_moderate(user, forum):
+            return True
+        if post.user_id == user.id and user.permissions['deletetopic']:
+            return True
+        return False
+
+
+    @app.template_filter()
+    def post_reply(user, forum):
+        if can_moderate(user, forum):
             return True
         if user.permissions['postreply']:
             return True
@@ -201,7 +206,6 @@ def configure_before_handlers(app):
     @app.before_request
     def get_user_permissions():
         current_user.permissions = current_user.get_permissions()
-        current_user.moderate_all = current_user.permissions['admin'] or current_user.permissions['super_mod']
 
 
 def configure_errorhandlers(app):
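Review bot: The docstring on the new `delete_post` filter still reads `Check if the post can be edited by the user` — it was copied from `edit_post` and should say `deleted`; `delete_topic` and `post_reply` carry no docstring at all, and a one-line summary per filter, e.g. `"""Return True if user moderates forum, or authored the topic and holds 'deletetopic'."""`, would document the permission model these filters encode. `delete_topic`'s second parameter is named `post`, but topic.html passes it a topic (`current_user|delete_topic(topic, topic.forum)`), so naming it `topic` would make the `.user_id` access read correctly. Dropping the explicit `is_authenticated()` guard also changes the anonymous path: `can_moderate` returns False for an unauthenticated user, so execution falls through to `post.user_id == user.id and user.permissions[...]`, which only works if the anonymous user object exposes `id` and `permissions` — presumably set up in `get_user_permissions`, but worth confirming, since a filter raising for an anonymous visitor breaks the page rather than hiding a link.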

+ 0 - 5
flaskbb/forum/models.py

@@ -192,11 +192,6 @@ class Forum(db.Model):
 
     moderators = db.Column(DenormalizedText)
 
-    def is_moderator(self, user_id):
-        if user_id in self.moderators:
-            return True
-        return False
-
     def add_moderator(self, user_id):
         self.moderators.add(user_id)
 

+ 39 - 14
flaskbb/forum/views.py

@@ -16,7 +16,7 @@ from flask import (Blueprint, render_template, redirect, url_for, current_app,
                    request, flash)
 from flask.ext.login import login_required, current_user
 
-from flaskbb.helpers import last_seen
+from flaskbb.helpers import last_seen, can_moderate, check_perm
 from flaskbb.forum.models import Category, Forum, Topic, Post
 from flaskbb.forum.forms import QuickreplyForm, ReplyForm, NewTopicForm
 from flaskbb.user.models import User
@@ -77,11 +77,15 @@ def view_topic(topic_id):
     topic.save()
 
     form = None
-    if current_user.permissions['postreply'] or current_user.can_moderate:
-        form = QuickreplyForm()
-        if form.validate_on_submit():
-            post = form.save(current_user, topic)
-            return view_post(post.id)
+
+    if not topic.locked:
+        if check_perm(current_user, 'postreply') or \
+            can_moderate(current_user, topic.forum):
+
+            form = QuickreplyForm()
+            if form.validate_on_submit():
+                post = form.save(current_user, topic)
+                return view_post(post.id)
 
     return render_template("forum/topic.html", topic=topic, posts=posts,
                            per_page=current_app.config['POSTS_PER_PAGE'],
@@ -107,7 +111,8 @@ def view_post(post_id):
 def new_topic(forum_id):
     forum = Forum.query.filter_by(id=forum_id).first()
 
-    if not (current_user.permissions['posttopic'] or current_user.can_moderate):
+    if not check_perm(current_user, 'posttopic') or \
+        can_moderate(current_user, forum):
         flash("You do not have the permissions to create a new topic.")
         return redirect(url_for('forum.view_forum', forum_id=forum.id))
 
@@ -124,14 +129,16 @@ def new_topic(forum_id):
 @login_required
 def delete_topic(topic_id):
     topic = Topic.query.filter_by(id=topic_id).first()
-    if not (current_user.permissions['deletetopic'] or current_user.can_moderate):
+
+    if not check_perm(current_user, 'deletetopic') or \
+        can_moderate(current_user, topic.forum):
         flash("You do not have the permissions to delete the topic")
-        return redirect(url_for("forum.view_forum", forum=topic.forum_id))
+        return redirect(url_for("forum.view_forum", forum_id=topic.forum_id))
 
     involved_users = User.query.filter(Post.topic_id == topic.id,
                                        User.id == Post.user_id).all()
     topic.delete(users=involved_users)
-    return redirect(url_for("forum.view_forum", forum=topic.forum_id))
+    return redirect(url_for("forum.view_forum", forum_id=topic.forum_id))
 
 
 @forum.route("/topic/<int:topic_id>/post/new", methods=["POST", "GET"])
@@ -139,9 +146,14 @@ def delete_topic(topic_id):
 def new_post(topic_id):
     topic = Topic.query.filter_by(id=topic_id).first()
 
-    if not (current_user.permissions['postreply'] or current_user.can_moderate):
+    if topic.locked:
+        flash("The topic is locked.")
+        return redirect(url_for("forum.view_forum", forum_id=topic.forum_id))
+
+    if not check_perm(current_user, 'postreply') or \
+        can_moderate(current_user, topic.forum):
         flash("You do not have the permissions to delete the topic")
-        return redirect(url_for("forum.view_forum", forum=topic.forum_id))
+        return redirect(url_for("forum.view_forum", forum_id=topic.forum_id))
 
     form = ReplyForm()
     if form.validate_on_submit():
@@ -156,12 +168,18 @@ def new_post(topic_id):
 def edit_post(post_id):
     post = Post.query.filter_by(id=post_id).first()
 
+    if not check_perm(current_user, 'editpost', post.user_id, own=True) or \
+        can_moderate(current_user, post.topic.forum):
+
+        flash("You do not have the permissions to edit this post")
+        return redirect(url_for('forum.view_topic', topic_id=post.topic_id))
+
     form = ReplyForm(obj=post)
     if form.validate_on_submit():
         form.populate_obj(post)
         post.date_modified = datetime.datetime.utcnow()
         post.save()
-        return redirect(url_for('forum.view_topic', topic=post.topic.id))
+        return redirect(url_for('forum.view_topic', topic_id=post.topic.id))
     else:
         form.content.data = post.content
 
@@ -172,6 +190,13 @@ def edit_post(post_id):
 @login_required
 def delete_post(post_id):
     post = Post.query.filter_by(id=post_id).first()
+
+    if not check_perm(current_user, 'deletepost', post.user_id, own=True) or \
+        can_moderate(current_user, post.topic.forum):
+
+        flash("You do not have the permissions to edit this post")
+        return redirect(url_for('forum.view_topic', topic_id=post.topic_id))
+
     topic_id = post.topic_id
 
     post.delete()
@@ -179,7 +204,7 @@ def delete_post(post_id):
     # If the post was the first post in the topic, redirect to the forums
     if post.first_post:
         return redirect(url_for('forum.view_forum',
-                                forum=post.topic.forum_id))
+                                forum_id=post.topic.forum_id))
     return redirect(url_for('forum.view_topic', topic=topic_id))
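Review bot: Every new permission guard in this file — in `new_topic`, `delete_topic`, `new_post`, `edit_post` and `delete_post` — is written as `if not check_perm(...) or can_moderate(...):`, and because `not` binds tighter than `or` this parses as `(not check_perm(...)) or can_moderate(...)`, so the denial branch fires for exactly the users who can moderate: admins and moderators are always turned away, and the `can_moderate` path can never grant access. The disjunction needs parentheses, e.g. for `new_topic`: `if not (check_perm(current_user, 'posttopic') or can_moderate(current_user, forum)):`, and the same one-line change applies to the other four guards. Two flash messages are also copied from the wrong handler: `new_post` says `You do not have the permissions to delete the topic` and `delete_post` says `You do not have the permissions to edit this post`. The `forum=` → `forum_id=` fix was not applied to the last line of `delete_post`, which still calls `url_for('forum.view_topic', topic=topic_id)` although the other calls in this commit were changed to `topic_id=` and the view is declared as `def view_topic(topic_id)`, so that redirect will presumably fail to build.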
 
 

+ 25 - 0
flaskbb/helpers.py

@@ -17,11 +17,36 @@ from sqlalchemy.ext.mutable import Mutable
 from wtforms.widgets.core import Select, HTMLString, html_params
 
 
+def own_post(user, post_user):
+    if user.id == post_user.id:
+        return True
+    return False
+
+
+def check_perm(user, perm, post_user_id=None, own=False):
+    if user.permissions[perm]:
+        return True
+    if own:
+        return user.id == post_user_id
+    return False
+
+
+def can_moderate(user, forum):
+    if not user.is_authenticated():
+        return False
+    if user.permissions['super_mod'] or user.permissions['admin']:
+        return True
+    if user.permissions['mod'] and user.id in forum.moderators:
+        return True
+    return False
+
+
 def last_seen():
     now = datetime.datetime.utcnow()
     diff = now - datetime.timedelta(minutes=current_app.config['LAST_SEEN'])
     return diff
 
+
 def generate_random_pass(length=8):
     return "".join(chr(random.randint(33, 126)) for i in range(length))
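Review bot: `check_perm` with `own=True` grants access when the user holds `perm` regardless of authorship, and also grants it to an author who lacks `perm` entirely, which is the opposite of the rule the template filters in app.py apply (`post.user_id == user.id and user.permissions['editpost']`); with the current body any user holding `editpost` can edit anyone's post through the view, while the UI only shows the link to the author. Since the view calls are the enforcing checks, the helper should match the filters: `if not user.permissions[perm]: return False`, then `if own: return user.id == post_user_id`, then `return True`. `own_post` is not used anywhere in this commit and compares `post_user.id` where `check_perm` takes a bare `post_user_id`, so it is worth either removing or aligning with that signature. In `can_moderate`, `user.id in forum.moderators` assumes the DenormalizedText column is never `None` for a forum without moderators — if it can be, the check raises instead of returning False. None of the three helpers has a docstring; a one-liner such as `"""Return True if user is admin or super_mod, or a 'mod' listed in forum.moderators."""` on `can_moderate` would make the permission model legible to the views that now depend on it.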
 

+ 5 - 5
flaskbb/templates/forum/topic.html

@@ -17,10 +17,10 @@
 </div> <!-- end span pagination -->
 
 <div class="pull-right" style="padding-bottom: 10px">
-    {% if current_user|post_reply() %}
+    {% if current_user|post_reply(topic.forum) and not topic.locked %}
     <a href="{{ url_for('forum.new_post', topic_id=topic.id) }}" class="btn btn-primary">Reply</a>
     {% endif %}
-    {% if current_user|delete_topic(topic) %}
+    {% if current_user|delete_topic(topic, topic.forum) %}
     <a href="{{ url_for('forum.delete_topic', topic_id=topic.id) }}" class="btn btn-primary">Delete Topic</a>
     {% endif %}
 </div>
@@ -101,10 +101,10 @@
                 </span>
 
                 <span class="pull-right">
-                    {% if current_user|edit_post(post) %}
+                    {% if current_user|edit_post(post, topic.forum) %}
                     <a href="{{ url_for('forum.edit_post', post_id=post.id) }}">Edit</a> |
                     {% endif %}
-                    {% if current_user|delete_post(post) %}
+                    {% if current_user|delete_post(post, topic.forum) %}
                     <a href="{{ url_for('forum.delete_post', post_id=post.id) }}">Delete</a> |
                     {% endif %}
                     <a href="#">Quote</a>
@@ -116,7 +116,7 @@
     </tbody>
 </table>
 
-{% if current_user|post_reply() %}
+{% if current_user|post_reply(topic.forum) and not topic.locked %}
 <form class="form" action="#" method="post">
     {{ form.hidden_tag() }}
     <div class="form-group">

+ 0 - 4
flaskbb/user/models.py

@@ -23,10 +23,6 @@ groups_users = db.Table('groups_users',
         db.Column('user_id', db.Integer(), db.ForeignKey('users.id')),
         db.Column('group_id', db.Integer(), db.ForeignKey('groups.id')))
 
-moderators = db.Table('moderators',
-        db.Column('forum_id', db.Integer(), db.ForeignKey('forums.id')),
-        db.Column('user_id', db.Integer(), db.ForeignKey('users.id')))
-
 
 class Group(db.Model):
     __tablename__ = "groups"