add user action constraints

2020-10-26 00:17:26 +01:00 · 2020-10-26 00:17:26 +01:00 · 60f2397960
commit 60f2397960
parent 54e1bd3db6
3 changed files with 13 additions and 7 deletions
--- a/books/views.py
+++ b/books/views.py
@ -1,6 +1,6 @@
 import logging
 from django.shortcuts import render, get_object_or_404, redirect, reverse
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.utils.translation import gettext_lazy as _
 from django.http import HttpResponseBadRequest, HttpResponseServerError
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
@ -200,6 +200,7 @@ def retrieve(request, id):
        return HttpResponseBadRequest()


+@permission_required('books.delete_book')
@login_required
 def delete(request, id):
    if request.method == 'GET':
@ -238,6 +239,8 @@ def create_update_mark(request):
        old_tags = None
        if pk:
            mark = get_object_or_404(BookMark, pk=pk)
+            if request.user != mark.owner:
+                return HttpResponseBadRequest()
            old_rating = mark.rating
            old_tags = mark.bookmark_tags.all()
            # update
@ -332,6 +335,8 @@ def retrieve_mark_list(request, book_id):
 def delete_mark(request, id):
    if request.method == 'POST':
        mark = get_object_or_404(BookMark, pk=id)
+        if request.user != mark.owner:
+            return HttpResponseBadRequest()
        book_id = mark.book.id
        try:
            with transaction.atomic():
@ -394,8 +399,6 @@ def create_review(request, book_id):
@mastodon_request_included
@login_required
 def update_review(request, id):
-    # owner check
-    # edited time
    if request.method == 'GET':
        review = get_object_or_404(BookReview, pk=id)
        if request.user != review.owner:
--- a/movies/models.py
+++ b/movies/models.py
@ -165,7 +165,7 @@ class Movie(Resource):

    def __str__(self):
        if self.year:
-            return self.title + f"{self.year}"  
+            return self.title + f"({self.year})"  
        else:
            return self.title

--- a/movies/views.py
+++ b/movies/views.py
@ -1,6 +1,6 @@
 import logging
 from django.shortcuts import render, get_object_or_404, redirect, reverse
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.utils.translation import gettext_lazy as _
 from django.http import HttpResponseBadRequest, HttpResponseServerError
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
@ -202,6 +202,7 @@ def retrieve(request, id):
        return HttpResponseBadRequest()


+@permission_required("movies.delete_movie")
@login_required
 def delete(request, id):
    if request.method == 'GET':
@ -240,6 +241,8 @@ def create_update_mark(request):
        old_tags = None
        if pk:
            mark = get_object_or_404(MovieMark, pk=pk)
+            if request.user != mark.owner:
+                return HttpResponseBadRequest()
            old_rating = mark.rating
            old_tags = mark.moviemark_tags.all()
            # update
@ -335,6 +338,8 @@ def retrieve_mark_list(request, movie_id):
 def delete_mark(request, id):
    if request.method == 'POST':
        mark = get_object_or_404(MovieMark, pk=id)
+        if request.user != mark.owner:
+            return HttpResponseBadRequest()
        movie_id = mark.movie.id
        try:
            with transaction.atomic():
@ -397,8 +402,6 @@ def create_review(request, movie_id):
@mastodon_request_included
@login_required
 def update_review(request, id):
-    # owner check
-    # edited time
    if request.method == 'GET':
        review = get_object_or_404(MovieReview, pk=id)
        if request.user != review.owner: