From 6a5c57f2b222e406ff552afad52bc0c8c21fad2c Mon Sep 17 00:00:00 2001
From: Markos Gogoulos
Date: Tue, 20 Apr 2021 21:52:09 +0300
Subject: [PATCH] fix permission for user deletion (#127)
---
 cms/permissions.py | 5 ++++-
 templates/config/core/user.html | 2 +-
 users/views.py | 14 +++++++-------
 3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/cms/permissions.py b/cms/permissions.py
index 1556164..ad5741e 100644
--- a/cms/permissions.py
+++ b/cms/permissions.py
@@ -24,7 +24,10 @@ class IsUserOrManager(permissions.BasePermission):
 if is_mediacms_manager(request.user):
 return True
- return obj.user == request.user
+ if hasattr(obj, 'user'):
+ return obj.user == request.user
+ else:
+ return obj == request.user
 class IsUserOrEditor(permissions.BasePermission):
diff --git a/templates/config/core/user.html b/templates/config/core/user.html
index 096eccd..b2e72cc 100644
--- a/templates/config/core/user.html
+++ b/templates/config/core/user.html
@@ -15,7 +15,7 @@ MediaCMS.user = {
 addComment: true,
 deleteComment: {% if CAN_DELETE_COMMENTS %}true{% else %}false{% endif %},
 editProfile: {% if CAN_EDIT %}true{% else %}false{% endif %},
- deleteProfile: {% if CAN_DELETE_PROFILE %}true{% else %}false{% endif %},
+ deleteProfile: {% if CAN_DELETE %}true{% else %}false{% endif %},
 manageMedia: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER or IS_MEDIACMS_EDITOR %}true{% else %}false{% endif %},
 manageUsers: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER %}true{% else %}false{% endif %},
 manageComments: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER or IS_MEDIACMS_EDITOR %}true{% else %}false{% endif %},
diff --git a/users/views.py b/users/views.py
index 50f2da8..1c840f1 100644
--- a/users/views.py
+++ b/users/views.py
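Review bot: The new branch in `has_object_permission` dispatches on `hasattr(obj, 'user')` rather than on the object's type, so whether an object is treated as owned-by-a-user or as the user itself depends on an attribute name; a model whose owner field is named differently would silently fall into the `obj == request.user` comparison and be denied to its owner. An explicit check reads clearer and fails the same way: `if isinstance(obj, get_user_model()): return obj == request.user` followed by `return getattr(obj, 'user', None) == request.user` (with `get_user_model` from `django.contrib.auth`). Because the manager short-circuit above now also covers user objects, a manager appears able to delete any account, including superusers and other managers, if `is_mediacms_manager` (defined outside this diff) is true for non-superusers; if that is not intended, add `if getattr(obj, 'is_superuser', False) and not request.user.is_superuser: return False` ahead of it. The method's signature lies above the hunk.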
@@ -59,10 +59,10 @@ def view_user_media(request, username):
 context["user"] = user
 context["CAN_EDIT"] = (
 True
- if ((user and user == request.user) or request.user.is_superuser)
+ if ((user and user == request.user) or is_mediacms_manager(request.user))
 else False
 )
- context["CAN_DELETE"] = True if request.user.is_superuser else False
+ context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
 context["SHOW_CONTACT_FORM"] = (
 True if (user.allow_contact or is_mediacms_editor(request.user)) else False
 )
@@ -78,10 +78,10 @@ def view_user_playlists(request, username):
 context["user"] = user
 context["CAN_EDIT"] = (
 True
- if ((user and user == request.user) or request.user.is_superuser)
+ if ((user and user == request.user) or is_mediacms_manager(request.user))
 else False
 )
- context["CAN_DELETE"] = True if request.user.is_superuser else False
+ context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
 context["SHOW_CONTACT_FORM"] = (
 True if (user.allow_contact or is_mediacms_editor(request.user)) else False
 )
@@ -98,10 +98,10 @@ def view_user_about(request, username):
 context["user"] = user
 context["CAN_EDIT"] = (
 True
- if ((user and user == request.user) or request.user.is_superuser)
+ if ((user and user == request.user) or is_mediacms_manager(request.user))
 else False
 )
- context["CAN_DELETE"] = True if request.user.is_superuser else False
+ context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
 context["SHOW_CONTACT_FORM"] = (
 True if (user.allow_contact or is_mediacms_editor(request.user)) else False
 )
@@ -136,7 +136,7 @@ def view_channel(request, friendly_token):
 context["user"] = user
 context["CAN_EDIT"] = (
 True
- if ((user and user == request.user) or request.user.is_superuser)
+ if ((user and user == request.user) or is_mediacms_manager(request.user))
 else False
 )
 return render(request, "cms/channel.html", context)
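Review bot: The CAN_EDIT/CAN_DELETE rule is now duplicated, with `True if … else False` wrapped around an already-boolean expression, in view_user_media, view_user_playlists, view_user_about and view_channel (the hunks at lines 59, 78, 98 and 136), so any later change to who may manage a profile has to be made in four places while the enforced rule lives in cms.permissions.IsUserOrManager. These flags only drive the template's buttons, so keeping them in one helper that mirrors that permission class makes the UI/API agreement easy to check. Replacing `request.user.is_superuser` with `is_mediacms_manager(request.user)` also drops the explicit superuser case; if `is_mediacms_manager` (defined outside this diff) does not return True for superusers, admins lose the edit and delete controls they had before, which is worth confirming against its definition. Each view's `def` line lies above its hunk; the helper below replaces the assignment lines in all four views (view_channel sets no CAN_DELETE).
```python
def _can_manage_profile(request, user):
    """UI-only flag that mirrors cms.permissions.IsUserOrManager (profile
    owner or MediaCMS manager); authorization is still enforced there."""
    return bool((user and user == request.user) or is_mediacms_manager(request.user))


# … unchanged: def view_user_media(request, username) and its user lookup …
    context["user"] = user
    context["CAN_EDIT"] = _can_manage_profile(request, user)
    context["CAN_DELETE"] = is_mediacms_manager(request.user)
    # … unchanged: SHOW_CONTACT_FORM and render …
```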