fix permission for user deletion (#127)

2024-11-22 08:13:33 +01:00 · 2021-04-20 21:52:09 +03:00 · 2021-04-20 21:52:09 +03:00 · 6a5c57f2b2
commit 6a5c57f2b2
parent 10f198fff3
3 changed files with 12 additions and 9 deletions
--- a/cms/permissions.py
+++ b/cms/permissions.py
@ -24,7 +24,10 @@ class IsUserOrManager(permissions.BasePermission):
        if is_mediacms_manager(request.user):
            return True

-        return obj.user == request.user
+        if hasattr(obj, 'user'):
+            return obj.user == request.user
+        else:
+            return obj == request.user


 class IsUserOrEditor(permissions.BasePermission):
--- a/templates/config/core/user.html
+++ b/templates/config/core/user.html
@ -15,7 +15,7 @@ MediaCMS.user = {
 		addComment: true,
 		deleteComment: {% if CAN_DELETE_COMMENTS %}true{% else %}false{% endif %},
 		editProfile: {% if CAN_EDIT %}true{% else %}false{% endif %},
-		deleteProfile: {% if CAN_DELETE_PROFILE %}true{% else %}false{% endif %},
+		deleteProfile: {% if CAN_DELETE %}true{% else %}false{% endif %},
 		manageMedia: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER or IS_MEDIACMS_EDITOR %}true{% else %}false{% endif %},
 		manageUsers: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER %}true{% else %}false{% endif %},
 		manageComments: {% if IS_MEDIACMS_ADMIN or IS_MEDIACMS_MANAGER or IS_MEDIACMS_EDITOR %}true{% else %}false{% endif %},
--- a/users/views.py
+++ b/users/views.py
@ -59,10 +59,10 @@ def view_user_media(request, username):
    context["user"] = user
    context["CAN_EDIT"] = (
        True
-        if ((user and user == request.user) or request.user.is_superuser)
+        if ((user and user == request.user) or is_mediacms_manager(request.user))
        else False
    )
-    context["CAN_DELETE"] = True if request.user.is_superuser else False
+    context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
    context["SHOW_CONTACT_FORM"] = (
        True if (user.allow_contact or is_mediacms_editor(request.user)) else False
    )
@ -78,10 +78,10 @@ def view_user_playlists(request, username):
    context["user"] = user
    context["CAN_EDIT"] = (
        True
-        if ((user and user == request.user) or request.user.is_superuser)
+        if ((user and user == request.user) or is_mediacms_manager(request.user))
        else False
    )
-    context["CAN_DELETE"] = True if request.user.is_superuser else False
+    context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
    context["SHOW_CONTACT_FORM"] = (
        True if (user.allow_contact or is_mediacms_editor(request.user)) else False
    )
@ -98,10 +98,10 @@ def view_user_about(request, username):
    context["user"] = user
    context["CAN_EDIT"] = (
        True
-        if ((user and user == request.user) or request.user.is_superuser)
+        if ((user and user == request.user) or is_mediacms_manager(request.user))
        else False
    )
-    context["CAN_DELETE"] = True if request.user.is_superuser else False
+    context["CAN_DELETE"] = True if is_mediacms_manager(request.user) else False
    context["SHOW_CONTACT_FORM"] = (
        True if (user.allow_contact or is_mediacms_editor(request.user)) else False
    )
@ -136,7 +136,7 @@ def view_channel(request, friendly_token):
    context["user"] = user
    context["CAN_EDIT"] = (
        True
-        if ((user and user == request.user) or request.user.is_superuser)
+        if ((user and user == request.user) or is_mediacms_manager(request.user))
        else False
    )
    return render(request, "cms/channel.html", context)