- request.user.get('status') == u'needs_email_verification':
- return redirect(request,
- 'mediagoblin.auth.verify_email_notice')
- elif not request.user or request.user.get('status') != u'active':
- return exc.HTTPFound(
- location="%s?next=%s" % (
- request.urlgen("mediagoblin.auth.login"),
- request.path_info))
+ request.user.status == u'needs_email_verification':
+ return redirect(
+ request, 'mediagoblin.user_pages.user_home',
+ user=request.user.username)
+ elif not request.user or request.user.status != u'active':
+ next_url = urljoin(
+ request.urlgen('mediagoblin.auth.login',
+ qualified=True),
+ request.url)
+
+ return redirect(request, 'mediagoblin.auth.login',
+ next=url_quote(next_url))
+
+ return controller(request, *args, **kwargs)
+
+ return new_controller_func
+
+def active_user_from_url(controller):
+ """Retrieve User() from <user> URL pattern and pass in as url_user=...
+
+ Returns a 404 if no such active user has been found"""
+ @wraps(controller)
+ def wrapper(request, *args, **kwargs):
+ user = User.query.filter_by(username=request.matchdict['user']).first()
+ if user is None:
+ return render_404(request)
+
+ return controller(request, *args, url_user=user, **kwargs)
+
+ return wrapper
+
+
+def user_may_delete_media(controller):
+ """
+ Require user ownership of the MediaEntry to delete.
+ """
+ @wraps(controller)
+ def wrapper(request, *args, **kwargs):
+ uploader_id = kwargs['media'].uploader
+ if not (request.user.is_admin or
+ request.user.id == uploader_id):
+ raise Forbidden()
+
+ return controller(request, *args, **kwargs)
+
+ return wrapper
+
+
+def user_may_alter_collection(controller):
+ """
+ Require user ownership of the Collection to modify.
+ """
+ @wraps(controller)
+ def wrapper(request, *args, **kwargs):
+ creator_id = request.db.User.find_one(
+ {'username': request.matchdict['user']}).id
+ if not (request.user.is_admin or
+ request.user.id == creator_id):
+ raise Forbidden()