Merge remote-tracking branch 'refs/remotes/elrond/sql/final'

[mediagoblin.git] / mediagoblin / decorators.py

diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c66049cac3feff3b6cedaa6e9ce2fabeb9512473..83602c7063c1d3dd64fed18b2fe8a979c7e5b378 100644 (file)
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -1,5 +1,5 @@
 # GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011 Free Software Foundation, Inc
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -17,7 +17,7 @@
 
 from webob import exc
 
-from mediagoblin.util import redirect, render_404
+from mediagoblin.tools.response import redirect, render_404
 from mediagoblin.db.util import ObjectId, InvalidId
 
 
@@ -40,18 +40,34 @@ def require_active_login(controller):
                 request.user.get('status') == u'needs_email_verification':
             return redirect(
                 request, 'mediagoblin.user_pages.user_home',
-                user=request.user['username'])
+                user=request.user.username)
         elif not request.user or request.user.get('status') != u'active':
             return exc.HTTPFound(
                 location="%s?next=%s" % (
                     request.urlgen("mediagoblin.auth.login"),
-                    request.path_info))
+                    request.full_path))
 
         return controller(request, *args, **kwargs)
 
     return _make_safe(new_controller_func, controller)
 
 
+def user_may_delete_media(controller):
+    """
+    Require user ownership of the MediaEntry to delete.
+    """
+    def wrapper(request, *args, **kwargs):
+        uploader_id = request.db.MediaEntry.find_one(
+            {'_id': ObjectId(request.matchdict['media'])}).uploader
+        if not (request.user.is_admin or
+                request.user._id == uploader_id):
+            return exc.HTTPForbidden()
+
+        return controller(request, *args, **kwargs)
+
+    return _make_safe(wrapper, controller)
+
+
 def uses_pagination(controller):
     """
     Check request GET 'page' key for wrong values
@@ -79,11 +95,10 @@ def get_user_media_entry(controller):
 
         if not user:
             return render_404(request)
-
         media = request.db.MediaEntry.find_one(
             {'slug': request.matchdict['media'],
              'state': 'processed',
-             'uploader': user['_id']})
+             'uploader': user._id})
 
         # no media via slug?  Grab it via ObjectId
         if not media:
@@ -91,7 +106,7 @@ def get_user_media_entry(controller):
                 media = request.db.MediaEntry.find_one(
                     {'_id': ObjectId(request.matchdict['media']),
                      'state': 'processed',
-                     'uploader': user['_id']})
+                     'uploader': user._id})
             except InvalidId:
                 return render_404(request)
 
@@ -103,6 +118,7 @@ def get_user_media_entry(controller):
 
     return _make_safe(wrapper, controller)
 
+
 def get_media_entry_by_id(controller):
     """
     Pass in a MediaEntry based off of a url component