Caution the admins about deleting the users' media though.
[mediagoblin.git] / mediagoblin / decorators.py
index c66049cac3feff3b6cedaa6e9ce2fabeb9512473..f1b5d2295877205c521ffaac1dcc16d8cfa8519a 100644 (file)
@@ -52,6 +52,22 @@ def require_active_login(controller):
     return _make_safe(new_controller_func, controller)
 
 
+def user_may_delete_media(controller):
+    """
+    Require user ownership of the MediaEntry to delete.
+    """
+    def wrapper(request, *args, **kwargs):
+        uploader = request.db.MediaEntry.find_one(
+            {'_id': ObjectId(request.matchdict['media'])}).uploader()
+        if not (request.user['is_admin'] or
+                request.user['_id'] == uploader['_id']):
+            return exc.HTTPForbidden()
+
+        return controller(request, *args, **kwargs)
+
+    return _make_safe(wrapper, controller)
+
+
 def uses_pagination(controller):
     """
     Check request GET 'page' key for wrong values
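Review bot: The wrapper in `user_may_delete_media` dereferences two values that may be absent before it reaches the permission test. `find_one(...)` returns None for an id that matches no entry, so `.uploader()` raises, and `request.user['is_admin']` raises if `request.user` is None for anonymous requests (not visible in this hunk). Neither case reaches the controller, but both surface as an unhandled exception instead of a 404 or 403, and the second makes this delete gate depend on always being stacked under `require_active_login`. A malformed `media` segment would presumably also raise inside `ObjectId(...)`; the sketch below assumes `InvalidId` is in scope in decorators.py, which the page does not show. The docstring should also mention the admin bypass, e.g. `Require that the user owns the MediaEntry or is an admin.`

```python
    def wrapper(request, *args, **kwargs):
        try:
            media = request.db.MediaEntry.find_one(
                {'_id': ObjectId(request.matchdict['media'])})
        except InvalidId:
            return exc.HTTPNotFound()
        if media is None:
            return exc.HTTPNotFound()
        # Deny explicitly rather than relying on decorator stacking order.
        if request.user is None:
            return exc.HTTPForbidden()
        uploader = media.uploader()
        # … unchanged: is_admin / owner comparison and controller call …
```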
@@ -122,3 +138,4 @@ def get_media_entry_by_id(controller):
         return controller(request, media=media, *args, **kwargs)
 
     return _make_safe(wrapper, controller)
+