X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=mediagoblin%2Fdecorators.py;h=204ac47aaa71ae2b6db25fa8f466385bb0adb274;hb=243c3843bd574129caa7663e25d1a843b2d2dd30;hp=2e90274ec3960165e8330f50e53697d1daabc596;hpb=3cdf366acfb577e735abc7fee6c8395fa97c8b48;p=mediagoblin.git

diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index 2e90274e..204ac47a 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -1,5 +1,5 @@
 # GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011 Free Software Foundation, Inc
+# Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -17,7 +17,7 @@
 
 from webob import exc
 
-from mediagoblin.util import redirect
+from mediagoblin.util import redirect, render_404
 from mediagoblin.db.util import ObjectId, InvalidId
 
 
@@ -52,6 +52,22 @@ def require_active_login(controller):
     return _make_safe(new_controller_func, controller)
 
 
+def user_may_delete_media(controller):
+    """
+    Require user ownership of the MediaEntry to delete.
+    """
+    def wrapper(request, *args, **kwargs):
+        uploader = request.db.MediaEntry.find_one(
+            {'_id': ObjectId(request.matchdict['media'])}).uploader()
+        if not (request.user['is_admin'] or
+                request.user['_id'] == uploader['_id']):
+            return exc.HTTPForbidden()
+
+        return controller(request, *args, **kwargs)
+
+    return _make_safe(wrapper, controller)
+
+
 def uses_pagination(controller):
     """
     Check request GET 'page' key for wrong values
@@ -60,9 +76,9 @@ def uses_pagination(controller):
         try:
             page = int(request.GET.get('page', 1))
             if page < 0:
-                return exc.HTTPNotFound()
+                return render_404(request)
         except ValueError:
-            return exc.HTTPNotFound()
+            return render_404(request)
 
         return controller(request, page=page, *args, **kwargs)
 
@@ -78,7 +94,7 @@ def get_user_media_entry(controller):
             {'username': request.matchdict['user']})
 
         if not user:
-            return exc.HTTPNotFound()
+            return render_404(request)
 
         media = request.db.MediaEntry.find_one(
             {'slug': request.matchdict['media'],
@@ -93,16 +109,17 @@ def get_user_media_entry(controller):
                      'state': 'processed',
                      'uploader': user['_id']})
             except InvalidId:
-                return exc.HTTPNotFound()
+                return render_404(request)
 
             # Still no media?  Okay, 404.
             if not media:
-                return exc.HTTPNotFound()
+                return render_404(request)
 
         return controller(request, media=media, *args, **kwargs)
 
     return _make_safe(wrapper, controller)
 
+
 def get_media_entry_by_id(controller):
     """
     Pass in a MediaEntry based off of a url component
@@ -113,11 +130,11 @@ def get_media_entry_by_id(controller):
                 {'_id': ObjectId(request.matchdict['media']),
                  'state': 'processed'})
         except InvalidId:
-            return exc.HTTPNotFound()
+            return render_404(request)
 
         # Still no media?  Okay, 404.
         if not media:
-            return exc.HTTPNotFound()
+            return render_404(request)
 
         return controller(request, media=media, *args, **kwargs)