"""
@wraps(controller)
def wrapper(request, *args, **kwargs):
- uploader_id = MediaEntry.query.get(request.matchdict['media']).uploader
+ uploader_id = kwargs['media'].uploader
if not (request.user.is_admin or
request.user.id == uploader_id):
raise Forbidden()
@wraps(controller)
def wrapper(request, *args, **kwargs):
media = MediaEntry.query.filter_by(
- id=request.matchdict['media'],
+ id=request.matchdict['media_id'],
state=u'processed').first()
# Still no media? Okay, 404.
if not media:
return render_404(request)
+ given_username = request.matchdict.get('user')
+ if given_username and (given_username != media.get_uploader.username):
+ return render_404(request)
+
return controller(request, media=media, *args, **kwargs)
return wrapper
from mediagoblin.edit import forms
from mediagoblin.edit.lib import may_edit_media
from mediagoblin.decorators import (require_active_login, active_user_from_url,
+ get_media_entry_by_id,
get_user_media_entry, user_may_alter_collection, get_user_collection)
from mediagoblin.tools.response import render_to_response, redirect
from mediagoblin.tools.translate import pass_to_ugettext as _
import mimetypes
-@get_user_media_entry
+@get_media_entry_by_id
@require_active_login
def edit_media(request, media):
if not may_edit_media(request, media):
<form action="{{ request.urlgen('mediagoblin.edit.edit_media',
user= media.get_uploader.username,
- media= media.id) }}"
+ media_id=media.id) }}"
method="POST" enctype="multipart/form-data">
<div class="form_box_xl edit_box">
<h1>{% trans media_title=media.title %}Editing {{ media_title }}{% endtrans %}</h1>
request.user.is_admin) %}
{% set edit_url = request.urlgen('mediagoblin.edit.edit_media',
user= media.get_uploader.username,
- media= media.id) %}
+ media_id=media.id) %}
<a class="button_action" href="{{ edit_url }}">{% trans %}Edit{% endtrans %}</a>
{% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete',
user= media.get_uploader.username,
- media= media.id) %}
+ media_id=media.id) %}
<a class="button_action" href="{{ delete_url }}">{% trans %}Delete{% endtrans %}</a>
{% endif %}
{% autoescape False %}
{% if request.user %}
<form action="{{ request.urlgen('mediagoblin.user_pages.media_post_comment',
user= media.get_uploader.username,
- media=media.id) }}" method="POST" id="form_comment">
+ media_id=media.id) }}" method="POST" id="form_comment">
<p>
{% trans %}You can use <a href="http://daringfireball.net/projects/markdown/basics">Markdown</a> for formatting.{% endtrans %}
</p>
<form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
user=media.get_uploader.username,
- media=media.id) }}"
+ media_id=media.id) }}"
method="POST" enctype="multipart/form-data">
<div class="form_box">
<h1>
media = self.check_media(request, {'title': u'Balanced Goblin'}, 1)
media_id = media.id
+ # At least render the edit page
+ edit_url = request.urlgen(
+ 'mediagoblin.edit.edit_media',
+ user=self.test_user.username, media_id=media_id)
+ self.test_app.get(edit_url)
+
# Add a comment, so we can test for its deletion later.
self.check_comments(request, media_id, 0)
comment_url = request.urlgen(
'mediagoblin.user_pages.media_post_comment',
- user=self.test_user.username, media=media_id)
+ user=self.test_user.username, media_id=media_id)
response = self.do_post({'comment_content': 'i love this test'},
url=comment_url, do_follow=True)[0]
self.check_comments(request, media_id, 1)
# ---------------------------------------------------
delete_url = request.urlgen(
'mediagoblin.user_pages.media_confirm_delete',
- user=self.test_user.username, media=media_id)
+ user=self.test_user.username, media_id=media_id)
# Empty data means don't confirm
response = self.do_post({}, do_follow=True, url=delete_url)[0]
media = self.check_media(request, {'title': u'Balanced Goblin'}, 1)
'mediagoblin.user_pages.views:media_home')
add_route('mediagoblin.user_pages.media_confirm_delete',
- '/u/<string:user>/m/<string:media>/confirm-delete/',
+ '/u/<string:user>/m/<int:media_id>/confirm-delete/',
'mediagoblin.user_pages.views:media_confirm_delete')
# Submission handling of new comments. TODO: only allow for POST methods
add_route('mediagoblin.user_pages.media_post_comment',
- '/u/<string:user>/m/<string:media>/comment/add/',
+ '/u/<string:user>/m/<int:media_id>/comment/add/',
'mediagoblin.user_pages.views:media_post_comment')
add_route('mediagoblin.user_pages.user_gallery',
# Stray edit routes
add_route('mediagoblin.edit.edit_media',
- '/u/<string:user>/m/<string:media>/edit/',
+ '/u/<string:user>/m/<int:media_id>/edit/',
'mediagoblin.edit.views:edit_media')
add_route('mediagoblin.edit.attachments',
from mediagoblin.user_pages.lib import send_comment_email
from mediagoblin.decorators import (uses_pagination, get_user_media_entry,
+ get_media_entry_by_id,
require_active_login, user_may_delete_media, user_may_alter_collection,
get_user_collection, get_user_collection_item, active_user_from_url)
'app_config': mg_globals.app_config})
-@get_user_media_entry
+@get_media_entry_by_id
@require_active_login
def media_post_comment(request, media):
"""
#TODO: Why does @user_may_delete_media not implicate @require_active_login?
-@get_user_media_entry
+@get_media_entry_by_id
@require_active_login
@user_may_delete_media
def media_confirm_delete(request, media):
projects / mediagoblin.git / commitdiff