From: Christopher Allan Webber
Date: Wed, 31 Aug 2011 03:37:54 +0000 (-0500)
Subject: Also allow admins to delete other users' media.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=53c5e0b028f8994a7987459c917e70ed81d6d0b2;p=mediagoblin.git
Also allow admins to delete other users' media.
---
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c3d64327..f1b5d229 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -51,25 +51,16 @@ def require_active_login(controller):
 return _make_safe(new_controller_func, controller)
+
 def user_may_delete_media(controller):
 """
- Require user ownership of the MediaEntry
-
- Originally:
-def may_delete_media(request, media):
- \"\"\"
- Check, if the request's user may edit the media details
- \"\"\"
- if media['uploader'] == request.user['_id']:
- return True
- if request.user['is_admin']:
- return True
- return False
+ Require user ownership of the MediaEntry to delete.
 """
 def wrapper(request, *args, **kwargs):
- if not request.user['_id'] == request.db.MediaEntry.find_one(
- {'_id': ObjectId(
- request.matchdict['media'])}).uploader()['_id']:
+ uploader = request.db.MediaEntry.find_one(
+ {'_id': ObjectId(request.matchdict['media'])}).uploader()
+ if not (request.user['is_admin'] or
+ request.user['_id'] == uploader['_id']):
 return exc.HTTPForbidden()
 return controller(request, *args, **kwargs)
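Review bot: The new `uploader = request.db.MediaEntry.find_one(...).uploader()` line in `wrapper` still dereferences the lookup result unchecked, so a media id that matches no document (find_one returns None in that case) would raise an unhandled error instead of a deliberate response from this authorization check. Binding the lookup to a name first and adding `if media is None: return exc.HTTPNotFound()` (assuming `exc` is webob.exc, as `HTTPForbidden` suggests) would make that path explicit. The shortened docstring also understates the policy now enforced: the check admits admins as well as the uploader, so `Require the user to be the MediaEntry's uploader or an admin to delete.` would match the code. Since the admin branch widens who can delete other users' media, it may be worth recording such deletions in a log for later audit. The decorator's closing lines are outside the hunk.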