From 53c5e0b028f8994a7987459c917e70ed81d6d0b2 Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber
Date: Tue, 30 Aug 2011 22:37:54 -0500
Subject: [PATCH] Also allow admins to delete other users' media.
---
 mediagoblin/decorators.py | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c3d64327..f1b5d229 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -51,25 +51,16 @@ def require_active_login(controller):
 return _make_safe(new_controller_func, controller)
+
 def user_may_delete_media(controller):
 """
- Require user ownership of the MediaEntry
-
- Originally:
-def may_delete_media(request, media):
- \"\"\"
- Check, if the request's user may edit the media details
- \"\"\"
- if media['uploader'] == request.user['_id']:
- return True
- if request.user['is_admin']:
- return True
- return False
+ Require user ownership of the MediaEntry to delete.
 """
 def wrapper(request, *args, **kwargs):
- if not request.user['_id'] == request.db.MediaEntry.find_one(
- {'_id': ObjectId(
- request.matchdict['media'])}).uploader()['_id']:
+ uploader = request.db.MediaEntry.find_one(
+ {'_id': ObjectId(request.matchdict['media'])}).uploader()
+ if not (request.user['is_admin'] or
+ request.user['_id'] == uploader['_id']):
 return exc.HTTPForbidden()
 return controller(request, *args, **kwargs)
--
2.25.1
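Review bot: The new lookup in `wrapper` calls `.uploader()` directly on the result of `find_one(...)`, so a media id that matches no document (or, presumably, one that `ObjectId` rejects) raises inside the authorization decorator and surfaces as a server error instead of a clean not-found or denial. Bind the entry first and guard it, e.g. `media = request.db.MediaEntry.find_one({'_id': ObjectId(request.matchdict['media'])})` followed by `if media is None: return exc.HTTPNotFound()` (assuming `exc` is webob's `exc` module, as the existing `exc.HTTPForbidden()` suggests). The docstring still says ownership is required although admins now pass the check; `Require that the user owns the MediaEntry or is an admin.` would match the code. `request.user['is_admin']` is evaluated first and assumes a logged-in user document that carries that key; whether this decorator is always applied under `require_active_login` is not visible here, so `request.user.get('is_admin')` after a `request.user` check may be the safer form. The rest of `user_may_delete_media` continues past the end of the hunk.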