From bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782 Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber
Date: Mon, 5 Dec 2011 08:35:42 -0600
Subject: [PATCH] Update the delete item to use the _id after all... it's the safest way. See http://bugs.foocorp.net/issues/695
---
 mediagoblin/decorators.py | 2 +-
 mediagoblin/templates/mediagoblin/user_pages/media.html | 2 +-
 .../mediagoblin/user_pages/media_confirm_delete.html | 2 +-
 mediagoblin/tests/test_submission.py | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index 56dddb44..269b0c2e 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -58,7 +58,7 @@ def user_may_delete_media(controller):
 """
 def wrapper(request, *args, **kwargs):
 uploader = request.db.MediaEntry.find_one(
- {'slug': request.matchdict['media']}).get_uploader()
+ {'_id': ObjectId(request.matchdict['media'])}).get_uploader()
 if not (request.user['is_admin'] or request.user._id == uploader._id):
 return exc.HTTPForbidden()
diff --git a/mediagoblin/templates/mediagoblin/user_pages/media.html b/mediagoblin/templates/mediagoblin/user_pages/media.html
index c7818012..5039fb30 100644
--- a/mediagoblin/templates/mediagoblin/user_pages/media.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media.html
@@ -126,7 +126,7 @@
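Review bot: `ObjectId(request.matchdict['media'])` in `wrapper` is built straight from the URL segment, so a value that is not a well-formed ObjectId raises before the permission check runs, and a well-formed id that matches no entry makes `.get_uploader()` fail on the `None` that `find_one` returns. Unless something upstream catches these, both surface as server errors; they should produce a not-found response instead, as sketched below (the sketch assumes `InvalidId` from bson is in scope in this module and that `exc` provides `HTTPNotFound`). The hunk does not show how the wrapped view resolves the entry; it should load it by the same `_id`, so that the object that was authorized is the object that gets deleted. `wrapper` continues past the end of the hunk.

```python
def wrapper(request, *args, **kwargs):
    try:
        media_id = ObjectId(request.matchdict['media'])
    except InvalidId:
        return exc.HTTPNotFound()
    media = request.db.MediaEntry.find_one({'_id': media_id})
    if media is None:
        return exc.HTTPNotFound()
    uploader = media.get_uploader()
    # ... unchanged: is_admin / uploader._id comparison and HTTPForbidden ...
```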

{% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete', user= media.get_uploader().username,
- media= media.slug) %}
+ media= media._id) %}
 {% trans %}Delete{% endtrans %}

{% endif %}
diff --git a/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html b/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
index e36891d6..058351a5 100644
--- a/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
@@ -23,7 +23,7 @@

diff --git a/mediagoblin/tests/test_submission.py b/mediagoblin/tests/test_submission.py
index a3453f2f..7ea6c4bc 100644
--- a/mediagoblin/tests/test_submission.py
+++ b/mediagoblin/tests/test_submission.py
@@ -171,7 +171,7 @@ class TestSubmission:
 request.urlgen('mediagoblin.user_pages.media_confirm_delete',
 # No work: user=media.uploader().username,
 user=self.test_user['username'],
- media=media.slug),
+ media=media._id),
 # no value means no confirm
 {})
@@ -191,7 +191,7 @@ class TestSubmission:
 request.urlgen('mediagoblin.user_pages.media_confirm_delete',
 # No work: user=media.uploader().username,
 user=self.test_user['username'],
- media=media.slug),
+ media=media._id),
 {'confirm': 'y'})
 response.follow()
--
2.25.1
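Review bot: Both updated posts in `TestSubmission` (the hunks at 171 and 191) exercise only the owner deleting with a well-formed `media._id`, so nothing visible here covers the paths that the id-based lookup in `user_may_delete_media` introduces. Three cases would pin the decorator's behaviour: a malformed id, an id that matches no entry, and a logged-in user who is neither the uploader nor an admin, where the last should get `HTTPForbidden`. If these are not covered elsewhere in the file, they belong next to these two posts. The commented-out `# No work: user=media.uploader().username,` line in both hunks could be dropped or replaced with a short comment saying why the uploader lookup is not used here.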