blog: Restrict access to editing pages
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 26 Jul 2023 15:54:29 +0000 (15:54 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 26 Jul 2023 15:54:29 +0000 (15:54 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/blog.py

index fe88fdae844cf2fc9236b3706b6af4d58ecbcacf..92099d5d10428d4c26345db0b7838eb0da7de09d 100644 (file)
@@ -60,6 +60,12 @@ class PostHandler(base.BaseHandler):
 
 
 class PublishHandler(base.BaseHandler):
+       @tornado.web.authenticated
+       def prepare(self):
+               # Check if the user has permissions
+               if not self.current_user.is_blog_author():
+                       raise tornado.web.HTTPError(403)
+
        @tornado.web.authenticated
        def get(self, slug):
                post = self.backend.blog.get_by_slug(slug, published=False)
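Review bot: The same `prepare()` override is pasted into PublishHandler here and again into DraftsHandler and ComposeHandler in the next two hunks, so the author check only protects handlers where someone remembered to copy it. Moving it into one shared base class that the three editing handlers inherit from would keep the rule in one place and protect any handler added later by default. None of the overrides calls `super().prepare()`; if `base.BaseHandler` defines its own `prepare()`, which is not visible in this diff, that logic is now skipped for these handlers. The comment could also say what is enforced, e.g. `# Only blog authors may use the editing pages; everyone else gets 403`. The class bodies continue outside the hunks.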
@@ -102,6 +108,12 @@ class PublishHandler(base.BaseHandler):
 
 
 class DraftsHandler(base.BaseHandler):
+       @tornado.web.authenticated
+       def prepare(self):
+               # Check if the user has permissions
+               if not self.current_user.is_blog_author():
+                       raise tornado.web.HTTPError(403)
+
        @tornado.web.authenticated
        def get(self):
                drafts = self.backend.blog.get_drafts(author=self.current_user)
@@ -134,6 +146,12 @@ class YearHandler(base.BaseHandler):
 
 
 class ComposeHandler(base.BaseHandler):
+       @tornado.web.authenticated
+       def prepare(self):
+               # Check if the user has permissions
+               if not self.current_user.is_blog_author():
+                       raise tornado.web.HTTPError(403)
+
        @tornado.web.authenticated
        def get(self):
                self.render("blog/compose.html", post=None)