From: Michael Tremer
Date: Wed, 26 Jul 2023 15:54:29 +0000 (+0000)
Subject: blog: Restrict access to editing pages
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8788b7f113d0cb08023025da0ba3648860fa499;p=ipfire.org.git
blog: Restrict access to editing pages
Signed-off-by: Michael Tremer
---
diff --git a/src/web/blog.py b/src/web/blog.py
index fe88fdae..92099d5d 100644
--- a/src/web/blog.py
+++ b/src/web/blog.py
@@ -60,6 +60,12 @@ class PostHandler(base.BaseHandler):
 class PublishHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self, slug):
 post = self.backend.blog.get_by_slug(slug, published=False)
@@ -102,6 +108,12 @@ class PublishHandler(base.BaseHandler):
 class DraftsHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self):
 drafts = self.backend.blog.get_drafts(author=self.current_user)
@@ -134,6 +146,12 @@ class YearHandler(base.BaseHandler):
 class ComposeHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self):
 self.render("blog/compose.html", post=None)
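Review bot: The same five-line `prepare()` is pasted into PublishHandler here and again into DraftsHandler and ComposeHandler in the next two hunks, so the author check is opt-in per handler and a later editing handler that forgets it fails open. Moving it into one shared base class makes the restriction fail closed and gives a single place to call `super().prepare()`, which the override currently skips; whether `base.BaseHandler` defines its own `prepare()` is not visible here. Passing a log message to `HTTPError` would also leave a record of who was refused. Separately, `is_blog_author()` is a role check only, and whether `get()` and the rest of PublishHandler verify that this author may publish this particular draft lies outside the hunk and is worth confirming.

```python
class AuthorHandler(base.BaseHandler):
    """Base class for handlers that only blog authors may use."""

    @tornado.web.authenticated
    def prepare(self):
        # Keep whatever the base handler does before each request
        super().prepare()

        # Refuse everybody who is not a blog author, and log who was refused
        if not self.current_user.is_blog_author():
            raise tornado.web.HTTPError(403, "%s is not a blog author", self.current_user)


class PublishHandler(AuthorHandler):
    # … unchanged: get() and the rest of the handler; same base for DraftsHandler and ComposeHandler …
```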