From: Michael Tremer Date: Sat, 1 Sep 2018 14:53:42 +0000 (+0100) Subject: blog: Only allow to edit own posts X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8a81a709e78dd8763798981f1e38bcad41725e9;p=ipfire.org.git blog: Only allow to edit own posts Signed-off-by: Michael Tremer
---
diff --git a/src/backend/blog.py b/src/backend/blog.py
index 71f3cbae..3a0e2e09 100644
--- a/src/backend/blog.py
+++ b/src/backend/blog.py
@@ -299,3 +299,7 @@ class Post(misc.Object):
 def release(self):
 return self.backend.releases._get_release("SELECT * FROM releases \
 WHERE published IS NOT NULL AND published <= NOW() AND blog_id = %s", self.id)
+
+ def is_editable(self, editor):
+ # Authors can edit their own posts
+ return self.author == editor
diff --git a/src/web/blog.py b/src/web/blog.py
index 22cb6da9..59168af1 100644
--- a/src/web/blog.py
+++ b/src/web/blog.py
@@ -122,7 +122,9 @@ class EditHandler(base.BaseHandler):
 if not post:
 raise tornado.web.HTTPError(404)
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 self.render("blog/compose.html", post=post)
@@ -132,7 +134,9 @@ class EditHandler(base.BaseHandler):
 if not post:
 raise tornado.web.HTTPError(404)
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 with self.db.transaction():
 # Update title
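Review bot: `is_editable` returns `self.author == editor` with no guard for an unset editor, so if a post's `author` can ever be None (an imported or system post, say) and a request reaches the handler with `current_user` None, `None == None` would make that post editable by an anonymous client; whether either can happen depends on how `author` is populated and on whether the web handlers require login, neither of which is visible in this hunk. A fail-closed form is `return editor is not None and self.author == editor`. The method also has no docstring; I would add `"""Return True if *editor* may edit this post; currently only the post's author."""` so the policy is stated in the one place where additional roles would later be added. The result further assumes `author` and `editor` are comparable values of the same kind — if `author` is stored as a user id while `current_user` is an account object, `==` is always False and editing silently breaks rather than being granted, which is worth confirming against the callers.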
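Review bot: The editability check and its 403 are duplicated verbatim in the GET and POST methods of `EditHandler` (this hunk and the one at `@@ -132,7 +134,9 @@`); both methods start above their hunks, where the `post` lookup lives, so whether the handler requires an authenticated user before `self.current_user` is consulted cannot be seen here. Moving the lookup plus the 404/403 decision into one small private helper that both methods call would keep the two paths from drifting, which matters because only the POST path actually guards the write. The second argument to `tornado.web.HTTPError` is the log message rather than the response body, so `"%s cannot edit %s" % (self.current_user, post)` reaches the server log only; that is a reasonable place for it, as it leaves a record of rejected edit attempts for later review.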