From e8788b7f113d0cb08023025da0ba3648860fa499 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 26 Jul 2023 15:54:29 +0000
Subject: [PATCH] blog: Restrict access to editing pages

Signed-off-by: Michael Tremer
---
 src/web/blog.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/web/blog.py b/src/web/blog.py
index fe88fdae..92099d5d 100644
--- a/src/web/blog.py
+++ b/src/web/blog.py
@@ -60,6 +60,12 @@ class PostHandler(base.BaseHandler):
 class PublishHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self, slug):
 post = self.backend.blog.get_by_slug(slug, published=False)
@@ -102,6 +108,12 @@ class PublishHandler(base.BaseHandler):
 class DraftsHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self):
 drafts = self.backend.blog.get_drafts(author=self.current_user)
@@ -134,6 +146,12 @@ class YearHandler(base.BaseHandler):
 class ComposeHandler(base.BaseHandler):
+ @tornado.web.authenticated
+ def prepare(self):
+ # Check if the user has permissions
+ if not self.current_user.is_blog_author():
+ raise tornado.web.HTTPError(403)
+
 @tornado.web.authenticated
 def get(self):
 self.render("blog/compose.html", post=None)
-- 
2.47.3
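Review bot: The new `prepare()` in `PublishHandler` overrides `base.BaseHandler.prepare` without calling `super().prepare()`, so any per-request setup the base class does there (not visible in this patch — confirm) is now silently skipped for this handler; the body should start with `super().prepare()`. The check is also purely role-based: anyone for whom `is_blog_author()` is true may publish any draft that `get_by_slug(slug, published=False)` returns, so if drafts are meant to be publishable only by their own author, `get()` still needs a comparison against the post's author, whose field is not visible here. `PublishHandler.get` continues past the end of the hunk.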
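Review bot: The `prepare()` added to `DraftsHandler` is the second of three byte-identical copies of the author check in this file, so any later correction (chaining to the base `prepare()`, a different status code, logging the refused attempt) must be repeated three times. A small mixin holding the decorated `prepare()` once, e.g. `class BlogAuthorMixin:`, lets each handler opt in with a single base-class change such as `class DraftsHandler(BlogAuthorMixin, base.BaseHandler):`. List the mixin first so its `prepare()` is the one Tornado calls and it can chain to the base handler with `super().prepare()`. The `get()` at the end of the hunk continues outside it.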
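Review bot: The comment `# Check if the user has permissions` on the new `ComposeHandler.prepare()` names neither the permission nor why the check sits in `prepare()` instead of on `get()`; since `prepare()` runs before every verb method, it is what also protects any `post()` handler for the compose form, which would be further down and outside this hunk. Suggest `# Only blog authors may compose posts; checking in prepare() covers every HTTP verb (GET form and POST submit), not just get()`. With the check in `prepare()`, the `@tornado.web.authenticated` left on `get()` is redundant once `prepare()` has already redirected or refused an anonymous request, though it is harmless as defence in depth. `ComposeHandler` continues past the end of the hunk.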