From e8a81a709e78dd8763798981f1e38bcad41725e9 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 1 Sep 2018 15:53:42 +0100
Subject: [PATCH] blog: Only allow to edit own posts

Signed-off-by: Michael Tremer
---
 src/backend/blog.py | 4 ++++
 src/web/blog.py | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/backend/blog.py b/src/backend/blog.py
index 71f3cbae..3a0e2e09 100644
--- a/src/backend/blog.py
+++ b/src/backend/blog.py
@@ -299,3 +299,7 @@ class Post(misc.Object):
 def release(self):
 return self.backend.releases._get_release("SELECT * FROM releases \
 WHERE published IS NOT NULL AND published <= NOW() AND blog_id = %s", self.id)
+
+ def is_editable(self, editor):
+ # Authors can edit their own posts
+ return self.author == editor
diff --git a/src/web/blog.py b/src/web/blog.py
index 22cb6da9..59168af1 100644
--- a/src/web/blog.py
+++ b/src/web/blog.py
@@ -122,7 +122,9 @@ class EditHandler(base.BaseHandler):
 if not post:
 raise tornado.web.HTTPError(404)
 
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 
 self.render("blog/compose.html", post=post)
 
@@ -132,7 +134,9 @@ class EditHandler(base.BaseHandler):
 if not post:
 raise tornado.web.HTTPError(404)
 
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 
 with self.db.transaction():
 # Update title
 
-- 
2.47.3
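Review bot: `is_editable` grants access whenever `self.author == editor`, so a post whose author is unset and a request with no logged-in user (both `None`) would compare equal and pass the check; a default-deny guard such as `if editor is None: return False` before the comparison closes that, unless EditHandler is already known to require login (any such decorator sits outside this hunk). Whether `self.author` and `editor` are the same kind of value (an account object versus an identifier string) is not visible here, so confirm the equality really compares the identities the policy intends. The new method also has no docstring; a line such as `"""Return True if *editor* may modify this post; currently only the post's author may."""` would document the policy where future rules (moderators, admins) will be added.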
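Review bot: The lookup-then-authorize sequence (`if not post: raise 404` followed by `if not post.is_editable(self.current_user): raise 403`) is now duplicated verbatim in both EditHandler methods, in this hunk and the following one at `@@ -132,7 +134,9 @@`; factoring it into one helper such as `_get_editable_post` that both methods call keeps a future policy change from being applied to only one of the two paths. Both enclosing methods start before their hunks (the `post` lookup itself is outside the visible lines), so the helper's signature depends on how the post is looked up there. The 403's second argument is Tornado's `log_message`, which goes to the server log rather than the client, so including `self.current_user` and `post` in it is fine; note only that the distinct 404/403 responses let a non-author learn whether a post id exists, which is presumably acceptable for a public blog.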