def release(self):
return self.backend.releases._get_release("SELECT * FROM releases \
WHERE published IS NOT NULL AND published <= NOW() AND blog_id = %s", self.id)
+
+ def is_editable(self, editor):
+ # Authors can edit their own posts
+ return self.author == editor
if not post:
raise tornado.web.HTTPError(404)
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
self.render("blog/compose.html", post=post)
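Review bot: The new guard `if not post.is_editable(self.current_user):` only works if `post.author` and `self.current_user` are the same kind of value; `is_editable` (added in the earlier hunk) is a bare `self.author == editor`, so if one side is a user id and the other a user object the check is always False and every author is locked out with a 403, and nothing in the hunk pins this down. It also means an unauthenticated request (`current_user` is None) gets a 403 rather than the login redirect, unless the handler carries `@tornado.web.authenticated`, which is outside the visible lines — worth confirming. I would document the contract on the method in the earlier hunk, e.g. `"""Return True when *editor* (same type as self.author) is this post's author."""`, and add one test that exercises the 403 path with a non-author user so a type mismatch is caught rather than silently failing closed. The same check is duplicated in the following hunk (the second `if not post:` block); a single helper on the handler would keep the two paths from drifting. The enclosing handler methods start outside both hunks.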
if not post:
raise tornado.web.HTTPError(404)
- # XXX check if post is editable
+ # Check if post is editable
+ if not post.is_editable(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
with self.db.transaction():
# Update title