blog: Only allow to edit own posts
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Sep 2018 14:53:42 +0000 (15:53 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Sep 2018 14:53:42 +0000 (15:53 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/backend/blog.py
src/web/blog.py

index 71f3cbae58c8d5fa1c878d8ddde06b63544207dd..3a0e2e098d45264522fdfe62da3853486625025c 100644 (file)
@@ -299,3 +299,7 @@ class Post(misc.Object):
        def release(self):
                return self.backend.releases._get_release("SELECT * FROM releases \
                        WHERE published IS NOT NULL AND published <= NOW() AND blog_id = %s", self.id)
+
+       def is_editable(self, editor):
+               # Authors can edit their own posts
+               return self.author == editor
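Review bot: `is_editable` answers True when both `self.author` and `editor` are None, so a request with no logged-in user against a post without an author would be treated as editable if `EditHandler` is not guarded by `tornado.web.authenticated` (any decorator is outside this hunk, so this is inferred); rejecting a missing editor explicitly is cheap, `return editor is not None and self.author == editor`. How `self.author` compares with the account object passed as `editor` depends on `Post.author` and the account class, neither visible here, so it is worth confirming that the equality compares accounts by their identifier rather than falling back to object identity. The method also deserves a docstring, e.g. `"""Return True if editor is allowed to edit this post (currently only its author)."""`. The enclosing class `Post` continues outside the hunk.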
index 22cb6da91960cb8de62932c0c6330de1bfacf668..59168af13faf5f1662dec96f24ef5be2ed044d7b 100644 (file)
@@ -122,7 +122,9 @@ class EditHandler(base.BaseHandler):
                if not post:
                        raise tornado.web.HTTPError(404)
 
-               # XXX check if post is editable
+               # Check if post is editable
+               if not post.is_editable(self.current_user):
+                       raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 
                self.render("blog/compose.html", post=post)
 
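Review bot: The two added lines (`if not post.is_editable(...)` / `raise tornado.web.HTTPError(403, ...)`) are repeated verbatim in the `post` handler's hunk below, so the next rule (a moderator role, a locked post) would have to be added in two places; since the post lookup itself sits above both hunks and is not visible, the smallest extraction is a handler method, `def _check_editable(self, post):` / `if not post.is_editable(self.current_user):` / `raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))`, called from both `get` and `post`. The second argument of `HTTPError` is Tornado's log message, which is written to the server log and not shown to the client outside debug mode, so naming the user and post there is fine and should stay out of the response body. If `EditHandler` is not decorated with `tornado.web.authenticated` (not visible here), `self.current_user` can be None at this point and the check then relies entirely on `is_editable` rejecting a None editor. Both `get` and `post` begin outside their hunks.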
@@ -132,7 +134,9 @@ class EditHandler(base.BaseHandler):
                if not post:
                        raise tornado.web.HTTPError(404)
 
-               # XXX check if post is editable
+               # Check if post is editable
+               if not post.is_editable(self.current_user):
+                       raise tornado.web.HTTPError(403, "%s cannot edit %s" % (self.current_user, post))
 
                with self.db.transaction():
                        # Update title