Feature #403 - Ability to delete media entries - Fixes according to feedback

*   Moved `mediagoblin.confirm` stuff to `mediagoblin.user_pages`,
    templates too.
*   Removed route extension for `mediagoblin.confirm`
*   Created `delete_media_files` which deletes all media files
    on the public_store when the entry is deleted
*   Created a new decorator to check if a user has the permission
     to delete an entry.

1 files changed, 26 insertions, 0 deletions

diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c66049ca..c3d64327 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -51,6 +51,31 @@ def require_active_login(controller):
 
     return _make_safe(new_controller_func, controller)
 
+def user_may_delete_media(controller):
+    """
+    Require user ownership of the MediaEntry
+
+    Originally:
+def may_delete_media(request, media):
+    \"\"\"
+    Check, if the request's user may edit the media details
+    \"\"\"
+    if media['uploader'] == request.user['_id']:
+        return True
+    if request.user['is_admin']:
+        return True
+    return False
+    """
+    def wrapper(request, *args, **kwargs):
+        if not request.user['_id'] == request.db.MediaEntry.find_one(
+            {'_id': ObjectId(
+                    request.matchdict['media'])}).uploader()['_id']:
+            return exc.HTTPForbidden()
+
+        return controller(request, *args, **kwargs)
+
+    return _make_safe(wrapper, controller)
+
 
 def uses_pagination(controller):
     """
@@ -122,3 +147,4 @@ def get_media_entry_by_id(controller):
         return controller(request, media=media, *args, **kwargs)
 
     return _make_safe(wrapper, controller)
+