uses new 'username' variable in querystring to specify the user to edit

Previously, this view only allowed editing of the logged-in user. Now you
  can specify the user to edit in the querystring. If you are an admin the
  view allows you to edit any user's profile, with a warning message. The
  warning only shows up if the admin is editing another user's profile.

Make sure to pass the username to this view at every step in the process

1 files changed, 15 insertions, 2 deletions

diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index 5a7aa4bd..64fa0eab 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -74,7 +74,18 @@ def edit_media(request, media):
 @require_active_login
 def edit_profile(request):
 
-    user = request.user
+    # admins may edit any user profile given a username in the querystring
+    edit_username = request.GET.get('username')
+    if request.user['is_admin'] and request.user['username'] != edit_username:
+        user = request.db.User.find_one({'username': edit_username})
+        # No need to warn again if admin just submitted an edited profile
+        if request.method != 'POST':
+            messages.add_message(
+                request, messages.WARNING,
+                'You are editing a user\'s profile. Proceed with caution.')
+    else:
+        user = request.user
+
     form = forms.EditProfileForm(request.POST,
         url = user.get('url'),
         bio = user.get('bio'))
@@ -87,7 +98,9 @@ def edit_profile(request):
             messages.add_message(request, 
             	                 messages.SUCCESS, 
             	                 'Profile edited!')
-            return redirect(request, "mediagoblin.edit.profile")
+            return redirect(request, 
+            	           "mediagoblin.edit.profile", 
+            	            username=edit_username)
 
     return render_to_response(
         request,