Merge branch 'master' into upstream-master

Conflicts:
	mediagoblin/templates/mediagoblin/base.html
	mediagoblin/templates/mediagoblin/user_pages/user.html

1 files changed, 22 insertions, 4 deletions

diff --git a/mediagoblin/user_pages/views.py b/mediagoblin/user_pages/views.py
index 64fa793e..c0553b18 100644
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@@ -286,11 +286,29 @@ def media_collect(request, media):
 
 
 #TODO: Why does @user_may_delete_media not implicate @require_active_login?
-@get_media_entry_by_id
-@require_active_login
-@user_may_delete_media
-def media_confirm_delete(request, media):
 
+@require_active_login
+def media_confirm_delete(request):
+    
+    allowed_state = [u'failed', u'processed']
+    media = None
+    for media_state in allowed_state:
+        media = request.db.MediaEntry.query.filter_by(id=request.matchdict['media_id'], state=media_state).first()
+        if media:
+            break
+    
+    if not media:
+        return render_404(request)
+    
+    given_username = request.matchdict.get('user')
+    if given_username and (given_username != media.get_uploader.username):
+        return render_404(request)
+    
+    uploader_id = media.uploader
+    if not (request.user.is_admin or
+            request.user.id == uploader_id):
+        raise Forbidden()
+    
     form = user_forms.ConfirmDeleteForm(request.form)
 
     if request.method == 'POST' and form.validate():