-rw-r--r--mediagoblin/decorators.py21
1 files changed, 6 insertions, 15 deletions
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c3d64327..f1b5d229 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -51,25 +51,16 @@ def require_active_login(controller):
return _make_safe(new_controller_func, controller)
+
def user_may_delete_media(controller):
"""
- Require user ownership of the MediaEntry
-
- Originally:
-def may_delete_media(request, media):
- \"\"\"
- Check, if the request's user may edit the media details
- \"\"\"
- if media['uploader'] == request.user['_id']:
- return True
- if request.user['is_admin']:
- return True
- return False
+ Require user ownership of the MediaEntry to delete.
"""
def wrapper(request, *args, **kwargs):
- if not request.user['_id'] == request.db.MediaEntry.find_one(
- {'_id': ObjectId(
- request.matchdict['media'])}).uploader()['_id']:
+ uploader = request.db.MediaEntry.find_one(
+ {'_id': ObjectId(request.matchdict['media'])}).uploader()
+ if not (request.user['is_admin'] or
+ request.user['_id'] == uploader['_id']):
return exc.HTTPForbidden()
return controller(request, *args, **kwargs)
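Review bot: In `wrapper`, the result of `find_one(...)` is dereferenced with `.uploader()` before any check that a MediaEntry was actually found, so a request for a non-existent media id would presumably fail with an unhandled exception rather than a clean 404; `ObjectId(request.matchdict['media'])` likewise raises on a malformed id taken from the URL. Split the lookup, e.g. `media = request.db.MediaEntry.find_one({...})` followed by `if media is None: return exc.HTTPNotFound()` (assuming `exc` is webob's exception module), and only then call `media.uploader()`. The new condition also indexes `request.user` unconditionally, so it relies on this decorator being stacked after `require_active_login`; that ordering is not visible in this hunk. Since `is_admin` now bypasses the ownership check, the docstring should say so, e.g. `Require that the user owns the MediaEntry or is an admin.` The end of `user_may_delete_media` lies outside the hunk.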