1 files changed, 18 insertions, 2 deletions

diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index 5533e81d..804fab7e 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -20,6 +20,7 @@ from urlparse import urljoin
 from werkzeug.exceptions import Forbidden, NotFound
 from werkzeug.urls import url_quote
 
+from mediagoblin import mg_globals as mgg
 from mediagoblin.db.models import MediaEntry, User
 from mediagoblin.tools.response import redirect, render_404
 
@@ -69,7 +70,7 @@ def user_may_delete_media(controller):
     """
     @wraps(controller)
     def wrapper(request, *args, **kwargs):
-        uploader_id = MediaEntry.query.get(request.matchdict['media']).uploader
+        uploader_id = kwargs['media'].uploader
         if not (request.user.is_admin or
                 request.user.id == uploader_id):
             raise Forbidden()
@@ -209,12 +210,27 @@ def get_media_entry_by_id(controller):
     @wraps(controller)
     def wrapper(request, *args, **kwargs):
         media = MediaEntry.query.filter_by(
-                id=request.matchdict['media'],
+                id=request.matchdict['media_id'],
                 state=u'processed').first()
         # Still no media?  Okay, 404.
         if not media:
             return render_404(request)
 
+        given_username = request.matchdict.get('user')
+        if given_username and (given_username != media.get_uploader.username):
+            return render_404(request)
+
         return controller(request, media=media, *args, **kwargs)
 
     return wrapper
+
+
+def get_workbench(func):
+    """Decorator, passing in a workbench as kwarg which is cleaned up afterwards"""
+
+    @wraps(func)
+    def new_func(*args, **kwargs):
+        with mgg.workbench_manager.create() as workbench:
+            return func(*args, workbench=workbench, **kwargs)
+
+    return new_func