Diffstat (limited to 'mediagoblin/decorators.py')
-rw-r--r-- | mediagoblin/decorators.py | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index c3d64327..f1b5d229 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -51,25 +51,16 @@ def require_active_login(controller):
 return _make_safe(new_controller_func, controller)
+
 def user_may_delete_media(controller):
 """
- Require user ownership of the MediaEntry
-
- Originally:
-def may_delete_media(request, media):
- \"\"\"
- Check, if the request's user may edit the media details
- \"\"\"
- if media['uploader'] == request.user['_id']:
- return True
- if request.user['is_admin']:
- return True
- return False
+ Require user ownership of the MediaEntry to delete.
 """
 def wrapper(request, *args, **kwargs):
- if not request.user['_id'] == request.db.MediaEntry.find_one(
- {'_id': ObjectId(
- request.matchdict['media'])}).uploader()['_id']:
+ uploader = request.db.MediaEntry.find_one(
+ {'_id': ObjectId(request.matchdict['media'])}).uploader()
+ if not (request.user['is_admin'] or
+ request.user['_id'] == uploader['_id']):
 return exc.HTTPForbidden()
 return controller(request, *args, **kwargs) |
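Review bot: The rewritten lookup in `wrapper` still chains `.uploader()` directly onto `find_one(...)`, so a media id that matches no entry (where `find_one` would return None) or a malformed `request.matchdict['media']` that `ObjectId` rejects would raise an unhandled exception instead of a clean 4xx, and both values come straight from the URL. Resolve the entry first and return a not-found response before the admin/owner test, as sketched below; this assumes `exc` also exposes `HTTPNotFound` and that `InvalidId` (from `bson.errors`) is imported, neither of which is visible in the hunk. It is also worth confirming that this decorator is always stacked under `require_active_login`, because `request.user['is_admin']` is now evaluated first and would fail if `request.user` is unset for an anonymous request. The body of `user_may_delete_media` continues past the end of the hunk.

```python
    def wrapper(request, *args, **kwargs):
        try:
            media_id = ObjectId(request.matchdict['media'])
        except InvalidId:
            return exc.HTTPNotFound()
        media = request.db.MediaEntry.find_one({'_id': media_id})
        if media is None:
            return exc.HTTPNotFound()
        uploader = media.uploader()
        # … unchanged: is_admin / ownership check and controller call …
```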