1 files changed, 35 insertions, 11 deletions

diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index a9071495..f372fbb9 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -17,13 +17,13 @@
 
 from webob import exc
 
-from mediagoblin.util import render_to_response, redirect, clean_html
+from mediagoblin import messages
+from mediagoblin.util import (
+    render_to_response, redirect, cleaned_markdown_conversion)
 from mediagoblin.edit import forms
 from mediagoblin.edit.lib import may_edit_media
 from mediagoblin.decorators import require_active_login, get_user_media_entry
 
-import markdown
-
 
 @get_user_media_entry
 @require_active_login
@@ -50,12 +50,9 @@ def edit_media(request, media):
         else:
             media['title'] = request.POST['title']
             media['description'] = request.POST.get('description')
-            
-            md = markdown.Markdown(
-                safe_mode = 'escape')
-            media['description_html'] = clean_html(
-                md.convert(
-                    media['description']))
+
+            media['description_html'] = cleaned_markdown_conversion(
+                media['description'])
 
             media['slug'] = request.POST['slug']
             media.save()
@@ -63,6 +60,14 @@ def edit_media(request, media):
             return redirect(request, "mediagoblin.user_pages.media_home",
                 user=media.uploader()['username'], media=media['slug'])
 
+    if request.user['is_admin'] \
+            and media['uploader'] != request.user['_id'] \
+            and request.method != 'POST':
+        messages.add_message(
+            request, messages.WARNING,
+            "You are editing another user's media. Proceed with caution.")
+        
+
     return render_to_response(
         request,
         'mediagoblin/edit/edit.html',
@@ -73,7 +78,18 @@ def edit_media(request, media):
 @require_active_login
 def edit_profile(request):
 
-    user = request.user
+    # admins may edit any user profile given a username in the querystring
+    edit_username = request.GET.get('username')
+    if request.user['is_admin'] and request.user['username'] != edit_username:
+        user = request.db.User.find_one({'username': edit_username})
+        # No need to warn again if admin just submitted an edited profile
+        if request.method != 'POST':
+            messages.add_message(
+                request, messages.WARNING,
+                "You are editing a user's profile. Proceed with caution.")
+    else:
+        user = request.user
+
     form = forms.EditProfileForm(request.POST,
         url = user.get('url'),
         bio = user.get('bio'))
@@ -81,9 +97,17 @@ def edit_profile(request):
     if request.method == 'POST' and form.validate():
             user['url'] = request.POST['url']
             user['bio'] = request.POST['bio']
+
+            user['bio_html'] = cleaned_markdown_conversion(user['bio'])
+
             user.save()
 
-            return redirect(request, "index", user=user['username'])
+            messages.add_message(request, 
+            	                 messages.SUCCESS, 
+            	                 'Profile edited!')
+            return redirect(request,
+                           'mediagoblin.user_pages.user_home',
+            	            user=edit_username)
 
     return render_to_response(
         request,