Diffstat (limited to 'mediagoblin/edit/views.py')
-rw-r--r-- | mediagoblin/edit/views.py | 88 |
1 files changed, 64 insertions, 24 deletions
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index 2d42ff0b..c656c63f 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -14,10 +14,10 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-from webob import exc
 from cgi import FieldStorage
 from datetime import datetime
+from werkzeug.exceptions import Forbidden
 from werkzeug.utils import secure_filename
 from mediagoblin import messages
@@ -26,8 +26,9 @@ from mediagoblin import mg_globals
 from mediagoblin.auth import lib as auth_lib
 from mediagoblin.edit import forms
 from mediagoblin.edit.lib import may_edit_media
-from mediagoblin.decorators import require_active_login, get_user_media_entry, \
- user_may_alter_collection, get_user_collection
+from mediagoblin.decorators import (require_active_login, active_user_from_url,
+ get_media_entry_by_id,
+ get_user_media_entry, user_may_alter_collection, get_user_collection)
 from mediagoblin.tools.response import render_to_response, redirect
 from mediagoblin.tools.translate import pass_to_ugettext as _
 from mediagoblin.tools.text import (
@@ -37,11 +38,11 @@ from mediagoblin.db.util import check_media_slug_used, check_collection_slug_use
 import mimetypes
-@get_user_media_entry
+@get_media_entry_by_id
 @require_active_login
 def edit_media(request, media):
 if not may_edit_media(request, media):
- return exc.HTTPForbidden()
+ raise Forbidden("User may not edit this media")
 defaults = dict(
 title=media.title,
@@ -57,8 +58,8 @@ def edit_media(request, media):
 if request.method == 'POST' and form.validate():
 # Make sure there isn't already a MediaEntry with such a slug
 # and userid.
- slug_used = check_media_slug_used(request.db, media.uploader,
- request.form['slug'], media.id)
+ slug_used = check_media_slug_used(media.uploader, request.form['slug'],
+ media.id)
 if slug_used:
 form.slug.errors.append(
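Review bot: In the `edit_media` hunk the new `@get_media_entry_by_id` is stacked above `@require_active_login`, so the media lookup by id presumably runs before the login check, whereas `edit_profile` in this same commit puts `@require_active_login` outermost. If the lookup decorator answers a missing id differently from an existing one, an unauthenticated client can tell which media ids exist. Consider swapping the two lines to `@require_active_login` followed by `@get_media_entry_by_id`, provided the lookup decorator does not depend on being outermost, or add a comment explaining why the lookup must come first. The body of `edit_media` continues outside the hunk.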
@@ -75,11 +76,11 @@ def edit_media(request, media):
 media.save()
- return exc.HTTPFound(
- location=media.url_for_self(request.urlgen))
+ return redirect(request,
+ location=media.url_for_self(request.urlgen))
 if request.user.is_admin \
- and media.uploader != request.user._id \
+ and media.uploader != request.user.id \
 and request.method != 'POST':
 messages.add_message(
 request, messages.WARNING,
@@ -130,7 +131,7 @@ def edit_attachments(request, media):
 attachment_public_filepath \
 = mg_globals.public_store.get_unique_filepath(
- ['media_entries', unicode(media._id), 'attachment',
+ ['media_entries', unicode(media.id), 'attachment',
 public_filename])
 attachment_public_file = mg_globals.public_store.get_file(
@@ -153,34 +154,42 @@ def edit_attachments(request, media): messages.add_message( request, messages.SUCCESS, - "You added the attachment %s!" \ + _("You added the attachment %s!") \ % (request.form['attachment_name'] or request.files['attachment_file'].filename)) - return exc.HTTPFound( - location=media.url_for_self(request.urlgen)) + return redirect(request, + location=media.url_for_self(request.urlgen)) return render_to_response( request, 'mediagoblin/edit/attachments.html', {'media': media, 'form': form}) else: - return exc.HTTPForbidden() + raise Forbidden("Attachments are disabled") + +@require_active_login +def legacy_edit_profile(request): + """redirect the old /edit/profile/?username=USER to /u/USER/edit/""" + username = request.GET.get('username') or request.user.username + return redirect(request, 'mediagoblin.edit.profile', user=username) @require_active_login -def edit_profile(request): - # admins may edit any user profile given a username in the querystring - edit_username = request.GET.get('username') - if request.user.is_admin and request.user.username != edit_username: - user = request.db.User.find_one({'username': edit_username}) +@active_user_from_url +def edit_profile(request, url_user=None): + # admins may edit any user profile + if request.user.username != url_user.username: + if not request.user.is_admin: + raise Forbidden(_("You can only edit your own profile.")) + # No need to warn again if admin just submitted an edited profile if request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.")) - else: - user = request.user + + user = url_user form = forms.EditProfileForm(request.form, url=user.get('url'), 
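Review bot: The ownership test in `edit_profile` compares `request.user.username != url_user.username`, while the other ownership checks touched by this commit compare ids (`media.uploader != request.user.id`, `collection.creator != request.user.id`). Comparing `request.user.id != url_user.id` would keep the authorization decision independent of how `active_user_from_url` normalises the username taken from the URL, which is not visible here. The `url_user=None` default also means a call that bypasses the decorator fails with an AttributeError before the `Forbidden` branch is reached; dropping the default would make the contract explicit. The function body continues past the end of the hunk.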
@@ -258,6 +267,37 @@ def edit_account(request):
 @require_active_login
+def delete_account(request):
+ """Delete a user completely"""
+ user = request.user
+ if request.method == 'POST':
+ if request.form.get(u'confirmed'):
+ # Form submitted and confirmed. Actually delete the user account
+ # Log out user and delete cookies etc.
+ # TODO: Should we be using MG.auth.views.py:logout for this?
+ request.session.delete()
+
+ # Delete user account and all related media files etc....
+ request.user.delete()
+
+ # We should send a message that the user has been deleted
+ # successfully. But we just deleted the session, so we
+ # can't...
+ return redirect(request, 'index')
+
+ else: # Did not check the confirmation box...
+ messages.add_message(
+ request, messages.WARNING,
+ _('You need to confirm the deletion of your account.'))
+
+ # No POST submission or not confirmed, just show page
+ return render_to_response(
+ request,
+ 'mediagoblin/edit/delete_account.html',
+ {'user': user})
+
+
+@require_active_login
 @user_may_alter_collection
 @get_user_collection
 def edit_collection(request, collection):
@@ -278,7 +318,7 @@ def edit_collection(request, collection):
 # Make sure there isn't already a Collection with this title
 existing_collection = request.db.Collection.find_one({
- 'creator': request.user._id,
+ 'creator': request.user.id,
 'title':request.form['title']})
 if existing_collection and existing_collection.id != collection.id:
@@ -301,7 +341,7 @@ def edit_collection(request, collection):
 collection=collection.slug)
 if request.user.is_admin \
- and collection.creator != request.user._id \
+ and collection.creator != request.user.id \
 and request.method != 'POST':
 messages.add_message(
 request, messages.WARNING, |
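Review bot: `delete_account` irreversibly removes the account and its media on a single POST carrying `confirmed`, with no re-authentication, so possession of a live session is enough to destroy the account. The confirmation form should also ask for the current password and verify it before `request.user.delete()` is called; whether this route is covered by CSRF protection is not visible in the hunk and is worth confirming. Because `request.session.delete()` runs first, an exception in `request.user.delete()` leaves the user logged out with the account intact and nothing recorded. Logging the deletion (user id and outcome) around that call would make both the success and the failure case auditable.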