3 files changed, 58 insertions, 28 deletions

diff --git a/mediagoblin/moderation/forms.py b/mediagoblin/moderation/forms.py
index 718cd8fa..a3202359 100644
--- a/mediagoblin/moderation/forms.py
+++ b/mediagoblin/moderation/forms.py
@@ -28,7 +28,7 @@ class MultiCheckboxField(wtforms.SelectMultipleField):
 
     Iterating the field will produce subfields, allowing custom rendering of
     the enclosed checkbox fields.
-    
+
     code from http://wtforms.simplecodes.com/docs/1.0.4/specific_problems.html
     """
     widget = wtforms.widgets.ListWidget(prefix_label=False)
@@ -40,7 +40,7 @@ class PrivilegeAddRemoveForm(wtforms.Form):
 
 class ReportResolutionForm(wtforms.Form):
     action_to_resolve = MultiCheckboxField(
-        _(u'What action will you take to resolve the report?'), 
+        _(u'What action will you take to resolve the report?'),
         validators=[wtforms.validators.optional()],
         choices=ACTION_CHOICES)
     targeted_user   = wtforms.HiddenField('',
diff --git a/mediagoblin/moderation/tools.py b/mediagoblin/moderation/tools.py
index b4daca15..d58df3a8 100644
--- a/mediagoblin/moderation/tools.py
+++ b/mediagoblin/moderation/tools.py
@@ -31,17 +31,15 @@ def take_punitive_actions(request, form, report, user):
         # punitive actions that a moderator could take.
         if u'takeaway' in form.action_to_resolve.data:
             for privilege_name in form.take_away_privileges.data:
-                privilege = Privilege.query.filter(
-                    Privilege.privilege_name==privilege_name).one()
+                take_away_privileges(user.username, privilege_name)
                 form.resolution_content.data += \
-                    u"<br>%s took away %s\'s %s privileges" % (
+                    u"<br>%s took away %s\'s %s privileges." % (
                         request.user.username,
                         user.username,
-                        privilege.privilege_name)
-                user.all_privileges.remove(privilege)
+                        privilege_name)
 
         # If the moderator elects to ban the user, a new instance of user_ban
-        # will be created.        
+        # will be created.
         if u'userban' in form.action_to_resolve.data:
             reason = form.resolution_content.data + \
                 "<br>"+request.user.username
@@ -51,7 +49,7 @@ def take_punitive_actions(request, form, report, user):
                 reason= form.why_user_was_banned.data
             )
             Session.add(user_ban)
-    
+
             if form.user_banned_until.data is not None:
                 form.resolution_content.data += \
                     u"<br>%s banned user %s until %s." % (
@@ -86,17 +84,17 @@ def take_punitive_actions(request, form, report, user):
                 deleted_comment = report.comment
                 Session.delete(deleted_comment)
                 form.resolution_content.data += \
-                    u"<br>%s deleted the comment" % (
+                    u"<br>%s deleted the comment." % (
                         request.user.username)
         elif u'delete' in form.action_to_resolve.data and \
-            report.is_media_entry_report():    
+            report.is_media_entry_report():
                 deleted_media = report.media_entry
                 Session.delete(deleted_media)
                 form.resolution_content.data += \
-                    u"<br>%s deleted the media entry" % (
-                        request.user.username)    
+                    u"<br>%s deleted the media entry." % (
+                        request.user.username)
 
-        # If the moderator didn't delete the content we then attach the 
+        # If the moderator didn't delete the content we then attach the
         # content to the archived report. We also have to actively delete the
         # old report, since it won't be deleted by cascading.
         elif report.is_comment_report():
@@ -133,3 +131,34 @@ def take_punitive_actions(request, form, report, user):
             request,
             'mediagoblin.moderation.reports_detail',
             report_id=report.id)
+
+def take_away_privileges(user,*privileges):
+    if len(privileges) == 1:
+        privilege = Privilege.query.filter(
+            Privilege.privilege_name==privileges[0]).first()
+        user = User.query.filter(
+            User.username==user).first()
+        if privilege in user.all_privileges:
+            user.all_privileges.remove(privilege)
+            return True
+        return False
+
+    elif len(privileges) > 1:
+        return (take_away_privileges(user, privileges[0]) and \
+            take_away_privileges(user, *privileges[1:]))
+
+def give_privileges(user,*privileges):
+    if len(privileges) == 1:
+        privilege = Privilege.query.filter(
+            Privilege.privilege_name==privileges[0]).first()
+        user = User.query.filter(
+            User.username==user).first()
+        if privilege not in user.all_privileges:
+            user.all_privileges.append(privilege)
+            return True
+        return False
+
+    elif len(privileges) > 1:
+        return (give_privileges(user, privileges[0]) and \
+            give_privileges(user, *privileges[1:]))
+
diff --git a/mediagoblin/moderation/views.py b/mediagoblin/moderation/views.py
index d82eca7d..b2223744 100644
--- a/mediagoblin/moderation/views.py
+++ b/mediagoblin/moderation/views.py
@@ -19,12 +19,12 @@ from werkzeug.exceptions import Forbidden
 from mediagoblin.db.models import (MediaEntry, User, MediaComment, \
                                    CommentReport, ReportBase, Privilege, \
                                    UserBan, ArchivedReport)
-from mediagoblin.db.util import user_privileges_to_dictionary
 from mediagoblin.decorators import (require_admin_or_moderator_login, \
-                                    active_user_from_url)
+                                    active_user_from_url, user_has_privilege)
 from mediagoblin.tools.response import render_to_response, redirect
 from mediagoblin.moderation import forms as moderation_forms
-from mediagoblin.moderation.tools import take_punitive_actions
+from mediagoblin.moderation.tools import (take_punitive_actions, \
+    take_away_privileges, give_privileges)
 from datetime import datetime
 
 @require_admin_or_moderator_login
@@ -86,7 +86,7 @@ def moderation_users_detail(request):
 @require_admin_or_moderator_login
 def moderation_reports_panel(request):
     '''
-    Show the global panel for monitoring reports filed against comments or 
+    Show the global panel for monitoring reports filed against comments or
         media entries for this instance.
     '''
     report_list = ReportBase.query.filter(
@@ -115,7 +115,7 @@ def moderation_reports_detail(request):
 
     form.take_away_privileges.choices = [
         (s.privilege_name,s.privilege_name.title()) \
-            for s in report.reported_user.all_privileges 
+            for s in report.reported_user.all_privileges
     ]
 
     if request.method == "POST" and form.validate() and not (
@@ -134,7 +134,7 @@ def moderation_reports_detail(request):
         {'report':report,
          'form':form})
 
-@require_admin_or_moderator_login
+@user_has_privilege(u'admin')
 @active_user_from_url
 def give_or_take_away_privilege(request, url_user):
     '''
@@ -144,12 +144,13 @@ def give_or_take_away_privilege(request, url_user):
     if request.method == "POST" and form.validate():
         privilege = Privilege.query.filter(
             Privilege.privilege_name==form.privilege_name.data).one()
-        if privilege in url_user.all_privileges:
-            url_user.all_privileges.remove(privilege)
-        else:      
-            url_user.all_privileges.append(privilege)
+        if not take_away_privileges(
+            url_user.username, form.privilege_name.data):
+
+            give_privileges(url_user.username, form.privilege_name.data)
         url_user.save()
-        return redirect(
-            request,
-            'mediagoblin.moderation.users_detail',
-            user=url_user.username)
+
+    return redirect(
+        request,
+        'mediagoblin.moderation.users_detail',
+        user=url_user.username)