Diffstat (limited to 'mediagoblin/user_pages/views.py')
-rw-r--r--mediagoblin/user_pages/views.py26
1 files changed, 22 insertions, 4 deletions
diff --git a/mediagoblin/user_pages/views.py b/mediagoblin/user_pages/views.py
index 64fa793e..c0553b18 100644
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@@ -286,11 +286,29 @@ def media_collect(request, media):
#TODO: Why does @user_may_delete_media not implicate @require_active_login?
-@get_media_entry_by_id
-@require_active_login
-@user_may_delete_media
-def media_confirm_delete(request, media):
+@require_active_login
+def media_confirm_delete(request):
+
+ allowed_state = [u'failed', u'processed']
+ media = None
+ for media_state in allowed_state:
+ media = request.db.MediaEntry.query.filter_by(id=request.matchdict['media_id'], state=media_state).first()
+ if media:
+ break
+
+ if not media:
+ return render_404(request)
+
+ given_username = request.matchdict.get('user')
+ if given_username and (given_username != media.get_uploader.username):
+ return render_404(request)
+
+ uploader_id = media.uploader
+ if not (request.user.is_admin or
+ request.user.id == uploader_id):
+ raise Forbidden()
+
form = user_forms.ConfirmDeleteForm(request.form)
if request.method == 'POST' and form.validate():
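Review bot: The ownership check `if not (request.user.is_admin or request.user.id == uploader_id): raise Forbidden()` is now a hand-written copy of the rule that `@user_may_delete_media` used to enforce, so this delete view can drift from any view that still uses the decorator, and the `#TODO` line above the function now refers to a decorator this view no longer applies. If the decorator was dropped only because the old lookup could not load `failed` entries (an inference, the hunk does not say), it would be safer to fix the lookup and keep the shared check; either way the TODO should be updated or removed. The view also answers 404 for an unknown or wrong-state id but 403 for an existing entry owned by someone else, which tells any logged-in user which media ids exist, including entries in the `failed` state; returning `render_404(request)` for the non-owner case as well closes that difference. The loop over `allowed_state` issues up to two queries where a single query matching either state would do. The body of `media_confirm_delete` continues past the end of this hunk.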