fix permissions

Kostiantyn Stoliarskyi 2023-05-09 17:45:48 +03:00
parent 950224926a
commit 1d424903bf
2 changed files with 8 additions and 6 deletions


@ -68,6 +68,7 @@
</div> </div>
<div id="accordion-collapse" data-accordion="collapse" class="flex mt-auto align-center justify-between space-x-3"> <div id="accordion-collapse" data-accordion="collapse" class="flex mt-auto align-center justify-between space-x-3">
<div>Commented by <span class="text-blue-500">{{comment.user.username}}</span> on {{comment.created_at.strftime('%B %d, %Y')}}{% if comment.edited %}<i class="text-green-200"> edited</i>{% endif %}</div> <div>Commented by <span class="text-blue-500">{{comment.user.username}}</span> on {{comment.created_at.strftime('%B %d, %Y')}}{% if comment.edited %}<i class="text-green-200"> edited</i>{% endif %}</div>
{% if comment.user_id == current_user.id %}
<div class="flex ml-auto justify-between w-24"> <div class="flex ml-auto justify-between w-24">
<div class="relative"> <div class="relative">
<button id="edit_comment_btn" data-popover-target="popover-edit" data-edit-comment-id="{{comment.id}}" data-edit-comment-text="{{comment.text}}" type="button" data-modal-target="edit_comment_modal" data-modal-toggle="edit_comment_modal" class="space-x-0.5 flex items-center"> <button id="edit_comment_btn" data-popover-target="popover-edit" data-edit-comment-id="{{comment.id}}" data-edit-comment-text="{{comment.text}}" type="button" data-modal-target="edit_comment_modal" data-modal-toggle="edit_comment_modal" class="space-x-0.5 flex items-center">
@ -100,6 +101,7 @@
<div data-popper-arrow></div> <div data-popper-arrow></div>
</div> </div>
</div></div> </div></div>
{% endif %}
</dt> </dt>
</div> </div>
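Review bot: The added `{% if comment.user_id == current_user.id %}` guard only hides the edit and delete controls; it is a display rule, not an authorization check. The comment id still travels in `data-edit-comment-id`, which the client controls, so the views that receive it have to compare the comment's author with the logged-in user on the server. Once they do, I would document that next to the guard with a template comment such as `{# display only: authorship is enforced in the comment edit/delete views #}`. The guarded block spans the gap between the two hunks, so its full contents are not visible here.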


@ -1129,14 +1129,14 @@ def interpretation_delete(
@bp.route( @bp.route(
"/<int:book_id>/<int:collection_id>/<int:section_id>/<int:interpretation_id>/preview", "/<int:book_id>/<int:collection_id>/<int:section_id>/<int:interpretation_id>/preview",
methods=["GET", "POST"], methods=["GET"],
) )
@bp.route( @bp.route(
( (
"/<int:book_id>/<int:collection_id>/<int:sub_collection_id>/" "/<int:book_id>/<int:collection_id>/<int:sub_collection_id>/"
"<int:section_id>/<int:interpretation_id>/preview" "<int:section_id>/<int:interpretation_id>/preview"
), ),
methods=["GET", "POST"], methods=["GET"],
) )
@login_required @login_required
def qa_view( def qa_view(
@ -1147,7 +1147,7 @@ def qa_view(
sub_collection_id: int | None = None, sub_collection_id: int | None = None,
): ):
book: m.Book = db.session.get(m.Book, book_id) book: m.Book = db.session.get(m.Book, book_id)
if not book or book.owner != current_user or book.is_deleted: if not book or book.is_deleted:
log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book) log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book)
flash("You are not owner of this book!", "danger") flash("You are not owner of this book!", "danger")
return redirect(url_for("book.my_books")) return redirect(url_for("book.my_books"))
@ -1232,7 +1232,7 @@ def create_comment(
sub_collection_id: int | None = None, sub_collection_id: int | None = None,
): ):
book: m.Book = db.session.get(m.Book, book_id) book: m.Book = db.session.get(m.Book, book_id)
if not book or book.owner != current_user or book.is_deleted: if not book or book.is_deleted:
log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book) log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book)
flash("You are not owner of this book!", "danger") flash("You are not owner of this book!", "danger")
return redirect(url_for("book.my_books")) return redirect(url_for("book.my_books"))
@ -1343,7 +1343,7 @@ def comment_delete(
): ):
book: m.Book = db.session.get(m.Book, book_id) book: m.Book = db.session.get(m.Book, book_id)
if not book or book.owner != current_user or book.is_deleted: if not book or book.is_deleted:
log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book) log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book)
flash("You are not owner of this book!", "danger") flash("You are not owner of this book!", "danger")
return redirect(url_for("book.my_books")) return redirect(url_for("book.my_books"))
@ -1438,7 +1438,7 @@ def comment_edit(
): ):
book: m.Book = db.session.get(m.Book, book_id) book: m.Book = db.session.get(m.Book, book_id)
if not book or book.owner != current_user or book.is_deleted: if not book or book.is_deleted:
log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book) log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book)
flash("You are not owner of this book!", "danger") flash("You are not owner of this book!", "danger")
return redirect(url_for("book.my_books")) return redirect(url_for("book.my_books"))
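Review bot: Dropping `book.owner != current_user` from `comment_delete` and `comment_edit` leaves no ownership test in the visible lines, so unless the rest of each body (outside these hunks) checks authorship, any logged-in user could edit or delete another user's comment by id. After the comment is loaded, each handler should reject a mismatch, along the lines of `if comment.user_id != current_user.id:` followed by the existing flash-and-redirect. The same guard in `qa_view` and `create_comment` now fires only for a missing or deleted book, yet the log and flash still say "not owner"; something like `log(log.INFO, "Book: [%s] not found or deleted", book_id)` would keep the audit trail accurate. If books can be private, also confirm that `qa_view` is meant to be open to every authenticated user.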