2019-12-03 20:32:01 +01:00
{% extends "base/base.html" %}
{% import "widgets/editor.html" as widget_editor %}
review of privileges and forum permissions

* Sorted privileges into categories, similar to the v4.3 style

Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
  and can_delete_post()

Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.

Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
  forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
  could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
  topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (e.g. mods) could edit
  and delete messages in forums they can't access (e.g. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
  see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
  forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
  including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
  on every message, even though most were unusable

Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
  which I assume worked by chance until now
* Removed the old assets/privs.txt file, which is now superseded by the
  list implemented in app/data/groups.yaml

This commit changes group and forum information, run master.py with:
  @> forums update
  @> groups update

2021-02-26 18:29:25 +01:00
{% import "widgets/thread.html" as widget_thread with context %}
2020-07-21 18:45:06 +02:00
{% import "widgets/user.html" as widget_user %}
2019-12-07 16:34:39 +01:00
{% import "widgets/pagination.html" as widget_pagination with context %}
2019-12-03 20:32:01 +01:00
{% block title %}
2019-12-03 23:13:22 +01:00
<a href='/forum'>Forum de Planète Casio</a> » <a href="{{ url_for('forum_page', f=t.forum) }}">{{ t.forum.name }}</a> » <h1>{{ t.title }}</h1>
2019-12-03 20:32:01 +01:00
{% endblock %}
{% block content %}
<section>
<h1>{{ t.title }}</h1>
2020-10-31 15:33:29 +01:00
{{ widget_thread.thread([t.thread.top_comment], None) }}
2019-12-03 20:32:01 +01:00
2020-07-16 23:58:21 +02:00
{{ widget_pagination.paginate(comments, 'forum_topic', t, {'f': t.forum}) }}
2019-12-07 16:34:39 +01:00
2020-10-31 15:33:29 +01:00
{{ widget_thread.thread(comments.items, t.thread.top_comment) }}
2019-12-03 20:32:01 +01:00
2020-07-16 23:58:21 +02:00
{{ widget_pagination.paginate(comments, 'forum_topic', t, {'f': t.forum}) }}
2019-12-17 13:16:06 +01:00
2021-02-21 20:17:48 +01:00
{% if outdated %}
2021-01-12 16:40:52 +01:00
<div class="bg-warn">
2021-02-21 20:29:55 +01:00
Ce topic est sans activité depuis {{ outdated }} jours, êtes-vous sûr de vouloir y poster ?
2021-01-12 16:40:52 +01:00
</div>
{% endif %}
2021-02-26 18:29:25 +01:00
{% if V5Config.ENABLE_GUEST_POST
or (current_user.is_authenticated and current_user.can_post_in_forum(t.forum)) %}
2019-12-03 20:32:01 +01:00
<div class=form>
2020-09-26 11:56:07 +02:00
<h3>Commenter le sujet</h3>
2020-07-17 23:49:04 +02:00
<form action="" method="post" enctype="multipart/form-data">
2020-09-26 11:56:07 +02:00
{{ form.hidden_tag() }}
2019-12-03 20:32:01 +01:00
2020-07-17 23:49:04 +02:00
{% if form.pseudo %}
2021-07-10 12:29:52 +02:00
<div>
2020-07-17 23:49:04 +02:00
{{ form.pseudo.label }}
{{ form.pseudo }}
{% for error in form.pseudo.errors %}
2020-09-26 11:56:07 +02:00
<span class="msgerror">{{ error }}</span>
{% endfor %}
2021-07-10 12:29:52 +02:00
{{ form.ab }}
</div>
2020-07-17 23:49:04 +02:00
{% endif %}
2020-09-26 11:56:07 +02:00
{{ widget_editor.text_editor(form.message, label=False) }}
2019-12-03 20:32:01 +01:00
2021-07-08 16:47:39 +02:00
<div>
{{ form.attachments.label }}
<div>
{{ form.attachments }}
{% for error in form.attachments.errors %}
<span class="msgerror">{{ error }}</span>
{% endfor %}
</div>
</div>
2020-08-01 21:26:06 +02:00
2020-09-26 11:56:07 +02:00
<div>{{ form.submit(class_='bg-ok') }}</div>
</form>
</div>
2021-02-26 18:29:25 +01:00
{% endif %}
2019-12-03 20:32:01 +01:00
</section>
{% endblock %}
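
The template above only decides whether the comment form is displayed; the commit message lists routes that had to enforce the same rule themselves. The sketch below is an added example, not code from this repository: it puts the template's predicate in one helper and reuses it on the request path. `Forum`, `Member`, `Anonymous`, `post_priv`, `may_post` and `handle_comment` are hypothetical names.

```python
from dataclasses import dataclass, field


# Constructed stand-ins: the project's real Forum and Member models are not
# shown on this page, and post_priv is a hypothetical privilege name.
@dataclass
class Forum:
    name: str
    post_priv: str


@dataclass
class Member:
    privs: set = field(default_factory=set)
    is_authenticated: bool = True

    def can_post_in_forum(self, forum):
        return forum.post_priv in self.privs


class Anonymous:
    """Logged-out user as the commit message describes it: not a Guest,
    so it carries no can_*() methods at all."""
    is_authenticated = False


def may_post(user, forum, guest_post_enabled):
    """Same predicate as the template's {% if %}, callable from a route."""
    # is_authenticated is tested first so that can_post_in_forum() is never
    # looked up on an Anonymous object.
    return bool(guest_post_enabled or (
        user.is_authenticated and user.can_post_in_forum(forum)))


def handle_comment(user, forum, guest_post_enabled, message):
    """Request-side enforcement: a hidden form does not stop a direct POST."""
    if not may_post(user, forum, guest_post_enabled):
        return 403, None
    return 200, message


if __name__ == "__main__":
    staff = Forum("staff", "forum.post.staff")          # constructed sample
    print(handle_comment(Anonymous(), staff, False, "hi"))   # (403, None)
    print(handle_comment(Member({"forum.post.staff"}), staff, False, "hi"))
```

Because the guest-post flag is the first operand of `or`, the per-forum check is not evaluated at all when the flag is set.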