2020-09-26 11:56:07 +02:00
{% import "widgets/user.html" as widget_user %}
{% import "widgets/attachments.html" as widget_attachments %}
2020-10-31 15:33:29 +01:00
{% macro thread(comments, top_comment) %}
<table class="thread {{ 'topcomment' if top_comment == None else ''}} ">
{% for c in comments %}
2020-09-26 11:56:07 +02:00
<tr id="{{ c.id }}">
{% if c != top_comment %}
<td class="author">{{ widget_user.profile(c.author) }}</td>
2021-03-05 13:52:55 +01:00
<td class="message">
2020-10-31 15:15:44 +01:00
<div class="info">
2021-07-10 17:54:07 +02:00
<div>Posté le {{ c.date_created|dyndate }}</div>
2020-10-31 15:15:44 +01:00
{% if c.date_created != c.date_modified %}
2021-07-10 17:54:07 +02:00
<div>Modifié le {{ c.date_modified|dyndate }}</div>
2020-10-31 15:15:44 +01:00
{% endif %}
2021-02-20 19:30:18 +01:00
<div><a href="{{ request.path }}#{{ c.id }}">Permalien</a></div>
review of privileges and forum permissions

* Sorted privileges into categories, similar to the v4.3 style

Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
  and can_delete_post()

Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.

Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
  forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
  could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
  topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
  and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
  see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
  forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
  including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
  on every message, even though most were unusable

Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
  which I assume worked by chance until now
* Removed the old assets/privs.txt file, which is now superseded by the
  list implemented in app/data/groups.yaml

This commit changes group and forum information, run master.py with:
  @> forums update
  @> groups update
2021-02-26 18:29:25 +01:00
{# TODO: Let guests edit their posts #}
{% if current_user.is_authenticated and current_user.can_edit_post(c) %}
<div><a href="{{ url_for('edit_post', postid=c.id, r=request.path) }}">Modifier</a></div>
{% endif %}
{% if current_user.is_authenticated and current_user.can_delete_post(c) %}
<div><a href="{{ url_for('delete_post', postid=c.id, csrf_token=csrf_token()) }}" onclick="return confirm('Le message sera supprimé')">Supprimer</a></div>
{% endif %}
2020-09-26 11:56:07 +02:00
</div>
2020-09-26 12:31:17 +02:00

2020-09-26 11:56:07 +02:00
{{ c.text|md }}
2020-09-26 12:31:17 +02:00

2020-09-26 11:56:07 +02:00
{{ widget_attachments.attachments(c) }}
2020-09-26 12:31:17 +02:00

2021-02-21 12:15:29 +01:00
{% if c.author.signature %}
<hr class="signature">
2020-10-31 10:11:07 +01:00
{{ c.author.signature|md }}
{% endif %}
2020-11-01 15:59:07 +01:00
</td>
2020-09-26 11:56:07 +02:00
{% elif loop.index0 != 0 %}
<div>Ce message est le top comment</div>
{% endif %}
</tr>
{% endfor %}
</table>
{% endmacro %}
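
The commit message above describes two things this template relies on: the Edit/Delete links are only displayed when `can_edit_post()` / `can_delete_post()` allow it, and the routes enforce forum access as well. The following Python sketch is an added example, not the project's code; it models that pairing with one shared predicate. Every class, the `may_edit()` helper, the status codes and the privilege name `forum.creativecalc` are assumptions made for illustration; only `edit.posts`, `creativecalc`, `is_authenticated`, `can_access_forum()` and `can_edit_post()` are names taken from the page.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Forum:
    name: str
    required_priv: Optional[str] = None  # None: accessible by default (assumed model)

@dataclass
class Post:
    id: int
    author: str
    forum: Forum

@dataclass
class Member:
    name: str
    privs: set = field(default_factory=set)
    is_authenticated: bool = True

    def can_access_forum(self, forum):
        return forum.required_priv is None or forum.required_priv in self.privs

    def can_edit_post(self, post):
        # Forum access comes first: edit.posts alone must not reach hidden forums.
        if not self.can_access_forum(post.forum):
            return False
        return post.author == self.name or "edit.posts" in self.privs

class Anonymous:
    """Logged-out user with no can_*() methods, as the commit message notes."""
    is_authenticated = False

def may_edit(user, post):
    # Authentication is tested first so can_edit_post() is never called on Anonymous.
    return bool(user.is_authenticated and user.can_edit_post(post))

def show_edit_link(user, post):
    # Template side: cosmetic only, decides whether "Modifier" is rendered.
    return may_edit(user, post)

def edit_post_route(user, post):
    # Route side: the enforcement point, since the URL can be requested directly.
    return 200 if may_edit(user, post) else 403

# Constructed sample data; the privilege name "forum.creativecalc" is made up.
public = Forum("general")
restricted = Forum("creativecalc", required_priv="forum.creativecalc")
mod = Member("mod", {"edit.posts"})
alice = Member("alice")
```

Because the template and the route call the same predicate, a link that is hidden is also a request that is refused, and the anonymous case never raises `AttributeError`.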