2020-08-01 17:25:08 +02:00
|
|
|
from app import app, db
|
2021-07-11 11:00:24 +02:00
|
|
|
from app.models.user import Member
|
2020-08-01 17:25:08 +02:00
|
|
|
from app.models.post import Post
|
2021-07-12 19:06:23 +02:00
|
|
|
from app.models.comment import Comment
|
2021-07-08 16:47:39 +02:00
|
|
|
from app.models.attachment import Attachment
|
2021-07-12 17:49:54 +02:00
|
|
|
from app.models.topic import Topic
|
|
|
|
|
from app.models.program import Program
|
2020-08-01 17:25:08 +02:00
|
|
|
from app.utils.render import render
|
2020-09-26 14:55:55 +02:00
|
|
|
from app.utils.check_csrf import check_csrf
|
2021-07-12 19:06:23 +02:00
|
|
|
from app.forms.forum import CommentEditForm, AnonymousCommentEditForm, TopicEditForm
|
2021-07-08 16:47:39 +02:00
|
|
|
from wtforms import BooleanField
|
2020-09-24 23:25:25 +02:00
|
|
|
from urllib.parse import urlparse
|
|
|
|
|
from flask import redirect, url_for, abort, request
|
2020-08-01 17:25:08 +02:00
|
|
|
from flask_login import login_required, current_user
|
|
|
|
|
|
|
|
|
|
@app.route('/post/<int:postid>', methods=['GET','POST'])
|
|
|
|
|
@login_required
|
|
|
|
|
def edit_post(postid):
|
2020-09-24 23:25:25 +02:00
|
|
|
# TODO: Maybe not safe
|
|
|
|
|
referrer = urlparse(request.args.get('r', default = '/', type = str)).path
|
|
|
|
|
print(referrer)
|
|
|
|
|
|
2020-08-01 17:25:08 +02:00
|
|
|
p = Post.query.filter_by(id=postid).first_or_404()
|
|
|
|
|
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
# Check permissions. TODO: Allow guests to edit their posts
|
|
|
|
|
if current_user.is_anonymous or not current_user.can_edit_post(p):
|
2020-08-01 17:25:08 +02:00
|
|
|
abort(403)
|
|
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
if isinstance(p, Comment):
|
|
|
|
|
base = CommentEditForm
|
|
|
|
|
comment = p
|
|
|
|
|
elif isinstance(p, Topic):
|
|
|
|
|
base = TopicEditForm
|
|
|
|
|
comment = p.thread.top_comment
|
|
|
|
|
else:
|
|
|
|
|
abort(404)
|
|
|
|
|
|
|
|
|
|
class TheForm(base):
|
|
|
|
|
pass
|
|
|
|
|
for a in comment.attachments:
|
|
|
|
|
setattr(TheForm, f'a{a.id}', BooleanField(f'a{a.id}'))
|
|
|
|
|
setattr(TheForm, 'attachment_list',
|
|
|
|
|
{ f'a{a.id}': a for a in comment.attachments })
|
|
|
|
|
form = TheForm()
|
|
|
|
|
|
|
|
|
|
if form.validate_on_submit():
|
|
|
|
|
comment.text = form.message.data
|
2020-08-01 17:25:08 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
# Remove attachments
|
|
|
|
|
for id, a in form.attachment_list.items():
|
|
|
|
|
if form[id].data:
|
|
|
|
|
a.delete()
|
2020-08-01 17:25:08 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
# Add new attachments
|
|
|
|
|
attachments = []
|
|
|
|
|
for file in form.attachments.data:
|
|
|
|
|
if file.filename != "":
|
|
|
|
|
a = Attachment(file, comment)
|
|
|
|
|
attachments.append((a, file))
|
|
|
|
|
db.session.add(a)
|
2020-08-01 17:25:08 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
db.session.add(comment)
|
2021-07-08 16:47:39 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
if isinstance(p, Topic):
|
|
|
|
|
p.title = form.title.data
|
2021-07-08 16:47:39 +02:00
|
|
|
db.session.add(p)
|
|
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
db.session.commit()
|
2021-07-08 16:47:39 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
for a, file in attachments:
|
|
|
|
|
a.set_file(file)
|
2020-08-01 17:25:08 +02:00
|
|
|
|
2021-07-12 19:06:23 +02:00
|
|
|
return redirect(referrer)
|
|
|
|
|
|
|
|
|
|
# Non-submitted form
|
|
|
|
|
if isinstance(p, Comment):
|
2020-08-01 17:25:08 +02:00
|
|
|
form.message.data = p.text
|
|
|
|
|
return render('forum/edit_comment.html', comment=p, form=form)
|
2021-07-12 19:06:23 +02:00
|
|
|
elif isinstance(p, Topic):
|
|
|
|
|
form.message.data = p.thread.top_comment.text
|
|
|
|
|
form.title.data = p.title
|
|
|
|
|
return render('forum/edit_topic.html', t=p, form=form)
|
2020-09-26 14:55:55 +02:00
|
|
|
|
|
|
|
|
@app.route('/post/supprimer/<int:postid>', methods=['GET','POST'])
|
|
|
|
|
@login_required
|
|
|
|
|
@check_csrf
|
|
|
|
|
def delete_post(postid):
|
2021-07-12 18:30:31 +02:00
|
|
|
next_page = request.referrer
|
2020-09-26 14:55:55 +02:00
|
|
|
p = Post.query.filter_by(id=postid).first_or_404()
|
2021-07-12 20:05:32 +02:00
|
|
|
xp = -1
|
2020-09-26 14:55:55 +02:00
|
|
|
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
if current_user.is_anonymous or not current_user.can_delete_post(p):
|
2020-09-26 14:55:55 +02:00
|
|
|
abort(403)
|
|
|
|
|
|
2021-07-12 20:39:44 +02:00
|
|
|
# Users who need to have their trophies updated
|
|
|
|
|
authors = set()
|
|
|
|
|
|
2021-07-12 18:30:31 +02:00
|
|
|
# When deleting topics, return to forum page
|
|
|
|
|
if isinstance(p, Topic):
|
|
|
|
|
next_page = url_for('forum_page', f=p.forum)
|
2021-07-12 20:05:32 +02:00
|
|
|
xp = -2
|
2021-07-12 18:30:31 +02:00
|
|
|
|
2021-07-12 20:39:44 +02:00
|
|
|
for comment in p.thread.comments:
|
|
|
|
|
if isinstance(comment.author, Member):
|
|
|
|
|
comment.author.add_xp(-1)
|
|
|
|
|
db.session.merge(comment.author)
|
|
|
|
|
authors.add(comment.author)
|
|
|
|
|
|
2021-07-11 11:00:24 +02:00
|
|
|
if isinstance(p.author, Member):
|
2021-07-12 20:05:32 +02:00
|
|
|
factor = 3 if request.args.get('penalty') == 'True' else 1
|
|
|
|
|
p.author.add_xp(xp * factor)
|
2021-07-12 20:39:44 +02:00
|
|
|
db.session.merge(p.author)
|
|
|
|
|
authors.add(p.author)
|
2021-07-11 11:00:24 +02:00
|
|
|
|
2021-07-07 21:23:35 +02:00
|
|
|
p.delete()
|
2020-09-26 14:55:55 +02:00
|
|
|
db.session.commit()
|
2021-07-12 20:39:44 +02:00
|
|
|
|
|
|
|
|
for author in authors:
|
|
|
|
|
author.update_trophies("new-post")
|
|
|
|
|
|
2021-07-12 18:30:31 +02:00
|
|
|
return redirect(next_page)
|
2021-07-12 17:49:54 +02:00
|
|
|
|
|
|
|
|
@app.route('/post/entete/<int:postid>', methods=['GET'])
|
|
|
|
|
@login_required
|
|
|
|
|
@check_csrf
|
|
|
|
|
def set_post_topcomment(postid):
|
|
|
|
|
comment = Post.query.filter_by(id=postid).first_or_404()
|
|
|
|
|
|
|
|
|
|
if current_user.can_set_topcomment(comment):
|
|
|
|
|
comment.thread.top_comment = comment
|
|
|
|
|
db.session.add(comment.thread)
|
|
|
|
|
db.session.commit()
|
|
|
|
|
|
|
|
|
|
return redirect(request.referrer)
|
