Adds permissions checking for admin models

2022-09-19 09:51:41 -07:00 · 2022-09-19 09:51:41 -07:00 · 330be16516
commit 330be16516
parent e51980bc12
5 changed files with 35 additions and 8 deletions
--- a/bookwyrm/forms/admin.py
+++ b/bookwyrm/forms/admin.py
@ -2,13 +2,14 @@
 import datetime

 from django import forms
+from django.core.exceptions import PermissionDenied
 from django.forms import widgets
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import IntervalSchedule

 from bookwyrm import models
-from .custom_form import CustomForm
+from .custom_form import CustomForm, StyledForm


 # pylint: disable=missing-class-docstring
@ -130,7 +131,7 @@ class AutoModRuleForm(CustomForm):
        fields = ["string_match", "flag_users", "flag_statuses", "created_by"]


-class IntervalScheduleForm(CustomForm):
+class IntervalScheduleForm(StyledForm):
    class Meta:
        model = IntervalSchedule
        fields = ["every", "period"]
@ -139,3 +140,9 @@ class IntervalScheduleForm(CustomForm):
            "every": forms.NumberInput(attrs={"aria-describedby": "desc_every"}),
            "period": forms.Select(attrs={"aria-describedby": "desc_period"}),
        }
+
+    def save(self, request, *args, **kwargs):
+        """This is an outside model so the perms check works differently"""
+        if not request.user.has_perm("bookwyrm.moderate_user"):
+            raise PermissionDenied()
+        return super().save(*args, **kwargs)
--- a/bookwyrm/forms/custom_form.py
+++ b/bookwyrm/forms/custom_form.py
@ -4,7 +4,7 @@ from django.forms import ModelForm
 from django.forms.widgets import Textarea


-class CustomForm(ModelForm):
+class StyledForm(ModelForm):
    """add css classes to the forms"""

    def __init__(self, *args, **kwargs):
@ -16,7 +16,7 @@ class CustomForm(ModelForm):
        css_classes["checkbox"] = "checkbox"
        css_classes["textarea"] = "textarea"
        # pylint: disable=super-with-arguments
-        super(CustomForm, self).__init__(*args, **kwargs)
+        super().__init__(*args, **kwargs)
        for visible in self.visible_fields():
            if hasattr(visible.field.widget, "input_type"):
                input_type = visible.field.widget.input_type
@ -25,6 +25,10 @@ class CustomForm(ModelForm):
                visible.field.widget.attrs["rows"] = 5
            visible.field.widget.attrs["class"] = css_classes[input_type]

+
+class CustomForm(StyledForm):
+    """Check permissions on save"""
+
    def save(self, request, *args, **kwargs):
        """Save and check perms"""
        self.instance.raise_not_editable(request.user)