Merge branch 'main' into groups-merge-test

Big merge of a couple of weeks' work from the main project back into this branch. :ohno:
2021-10-03 10:49:38 +11:00 · 2021-10-03 10:49:38 +11:00 · 602664b8d7
commit 602664b8d7
parent f39887cf7f a36bbaf809
231 changed files with 8983 additions and 7361 deletions
--- a/bookwyrm/models/base_model.py
+++ b/bookwyrm/models/base_model.py
@ -1,8 +1,11 @@
 """ base model with default fields """
 import base64
 from Crypto import Random
+
+from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.dispatch import receiver
+from django.http import Http404
 from django.utils.translation import gettext_lazy as _

 from bookwyrm.settings import DOMAIN
@ -48,26 +51,26 @@ class BookWyrmModel(models.Model):
        """how to link to this object in the local app"""
        return self.get_remote_id().replace(f"https://{DOMAIN}", "")

-    def visible_to_user(self, viewer):
+    def raise_visible_to_user(self, viewer):
        """is a user authorized to view an object?"""
        # make sure this is an object with privacy owned by a user
        if not hasattr(self, "user") or not hasattr(self, "privacy"):
-            return None
+            return

        # viewer can't see it if the object's owner blocked them
        if viewer in self.user.blocks.all():
-            return False
+            raise Http404()

        # you can see your own posts and any public or unlisted posts
        if viewer == self.user or self.privacy in ["public", "unlisted"]:
-            return True
+            return

        # you can see the followers only posts of people you follow
        if (
            self.privacy == "followers"
            and self.user.followers.filter(id=viewer.id).first()
        ):
-            return True
+            return

        # you can see dms you are tagged in
        if hasattr(self, "mention_users"):
@ -75,6 +78,7 @@ class BookWyrmModel(models.Model):
                self.privacy == "direct"
                and self.mention_users.filter(id=viewer.id).first()
            ):
+
                return True

        # you can see groups of which you are a member
@ -89,7 +93,31 @@ class BookWyrmModel(models.Model):
            ):
                return True

-        return False
+        raise Http404()
+
+    def raise_not_editable(self, viewer):
+        """does this user have permission to edit this object? liable to be overwritten
+        by models that inherit this base model class"""
+        if not hasattr(self, "user"):
+            return
+
+        # generally moderators shouldn't be able to edit other people's stuff
+        if self.user == viewer:
+            return
+
+        raise PermissionDenied()
+
+    def raise_not_deletable(self, viewer):
+        """does this user have permission to delete this object? liable to be
+        overwritten by models that inherit this base model class"""
+        if not hasattr(self, "user"):
+            return
+
+        # but generally moderators can delete other people's stuff
+        if self.user == viewer or viewer.has_perm("moderate_post"):
+            return
+
+        raise PermissionDenied()


@receiver(models.signals.post_save)