Merge pull request #2258 from bookwyrm-social/form-perms

Check permissions automatically on form save

bookwyrm/models/antispam.py

@@ -3,18 +3,33 @@ from functools import reduce
 import operator
 
 from django.apps import apps
+from django.core.exceptions import PermissionDenied
 from django.db import models, transaction
 from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 
 from bookwyrm.tasks import app
+from .base_model import BookWyrmModel
 from .user import User
 
 
-class EmailBlocklist(models.Model):
+class AdminModel(BookWyrmModel):
+    """Overrides the permissions methods"""
+
+    class Meta:
+        """this is just here to provide default fields for other models"""
+
+        abstract = True
+
+    def raise_not_editable(self, viewer):
+        if viewer.has_perm("bookwyrm.moderate_user"):
+            return
+        raise PermissionDenied()
+
+
+class EmailBlocklist(AdminModel):
     """blocked email addresses"""
 
-    created_date = models.DateTimeField(auto_now_add=True)
     domain = models.CharField(max_length=255, unique=True)
     is_active = models.BooleanField(default=True)
 
@@ -29,10 +44,9 @@ class EmailBlocklist(models.Model):
         return User.objects.filter(email__endswith=f"@{self.domain}")
 
 
-class IPBlocklist(models.Model):
+class IPBlocklist(AdminModel):
     """blocked ip addresses"""
 
-    created_date = models.DateTimeField(auto_now_add=True)
     address = models.CharField(max_length=255, unique=True)
     is_active = models.BooleanField(default=True)
 
@@ -42,7 +56,7 @@ class IPBlocklist(models.Model):
         ordering = ("-created_date",)
 
 
-class AutoMod(models.Model):
+class AutoMod(AdminModel):
     """rules to automatically flag suspicious activity"""
 
     string_match = models.CharField(max_length=200, unique=True)

bookwyrm/models/report.py

@@ -1,5 +1,7 @@
 """ flagged for moderation """
+from django.core.exceptions import PermissionDenied
 from django.db import models
+
 from bookwyrm.settings import DOMAIN
 from .base_model import BookWyrmModel
 
@@ -21,6 +23,12 @@ class Report(BookWyrmModel):
     links = models.ManyToManyField("Link", blank=True)
     resolved = models.BooleanField(default=False)
 
+    def raise_not_editable(self, viewer):
+        """instead of user being the owner field, it's reporter"""
+        if self.reporter == viewer or viewer.has_perm("bookwyrm.moderate_user"):
+            return
+        raise PermissionDenied()
+
     def get_remote_id(self):
         return f"https://{DOMAIN}/settings/reports/{self.id}"
 

bookwyrm/models/site.py

@@ -3,6 +3,7 @@ import datetime
 from urllib.parse import urljoin
 import uuid
 
+from django.core.exceptions import PermissionDenied
 from django.db import models, IntegrityError
 from django.dispatch import receiver
 from django.utils import timezone
@@ -15,7 +16,23 @@ from .user import User
 from .fields import get_absolute_url
 
 
-class SiteSettings(models.Model):
+class SiteModel(models.Model):
+    """we just need edit perms"""
+
+    class Meta:
+        """this is just here to provide default fields for other models"""
+
+        abstract = True
+
+    # pylint: disable=no-self-use
+    def raise_not_editable(self, viewer):
+        """Check if the user has the right permissions"""
+        if viewer.has_perm("bookwyrm.edit_instance_settings"):
+            return
+        raise PermissionDenied()
+
+
+class SiteSettings(SiteModel):
     """customized settings for this instance"""
 
     name = models.CharField(default="BookWyrm", max_length=100)
@@ -115,7 +132,7 @@ class SiteSettings(models.Model):
         super().save(*args, **kwargs)
 
 
-class Theme(models.Model):
+class Theme(SiteModel):
     """Theme files"""
 
     created_date = models.DateTimeField(auto_now_add=True)
@@ -138,6 +155,13 @@ class SiteInvite(models.Model):
     user = models.ForeignKey(User, on_delete=models.CASCADE)
     invitees = models.ManyToManyField(User, related_name="invitees")
 
+    # pylint: disable=no-self-use
+    def raise_not_editable(self, viewer):
+        """Admins only"""
+        if viewer.has_perm("bookwyrm.create_invites"):
+            return
+        raise PermissionDenied()
+
     def valid(self):
         """make sure it hasn't expired or been used"""
         return (self.expiry is None or self.expiry > timezone.now()) and (
@@ -161,6 +185,12 @@ class InviteRequest(BookWyrmModel):
     invite_sent = models.BooleanField(default=False)
     ignored = models.BooleanField(default=False)
 
+    def raise_not_editable(self, viewer):
+        """Only check perms on edit, not create"""
+        if not self.id or viewer.has_perm("bookwyrm.create_invites"):
+            return
+        raise PermissionDenied()
+
     def save(self, *args, **kwargs):
         """don't create a request for a registered email"""
         if not self.id and User.objects.filter(email=self.email).exists():

bookwyrm/models/user.py

@@ -5,6 +5,7 @@ from urllib.parse import urlparse
 from django.apps import apps
 from django.contrib.auth.models import AbstractUser, Group
 from django.contrib.postgres.fields import ArrayField, CICharField
+from django.core.exceptions import PermissionDenied
 from django.dispatch import receiver
 from django.db import models, transaction
 from django.utils import timezone
@@ -401,6 +402,12 @@ class User(OrderedCollectionPageMixin, AbstractUser):
                 editable=False,
             ).save(broadcast=False)
 
+    def raise_not_editable(self, viewer):
+        """Who can edit the user object?"""
+        if self == viewer or viewer.has_perm("bookwyrm.moderate_user"):
+            return
+        raise PermissionDenied()
+
 
 class KeyPair(ActivitypubMixin, BookWyrmModel):
     """public and private keys for a user"""