From 7fb2f3170c067e7869bfb19f29da5f4d41762f34 Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Wed, 15 Jul 2020 19:54:33 +0100
Subject: [PATCH] Allow Editors to edit tags

---
 app/blueprints/admin/tagseditor.py | 16 +++++++++++++---
 app/models.py                      | 13 +++++++++++++
 app/template_filters.py            | 10 ++++++----
 app/templates/base.html            | 15 +++++++++++----
 4 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/app/blueprints/admin/tagseditor.py b/app/blueprints/admin/tagseditor.py
index 70328bd..39d69e8 100644
--- a/app/blueprints/admin/tagseditor.py
+++ b/app/blueprints/admin/tagseditor.py
@@ -25,8 +25,11 @@ from wtforms.validators import *
 from app.utils import rank_required
 
 @bp.route("/tags/")
-@rank_required(UserRank.MODERATOR)
+@login_required
 def tag_list():
+	if not Permission.EDIT_TAGS.check(current_user):
+		abort(403)
+
 	return render_template("admin/tags/list.html", tags=Tag.query.order_by(db.asc(Tag.title)).all())
 
 class TagForm(FlaskForm):
@@ -36,7 +39,7 @@ class TagForm(FlaskForm):
 
 @bp.route("/tags/new/", methods=["GET", "POST"])
 @bp.route("/tags/<name>/edit/", methods=["GET", "POST"])
-@rank_required(UserRank.MODERATOR)
+@login_required
 def create_edit_tag(name=None):
 	tag = None
 	if name is not None:
@@ -44,6 +47,9 @@ def create_edit_tag(name=None):
 		if tag is None:
 			abort(404)
 
+	if not Permission.checkPerm(current_user, Permission.EDIT_TAGS if tag else Permission.CREATE_TAG):
+		abort(403)
+
 	form = TagForm(formdata=request.form, obj=tag)
 	if request.method == "POST" and form.validate():
 		if tag is None:
@@ -52,6 +58,10 @@ def create_edit_tag(name=None):
 		else:
 			form.populate_obj(tag)
 		db.session.commit()
-		return redirect(url_for("admin.create_edit_tag", name=tag.name))
+
+		if Permission.EDIT_TAGS.check(current_user):
+			return redirect(url_for("admin.create_edit_tag", name=tag.name))
+		else:
+			return redirect(url_for("homepage.home"))
 
 	return render_template("admin/tags/edit.html", tag=tag, form=form)
diff --git a/app/models.py b/app/models.py
index 711d9fd..e6ff6f0 100644
--- a/app/models.py
+++ b/app/models.py
@@ -84,6 +84,8 @@ class Permission(enum.Enum):
 	APPROVE_SCREENSHOT = "APPROVE_SCREENSHOT"
 	APPROVE_RELEASE    = "APPROVE_RELEASE"
 	APPROVE_NEW        = "APPROVE_NEW"
+	EDIT_TAGS          = "EDIT_TAGS"
+	CREATE_TAG         = "CREATE_TAG"
 	CHANGE_RELEASE_URL = "CHANGE_RELEASE_URL"
 	CHANGE_USERNAMES   = "CHANGE_USERNAMES"
 	CHANGE_RANK        = "CHANGE_RANK"
@@ -111,11 +113,22 @@ class Permission(enum.Enum):
 				self == Permission.APPROVE_CHANGES    or \
 				self == Permission.APPROVE_RELEASE    or \
 				self == Permission.APPROVE_SCREENSHOT or \
+				self == Permission.EDIT_TAGS or \
+				self == Permission.CREATE_TAG or \
 				self == Permission.SEE_THREAD:
 			return user.rank.atLeast(UserRank.EDITOR)
 		else:
 			raise Exception("Non-global permission checked globally. Use Package.checkPerm or User.checkPerm instead.")
 
+	@staticmethod
+	def checkPerm(user, perm):
+		if type(perm) == str:
+			perm = Permission[perm]
+		elif type(perm) != Permission:
+			raise Exception("Unknown permission given to Permission.check")
+
+		return perm.check(user)
+
 def display_name_default(context):
     return context.get_current_parameters()["username"]
 
diff --git a/app/template_filters.py b/app/template_filters.py
index 14a10c6..574c1b1 100644
--- a/app/template_filters.py
+++ b/app/template_filters.py
@@ -1,14 +1,16 @@
 from . import app
+from .models import Permission
 from .utils import abs_url_for, url_set_query
 from urllib.parse import urlparse
 
 @app.context_processor
 def inject_debug():
-    return dict(debug=app.debug)
+	return dict(debug=app.debug)
 
 @app.context_processor
 def inject_functions():
-    return dict(abs_url_for=abs_url_for, url_set_query=url_set_query)
+	check_global_perm = Permission.checkPerm
+	return dict(abs_url_for=abs_url_for, url_set_query=url_set_query, check_global_perm=check_global_perm)
 
 @app.template_filter()
 def throw(err):
@@ -20,8 +22,8 @@ def domain(url):
 
 @app.template_filter()
 def date(value):
-    return value.strftime("%Y-%m-%d")
+	return value.strftime("%Y-%m-%d")
 
 @app.template_filter()
 def datetime(value):
-    return value.strftime("%Y-%m-%d %H:%M") + " UTC"
+	return value.strftime("%Y-%m-%d %H:%M") + " UTC"
diff --git a/app/templates/base.html b/app/templates/base.html
index 67d8351..c9be4a2 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -92,15 +92,22 @@
 								<li class="nav-item">
 									<a class="nav-link" href="{{ url_for('todo.topics') }}">{{ _("All unadded topics") }}</a>
 								</li>
+
 								{% if current_user.rank.atLeast(current_user.rank.MODERATOR) %}
 									<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.audit') }}">{{ _("Audit Log") }}</a></li>
 								{% endif %}
+
 								{% if current_user.rank == current_user.rank.ADMIN %}
 									<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.admin_page') }}">{{ _("Admin") }}</a></li>
-								{% endif %}
-								{% if current_user.rank == current_user.rank.MODERATOR %}
-									<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.tag_list') }}">{{ _("Tag Editor") }}</a></li>
-									<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.license_list') }}">{{ _("License Editor") }}</a></li>
+								{% else %}
+									{% if check_global_perm(current_user, "EDIT_TAGS") %}
+										<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.tag_list') }}">{{ _("Tag Editor") }}</a></li>
+									{% elif check_global_perm(current_user, "CREATE_TAG") %}
+										<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.create_edit_tag') }}">{{ _("Create Tag") }}</a></li>
+									{% endif %}
+									{% if current_user.rank == current_user.rank.MODERATOR %}
+										<li class="nav-item"><a class="nav-link" href="{{ url_for('admin.license_list') }}">{{ _("License Editor") }}</a></li>
+									{% endif %}
 								{% endif %}
 								<li class="nav-item"><a class="nav-link" href="{{ url_for('user.logout') }}">{{ _("Sign out") }}</a></li>
 							</ul>
-- 
2.44.0