flash("Cannot delete thread opening post!", "danger")
return redirect(thread.getViewURL())
- if not thread.checkPerm(current_user, Permission.DELETE_REPLY):
+ if not reply.checkPerm(current_user, Permission.DELETE_REPLY):
abort(403)
if request.method == "GET":
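Review bot: The permission check now runs on `reply`, while the redirect two lines above still uses `thread`, and nothing in this hunk shows the two being tied together. The lookup is outside the hunk, so this may already be handled. Since the route takes both `id` and `reply` (see the template's `url_for`), it is worth confirming that the view rejects a reply belonging to a different thread before calling `reply.checkPerm(...)`, for example `if reply is None or reply.thread != thread: abort(404)`. Without that, the opening-post test inside `ThreadReply.checkPerm` is evaluated against the reply's own thread rather than the one the view loaded.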
def checkPerm(self, user, perm):
if not user.is_authenticated:
- return not self.private
+ return perm == Permission.SEE_THREAD and not self.private
if type(perm) == str:
perm = Permission[perm]
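Review bot: The new anonymous branch compares `perm` with `Permission.SEE_THREAD` before the `type(perm) == str` conversion two lines below. A caller that passes the permission by name (the templates do, e.g. `"DELETE_REPLY"`) is therefore refused even on a public thread, unless `Permission` members happen to compare equal to their names. This fails closed, so it is a functional regression rather than an exposure, but it makes the result depend on the argument's type. Moving the conversion first fixes it: `if type(perm) == str: perm = Permission[perm]` and only then `if not user.is_authenticated:`. The rest of `checkPerm` lies outside this hunk.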
elif perm == Permission.COMMENT_THREAD:
return canSee and (not self.locked or user.rank.atLeast(UserRank.MODERATOR))
- elif perm == Permission.LOCK_THREAD or perm == Permission.DELETE_REPLY:
+ elif perm == Permission.LOCK_THREAD:
return user.rank.atLeast(UserRank.MODERATOR)
else:
author_id = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
+ def checkPerm(self, user, perm):
+ if not user.is_authenticated:
+ return False
+
+ if type(perm) == str:
+ perm = Permission[perm]
+ elif type(perm) != Permission:
+ raise Exception("Unknown permission given to ThreadReply.checkPerm()")
+
+ if perm == Permission.DELETE_REPLY:
+ return user.rank.atLeast(UserRank.MODERATOR) and self.thread.replies[0] != self
+
+ else:
+ raise Exception("Permission {} is not related to threads".format(perm.name))
+
class PackageReview(db.Model):
id = db.Column(db.Integer, primary_key=True)
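Review bot: The opening-post guard in the `DELETE_REPLY` branch depends on `self.thread.replies[0]` being the first post, which holds only if the `replies` relationship is explicitly ordered. Its definition is not in this hunk, so please confirm it has an `order_by` and record the assumption with a comment such as `# replies[0] is the opening post; relies on Thread.replies being ordered by creation`. The final `raise` says "not related to threads" although this is the reply model; `"Permission {} is not related to replies"` would point the reader at the right class. A one-line docstring noting that anonymous users are always denied here would also help, since `Thread.checkPerm` treats them differently.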
</div>
<div class="card-body">
- {% if r != thread.replies[0] and thread.checkPerm(current_user, "DELETE_REPLY") %}
+ {% if r.checkPerm(current_user, "DELETE_REPLY") %}
<a class="float-right btn btn-secondary btn-sm"
href="{{ url_for('threads.delete_reply', id=thread.id, reply=r.id) }}">
<i class="fas fa-trash"></i>