From a41edc1483912d218df45c44dcddaf9cbb869a31 Mon Sep 17 00:00:00 2001
From: kaiyou <pierre@jaury.eu>
Date: Sun, 20 Dec 2020 11:31:34 +0100
Subject: [PATCH] Fix permissions for profile transitions
---
 hiboo/account/templates/account_profiles.html | 2 +-
 hiboo/models.py | 4 ++--
 hiboo/profile/templates/profile_details.html | 4 ++--
 hiboo/profile/views.py | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hiboo/account/templates/account_profiles.html b/hiboo/account/templates/account_profiles.html
index 5166bb1..3084397 100644
--- a/hiboo/account/templates/account_profiles.html
+++ b/hiboo/account/templates/account_profiles.html
@@ -42,7 +42,7 @@
 </a>
 </li>
 {% endif %}
-{% if "delete" in profile.transitions() %}
+{% if "delete" in profile.transitions(current_user) %}
 <li><a href="{{ url_for("profile.start_transition", profile_uuid=profile.uuid, transition="delete") }}"><i class="fa fa-trash"></i> {% trans %}Delete this profile{% endtrans %}</a></li>
 {% endif %}
 </ul>
diff --git a/hiboo/models.py b/hiboo/models.py
index 0c49c77..ec22bac 100644
--- a/hiboo/models.py
+++ b/hiboo/models.py
@@ -234,11 +234,11 @@ class Profile(db.Model):
             user_uuid=user.uuid,
         ).filter(cls.status.in_((cls.ACTIVE, cls.BLOCKED, cls.REQUEST)))
 
-    def transitions(self, is_admin=False):
+    def transitions(self, actor):
         return {
             name: transition for name, transition in Profile.TRANSITIONS.items()
             if transition[0] == self.status and not self.transition_step
-            and (is_admin or not transition[3])
+            and (actor.is_admin or (self.uuid == actor.uuid and not transition[3]))
         }
 
     def transition_delta(self, formatted=False):
diff --git a/hiboo/profile/templates/profile_details.html b/hiboo/profile/templates/profile_details.html
index 03e2ed2..652d979 100644
--- a/hiboo/profile/templates/profile_details.html
+++ b/hiboo/profile/templates/profile_details.html
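Review bot: The new ownership test `self.uuid == actor.uuid` on the `and (actor.is_admin or (...))` line in models.py compares the profile's own uuid with the acting user's uuid, so for a non-admin it can only be true if a profile and a user happen to share a uuid; the context line `user_uuid=user.uuid,` just above suggests the owner link is `user_uuid`, so the intended check is most likely `and (actor.is_admin or (self.user_uuid == actor.uuid and not transition[3]))`. As written, the transitions not flagged by `transition[3]` would never be listed by the updated templates in account_profiles.html and profile_details.html, and `start_transition` in views.py would answer 403 to the profile's owner. `actor` is also dereferenced unconditionally now; if an unauthenticated `current_user` can reach any of these templates it may lack `is_admin` and `uuid`, which is worth confirming against the route guards. A short docstring would make the contract explicit, e.g. `"""Return the transitions *actor* may trigger from the current status (all of them for an admin; for the owner only those not flagged by transition[3])."""`.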
@@ -34,7 +34,7 @@
 </div>
 <div class="box-body">
 <dl class="dl-horizontal">
-{% for transition, (_, _, _, _, label) in profile.transitions().items() %}
+{% for transition, (_, _, _, _, label) in profile.transitions(current_user).items() %}
 <dt><a href="{{ url_for("profile.start_transition", profile_uuid=profile.uuid, transition=transition) }}">{{ label | capitalize }}</a></dt>
 <dd>{{ label | capitalize }} {% trans %}the profile{% endtrans %}</dd>
 {% endfor %}
@@ -57,7 +57,7 @@
 {% endblock %}
 {% block actions %}
-{% for transition, (_, _, _, _, label) in profile.transitions().items() %}
+{% for transition, (_, _, _, _, label) in profile.transitions(current_user).items() %}
 <a href="{{ url_for("profile.start_transition", profile_uuid=profile.uuid, transition=transition) }}" class="btn btn-info">{{ label | capitalize }}</a>
 {% endfor %}
 {% endblock %}
diff --git a/hiboo/profile/views.py b/hiboo/profile/views.py
index d3c2e63..2814a97 100644
--- a/hiboo/profile/views.py
+++ b/hiboo/profile/views.py
@@ -181,7 +181,7 @@ def action(profile_uuid, action):
 @security.confirmation_required("change the profile status")
 def start_transition(profile_uuid, transition):
     profile = models.Profile.query.get(profile_uuid) or flask.abort(404)
-    profile.transitions(flask_login.current_user.is_admin).get(transition) or flask.abort(403)
+    profile.transitions(flask_login.current_user).get(transition) or flask.abort(403)
     profile.set_transition(transition, flask_login.current_user)
     models.db.session.commit()
     flask.flash(_("Profile status change was requested"), "success")
-- 
GitLab