From 401a971c6a91f780fd3461c22c4e6b6e586387cf Mon Sep 17 00:00:00 2001 From: nathanhilbert Date: Sun, 9 Aug 2015 10:28:05 -0500 Subject: [PATCH] fix permissions for a regular user relates to #236 --- openspending/auth/forum.py | 43 ++++++++++++++----- .../forum/forum/category_layout.html | 8 ---- openspending/templates/forum/forum/forum.html | 6 --- .../templates/forum/forum/report_post.html | 6 +-- 4 files changed, 35 insertions(+), 28 deletions(-) diff --git a/openspending/auth/forum.py b/openspending/auth/forum.py index 0cd8a227..b2d9866e 100644 --- a/openspending/auth/forum.py +++ b/openspending/auth/forum.py @@ -31,6 +31,14 @@ def decorated(*args, **kwargs): return f(*args, **kwargs) return decorated +def authenticated_required(f): + @wraps(f) + def decorated(*args, **kwargs): + if not is_authenticated(current_user): + abort(403) + else: + return f(*args, **kwargs) + return decorated def check_perm(user, perm, forum, post_user_id=None): """Checks if the `user` has a specified `perm` in the `forum` 
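Review bot: In the new `authenticated_required` decorator the `else:` branch is dead weight — `abort(403)` raises, so `return f(*args, **kwargs)` can simply follow the `if`, matching the shape of the decorator just above it in the hunk. Answering an anonymous request with 403 also conflates "not logged in" with "forbidden"; if the application has a login flow, `abort(401)` or a redirect to the login view is the conventional response, and either way the choice deserves a docstring such as `"""Reject the request with 403 unless the current user is authenticated."""`. Nothing else in this patch applies the decorator, so as far as I can see it is unused until a later change wires it to a view.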
@@ -105,36 +113,49 @@ def can_edit_post(user, post): if topic.locked or topic.forum.locked: return False - return check_perm(user=user, perm='editpost', forum=post.topic.forum, - post_user_id=post.user_id) + return is_authenticated(user) and post.user_id==user.id + + # return check_perm(user=user, perm='editpost', forum=post.topic.forum, + # post_user_id=post.user_id) def can_delete_post(user, post): - """Check if the post can be deleted by the user.""" - return check_perm(user=user, perm='deletepost', forum=post.topic.forum, - post_user_id=post.user_id) + """Moderators and owners of the post can delete them""" + if can_moderate(user, topic.forum): + return True + if topic.locked or topic.forum.locked: + return False + return is_authenticated(user) and post.user_id==user.id + # return check_perm(user=user, perm='deletepost', forum=post.topic.forum, + # post_user_id=post.user_id) def can_delete_topic(user, topic): - """Check if the topic can be deleted by the user.""" - return check_perm(user=user, perm='deletetopic', forum=topic.forum, - post_user_id=topic.user_id) + """Only moderators can delete topics""" + if can_moderate(user, topic.forum): + return True + + # return check_perm(user=user, perm='deletetopic', forum=topic.forum, + # post_user_id=topic.user_id) def can_post_reply(user, topic): - """Check if the user is allowed to post in the forum.""" + """If user is authenticated and topic is not locked""" if can_moderate(user, topic.forum): return True if topic.locked or topic.forum.locked: return False - return check_perm(user=user, perm='postreply', forum=topic.forum) + return is_authenticated(user) and not topic.locked + + #return check_perm(user=user, perm='postreply', forum=topic.forum) def can_post_topic(user, forum): """Checks if the user is allowed to create a new topic in the forum.""" - return check_perm(user=user, perm='posttopic', forum=forum) + return is_authenticated(user) and not forum.locked + # return check_perm(user=user, perm='posttopic', 
forum=forum) # Moderator permission checks diff --git a/openspending/templates/forum/forum/category_layout.html b/openspending/templates/forum/forum/category_layout.html index 54cb6f7d..2d151617 100644 --- a/openspending/templates/forum/forum/category_layout.html +++ b/openspending/templates/forum/forum/category_layout.html @@ -55,14 +55,6 @@ {% autoescape false %} {{ forum.description|markup }} {% endautoescape %} - {% if forum.show_moderators %} -
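Review bot: `can_delete_post` uses `topic` without ever binding it — unlike `can_edit_post`, whose body begins above the hunk and evidently has a `topic` local, nothing in this function assigns one, so `can_moderate(user, topic.forum)` raises `NameError` on every call; add `topic = post.topic` as the first statement of the body. `can_delete_topic` now falls off the end for non-moderators and yields `None` instead of `False`; add an explicit `return False` after the moderator check so templates and callers get a real boolean. The switch from `check_perm` to bare ownership/authentication tests also discards whatever per-forum rules that helper enforced (its body is not visible here), and `can_post_topic` lacks the `can_moderate` short-circuit the sibling checks have, so moderators can no longer open topics in a locked forum; if both are intentional, delete the commented-out `check_perm` calls rather than leaving them as dead code.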
- Moderators: - {% for moderator in forum.moderators %} - {% if not loop.last %}, {% endif %} - {% endfor %} -
- {% endif %} diff --git a/openspending/templates/forum/forum/forum.html b/openspending/templates/forum/forum/forum.html index 3c3d7439..b252c2f6 100644 --- a/openspending/templates/forum/forum/forum.html +++ b/openspending/templates/forum/forum/forum.html @@ -17,12 +17,6 @@ {% if current_user|post_topic(forum) %}
-
- - -
{% if forum.locked %} diff --git a/openspending/templates/forum/forum/report_post.html b/openspending/templates/forum/forum/report_post.html index 3ae9b560..3dd79eab 100644 --- a/openspending/templates/forum/forum/report_post.html +++ b/openspending/templates/forum/forum/report_post.html @@ -11,11 +11,11 @@
{{ form.hidden_tag() }} -

{% trans %}Report Post{% endtrans %}

+

Report Post

{{ render_field(form.reason) }} - - {% trans %}Close{% endtrans %} + + Close
{% endblock %}
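Review bot: The replacement lines drop the `{% trans %}…{% endtrans %}` wrapping around "Report Post" and the "Close" label, removing both strings from the translation catalogue, which a commit about regular-user permissions does not explain. If the i18n extension is genuinely not loaded in this app's Jinja environment (a plausible reason, but not visible here), say so in the commit message; otherwise keep `{% trans %}Report Post{% endtrans %}` and `{% trans %}Close{% endtrans %}` on the new lines. The surrounding HTML tags are not legible in this rendering, so the rest of the changed markup could not be reviewed.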