only allow interactive publish for the current user page. for #351

publish.py

@@ -76,6 +76,13 @@ class Handler(webmention.WebmentionHandler):
   """
   PREVIEW = None
 
+  def authorize(self):
+    """Returns True if the current user is authorized for this request.
+
+    Otherwise, should call self.error() to provide an appropriate error message.
+    """
+    return True
+
   def source_url(self):
     return util.get_required_param(self, 'source')
 
@@ -189,7 +196,9 @@ def _run(self):
         if self.entity.published:
           break
         if result.abort:
-          return self.error(result.error_plain, html=result.error_html, data=item)
+          if result.error_plain:
+            self.error(result.error_plain, html=result.error_html, data=item)
+          return
         # try the next item
         for embedded in ('rsvp', 'invitee', 'repost', 'repost-of', 'like',
                          'like-of', 'in-reply-to'):
@@ -265,6 +274,9 @@ def attempt_single_item(self, item):
     if omit_link is None:
       omit_link = 'bridgy-omit-link' in props
 
+    if not self.authorize():
+      return as_source.creation_result(abort=True)
+
     if self.PREVIEW:
       result = self.source.as_source.preview_create(
         obj, include_link=not omit_link)
@@ -425,9 +437,18 @@ class PreviewHandler(Handler):
 
   def post(self):
     result = self._run()
-    if result:
+    if result and result.content:
       self.response.write(result.content)
 
+  def authorize(self):
+    from_source = ndb.Key(urlsafe=util.get_required_param(self, 'source_key'))
+    if from_source != self.source.key:
+      self.error('Try publishing that page from <a href="%s">%s</a> instead.' %
+                 (self.source.bridgy_path(), self.source.label()))
+      return False
+
+    return True
+
   def omit_link(self):
     # always use query param because there's a checkbox in the UI
     return self.request.get('bridgy_omit_link') in ('', 'true')

publish_test.py

@@ -38,6 +38,7 @@ def get_response(self, source=None, target=None, preview=False, params=None):
     params.update({
       'source': source or 'http://foo.com/bar',
       'target': target or 'http://brid.gy/publish/fake',
+      'source_key': self.source.key.urlsafe(),
       })
 
     return publish.application.get_response(

static/bridgy.js

@@ -56,8 +56,9 @@ function do_preview(site) {
 
   preview.innerHTML = '<img src="/static/spinner.gif" width="30" />';
   req.open('post', '/publish/preview?source=' + encodeURIComponent(url) +
-    '&target=http://brid.gy/publish/' + site + '&bridgy_omit_link=' +
-    !document.getElementById('include-link-checked').checked);
+    '&target=http://brid.gy/publish/' + site +
+    '&bridgy_omit_link=' + !document.getElementById('include-link-checked').checked +
+    '&source_key=' + document.getElementById('source_key').value);
   req.send();
 }
 

templates/social_user.html

@@ -112,6 +112,7 @@
 <p id="preview-ui">
  <label id="source-label" for="source-url">Enter post URL:</label>
  <input id="source-url" name="source" type="url" required alt="Source URL"></input>
+ <input id="source_key" name="source_key" type="hidden" value="{{ source.key.urlsafe }}" />
  <input name="target" type="hidden"
         value="http://brid.gy/publish/{{ source.SHORT_NAME }}"></input>