-rw-r--r-- | pyaggr3g470r/views.py | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/pyaggr3g470r/views.py b/pyaggr3g470r/views.py
index 1bf08683..3a6f35d9 100644
--- a/pyaggr3g470r/views.py
+++ b/pyaggr3g470r/views.py
@@ -94,6 +94,25 @@ def redirect_url(default='index'):
+from functools import wraps
+def feed_access_required(func):
+ """
+ This decorator enables to check if a user has access to a feed.
+ """
+ #print("Now decorating %s" % func)
+ @wraps(func)
+ def decorated(*args, **kwargs):
+ #print("Now calling %s with %s,%s" % (func, args, kwargs))
+ feed = Feed.query.filter(Feed.id == kwargs['feed_id']).first()
+ if feed == None or feed.subscriber.id != g.user.id:
+ flash("This feed do not exist.", "danger")
+ return redirect(url_for('home'))
+ return func(*args, **kwargs)
+ return decorated
+
+
+
+
 #
 # Views.
@@ -466,15 +485,12 @@ def history():
 @app.route('/create_feed/', methods=['GET', 'POST'])
 @app.route('/edit_feed/<int:feed_id>', methods=['GET', 'POST'])
 @login_required
+@feed_access_required
 def edit_feed(feed_id=None):
 """
 Add or edit a feed.
 """
 feed = Feed.query.filter(Feed.id == feed_id).first()
- if feed != None and feed.subscriber.id != g.user.id:
- flash("Not authorized", "error")
- return redirect(redirect_url())
-
 form = AddFeedForm()
 if request.method == 'POST':
@@ -512,6 +528,7 @@ def edit_feed(feed_id=None):
 @app.route('/delete_feed/<feed_id>', methods=['GET'])
 @login_required
+@feed_access_required
 def delete_feed(feed_id=None):
 """
 Delete a feed with all associated articles. |
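Review bot: `kwargs['feed_id']` inside `decorated` raises KeyError whenever the wrapped view is reached through a route that carries no `feed_id` variable, and the second hunk keeps exactly such a route on `edit_feed` (`/create_feed/`), so creating a feed turns into a 500 once the decorator is applied. The check the commit removes from `edit_feed` deliberately tolerated a missing feed (`feed != None and ...`); the decorator should read `kwargs.get('feed_id')`, fall through to the view when it is None, and only then run the ownership test. While there, `feed == None` should be `feed is None`, the two commented-out `print` lines can go, and the flash text reads better as `"This feed does not exist."` (keeping one message for both "missing" and "not yours" is the right choice, since the response then does not distinguish the two cases). The docstring should also state that the decorator reads `g.user`, i.e. it has to sit below `@login_required`.
```python
    @wraps(func)
    def decorated(*args, **kwargs):
        feed_id = kwargs.get('feed_id')
        if feed_id is None:
            # no feed in the URL (e.g. /create_feed/): nothing to authorise here
            return func(*args, **kwargs)
        feed = Feed.query.filter(Feed.id == feed_id).first()
        if feed is None or feed.subscriber.id != g.user.id:
            # one message for "missing" and "not yours": the response does not reveal which
            flash("This feed does not exist.", "danger")
            return redirect(url_for('home'))
        return func(*args, **kwargs)
    return decorated
```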
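Review bot: The decorator order on `edit_feed` matters and nothing documents it: `@feed_access_required` dereferences `g.user.id`, so it only works because it sits below `@login_required`, which is the outer wrapper and therefore runs first for an anonymous request; swapping the two lines would turn an unauthenticated hit into an AttributeError instead of a login redirect, and the same applies to `delete_feed` in the third hunk. A one-line comment above the new decorator line, `# keep below @login_required: the access check reads g.user`, would stop that invariant from being lost in a later edit. Note also that `edit_feed` still issues its own `Feed.query` right after the decorator has loaded and checked the same row; the function body continues outside the hunk, so whether the second lookup can be dropped is not visible here.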
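Review bot: The route the decorator now guards is `'/delete_feed/<feed_id>'` without an `int:` converter, so `feed_id` reaches `Feed.query.filter(Feed.id == kwargs['feed_id'])` as a string, unlike the `<int:feed_id>` route on `edit_feed`; `@app.route('/delete_feed/<int:feed_id>', methods=['GET'])` makes the router answer 404 to a non-numeric id before any query is run and keeps the two views consistent. Separately, a delete that fires on a plain GET is reachable from any cross-site link or image once the user is logged in; the ownership check added here does not change that, so the route should eventually move to POST with a CSRF token. `delete_feed`'s body continues outside the hunk.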