Fix permissions

2020-06-08 23:41:11 +02:00 · 2020-06-08 23:41:11 +02:00 · d1de7715d7
commit d1de7715d7
parent e3498de8b9
2 changed files with 10 additions and 3 deletions
--- a/app/templates/album/index.html
+++ b/app/templates/album/index.html
@ -14,8 +14,10 @@
                </div>
            </li>
        {% endfor %}
-        <li class="gallery__entry gallery__entry--action">
-            <a href="{% url 'add_album' %}" class="stretched-link">dodaj +</a>
-        </li>
+        {% if user.is_authenticated %}
+            <li class="gallery__entry gallery__entry--action">
+                <a href="{% url 'add_album' %}" class="stretched-link">dodaj +</a>
+            </li>
+        {% endif %}
    </ul>
 {% endblock content %}
--- a/app/views.py
+++ b/app/views.py
@ -5,6 +5,7 @@ from django.contrib.auth.forms import UserCreationForm as RegisterForm
 from django.core.exceptions import PermissionDenied
 from django.views.decorators.http import require_http_methods
 from django.views.decorators.csrf import csrf_exempt
+from django.contrib.auth.decorators import login_required
 from app.forms import PhotoEditForm

 def register(request):
@ -38,6 +39,7 @@ def photo(request, photo_id, album_id):

    return render(request, "album/photo.html", locals())

+@login_required
 def add_album(request):
    if request.method == 'POST':
        form = AlbumForm(request.POST, request.FILES)
@ -55,6 +57,9 @@ def add_album(request):
 def add_photo(request, album_id):
    album = get_object_or_404(Album, pk=album_id)

+    if not album.is_owned_by(request.user):
+        raise PermissionDenied()
+
    if request.method == 'POST':
        form = PhotoForm(request.POST, request.FILES)