Fix permissions

Kacper Donat 2020-06-08 23:41:11 +02:00
parent e3498de8b9
commit d1de7715d7
2 changed files with 10 additions and 3 deletions


@ -14,8 +14,10 @@
</div> </div>
</li> </li>
{% endfor %} {% endfor %}
{% if user.is_authenticated %}
<li class="gallery__entry gallery__entry--action"> <li class="gallery__entry gallery__entry--action">
<a href="{% url 'add_album' %}" class="stretched-link">dodaj +</a> <a href="{% url 'add_album' %}" class="stretched-link">dodaj +</a>
</li> </li>
{% endif %}
</ul> </ul>
{% endblock content %} {% endblock content %}
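Review bot: The `{% if user.is_authenticated %}` wrapper around the `add_album` link only hides the entry in the page and is not itself an access control; the enforcement is the `@login_required` that this commit adds to the view. A short template comment such as `{# UI hint only; access is enforced by @login_required on add_album #}` above the `{% if %}` would keep a later edit from treating the template condition as the check.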


@ -5,6 +5,7 @@ from django.contrib.auth.forms import UserCreationForm as RegisterForm
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.views.decorators.http import require_http_methods from django.views.decorators.http import require_http_methods
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth.decorators import login_required
from app.forms import PhotoEditForm from app.forms import PhotoEditForm
def register(request): def register(request):
@ -38,6 +39,7 @@ def photo(request, photo_id, album_id):
return render(request, "album/photo.html", locals()) return render(request, "album/photo.html", locals())
@login_required
def add_album(request): def add_album(request):
if request.method == 'POST': if request.method == 'POST':
form = AlbumForm(request.POST, request.FILES) form = AlbumForm(request.POST, request.FILES)
@ -55,6 +57,9 @@ def add_album(request):
def add_photo(request, album_id): def add_photo(request, album_id):
album = get_object_or_404(Album, pk=album_id) album = get_object_or_404(Album, pk=album_id)
if not album.is_owned_by(request.user):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = PhotoForm(request.POST, request.FILES) form = PhotoForm(request.POST, request.FILES)
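Review bot: `add_photo` gets an ownership check but, unlike `add_album`, no `@login_required`, so an anonymous request reaches `album.is_owned_by(request.user)` with an `AnonymousUser` and gets a 403 instead of a redirect to the login page. Whether `is_owned_by` handles that object safely is not visible here; adding `@login_required` above `def add_photo(request, album_id):` would make the two views consistent and keep the ownership test to authenticated users. The `PhotoEditForm` import suggests an edit view exists elsewhere in this file; if so, it presumably needs the same `if not album.is_owned_by(request.user): raise PermissionDenied()` guard, which this commit does not show. The body of `add_photo` continues outside the hunk.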