From 794db714deb19600d43ec6c10c2b429514def646 Mon Sep 17 00:00:00 2001 From: Alek Ratzloff Date: Sun, 17 Jul 2022 15:32:10 -0700 Subject: [PATCH] Remove can_modify context variable, use is_staff instead For both ban and modify actions, we trust staff users to not abuse otherwise-secret scripts and links. We don't supply "can_modify" context variable anymore and just use user.is_staff instead. The same goes for ban links and scripts. Signed-off-by: Alek Ratzloff --- board/templates/board/base.html | 4 +-- .../templates/board/post_modify_success.html | 33 ------------------- board/templates/board/post_snippet.html | 4 +-- board/views.py | 9 ----- 4 files changed, 2 insertions(+), 48 deletions(-) delete mode 100644 board/templates/board/post_modify_success.html diff --git a/board/templates/board/base.html b/board/templates/board/base.html index 0160acd..6df7da1 100644 --- a/board/templates/board/base.html +++ b/board/templates/board/base.html @@ -12,10 +12,8 @@ - {% if perms.board.add_ban %} + {% if user.is_staff %} - {% endif %} - {% if can_modify %} {% endif %} {% block extrajs %}{% endblock %} diff --git a/board/templates/board/post_modify_success.html b/board/templates/board/post_modify_success.html deleted file mode 100644 index d79b679..0000000 --- a/board/templates/board/post_modify_success.html +++ /dev/null @@ -1,33 +0,0 @@ -{% extends "board/base.html" %} -{% load i18n static %} -{# Title #} -{% block title %}{% translate "Post modify success" %}{% endblock %} -{# Body #} -{% block content %} -
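Review bot: The new `{% if user.is_staff %}` guard in base.html (and the identical one in post_snippet.html) tests a different predicate from the server side, because `PostModifySuccessView.has_permission` in views.py still calls `can_modify(self.request.user)` and the old template check was `perms.board.add_ban`. Unless `can_modify` and the ban view's permission are themselves plain `is_staff` tests (neither is visible here), a staff account without those rights now receives the ban/modify scripts and the `data-ban-url` / `data-modify-url` attributes, while a non-staff account holding `board.add_ban` loses them. The template condition only hides UI, so the ban and modify views must keep enforcing their own checks, and it would be cleaner to have both layers use the same predicate. I would at least record the intent above the guard, e.g. `{# UI hint only: ban/modify views enforce permissions server-side #}`. Separately, post_modify_success.html is deleted while `PostModifySuccessView` stays, so it is worth confirming the view no longer resolves that template.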
- {# We do not use pluralize filter for "seconds" because it's a pain to get it to translate. #} - {% blocktranslate %}Post has been modified. This window will close in {{window_timeout}} second(s).{% endblocktranslate %} -
- - -{% endblock %} \ No newline at end of file diff --git a/board/templates/board/post_snippet.html b/board/templates/board/post_snippet.html index 25dfe68..a9ea41e 100644 --- a/board/templates/board/post_snippet.html +++ b/board/templates/board/post_snippet.html @@ -5,10 +5,8 @@ class="post" data-report-url="{% url 'board:report_form' board.url post.id %}" data-delete-url="{% url 'board:post_delete' post.id %}" - {% if perms.board.add_ban %} + {% if user.is_staff %} data-ban-url="{% url 'board:ban_create' board.url post.id %}" - {% endif %} - {% if can_modify %} data-modify-url="{% url 'board:post_modify' post.id %}" {% endif %} > diff --git a/board/views.py b/board/views.py index 802764a..6c3f21c 100644 --- a/board/views.py +++ b/board/views.py @@ -137,8 +137,6 @@ class BoardView(BoardMixin, TemplateView): kwargs["pages"] = range(1, last_page + 1) kwargs["last_page"] = last_page kwargs["max_upload_size"] = settings.MAX_UPLOAD_SIZE - kwargs["can_modify"] = can_modify(self.request.user) - return super(BoardView, self).get_context_data(**kwargs) @@ -199,11 +197,6 @@ class PostModifySuccessView(PermissionRequiredMixin, ActionSuccessView): def has_permission(self) -> bool: return can_modify(self.request.user) - def get_context_data(self, **kwargs): - context = super().get_context_data(**kwargs) - context["can_modify"] = self.has_permission() - return context - class ReplyCreateView(CreateView): model = Post @@ -248,8 +241,6 @@ class PostView(TemplateView): post_id = self.kwargs["id"] kwargs["post"] = get_object_or_404(Post, id=post_id) kwargs["max_upload_size"] = settings.MAX_UPLOAD_SIZE - kwargs["can_modify"] = can_modify(self.request.user) - return super(PostView, self).get_context_data(**kwargs) def dispatch(self, request, *args, **kwargs):