Remove can_modify context variable, use is_staff instead

For both ban and modify actions, we trust staff users to not abuse
otherwise-secret scripts and links. We don't supply "can_modify" context
variable anymore and just use user.is_staff instead. The same goes for
ban links and scripts.

Signed-off-by: Alek Ratzloff <alekratz@gmail.com>

board/templates/board/base.html

@@ -12,10 +12,8 @@
         <script src="{% static 'board/jquery.js' %}"></script>
         <script src="{% static 'board/jsframe.min.js' %}"></script>
         <script src="{% static 'board/post.js' %}"></script>
-        {% if perms.board.add_ban %}
+        {% if user.is_staff %}
             <script src="{% static 'board/ban.js' %}"></script>
-        {% endif %}
-        {% if can_modify %}
             <script src="{% static 'board/modify.js' %}"></script>
         {% endif %}
         {% block extrajs %}{% endblock %}

board/templates/board/post_modify_success.html

@@ -1,33 +0,0 @@
-{% extends "board/base.html" %}
-{% load i18n static %}
-{# Title #}
-{% block title %}{% translate "Post modify success" %}{% endblock %}
-{# Body #}
-{% block content %}
-<div class="row" id="message">
-    {# We do not use pluralize filter for "seconds" because it's a pain to get it to translate. #}
-    {% blocktranslate %}Post has been modified. This window will close in {{window_timeout}} second(s).{% endblocktranslate %}
-</div>
-
-<script>
-function isIframe() {
-    try {
-        return window.self !== window.top;
-    } catch (_) {
-        return true;
-    }
-}
-
-setTimeout(function() {
-    if(isIframe()) {
-        let modifyWindow = getModifyWindow();
-        if(modifyWindow) {
-            modifyWindow.closeFrame();
-        }
-    } else {
-        window.close();
-    }
-}, 1000 * {{window_timeout}});
-
-</script>
-{% endblock %}

board/templates/board/post_snippet.html

@@ -5,10 +5,8 @@
     class="post"
     data-report-url="{% url 'board:report_form' board.url post.id %}"
     data-delete-url="{% url 'board:post_delete' post.id %}"
-    {% if perms.board.add_ban %}
+    {% if user.is_staff %}
     data-ban-url="{% url 'board:ban_create' board.url post.id %}"
-    {% endif %}
-    {% if can_modify %}
     data-modify-url="{% url 'board:post_modify' post.id %}"
     {% endif %}
     >

board/views.py

@@ -137,8 +137,6 @@ class BoardView(BoardMixin, TemplateView):
         kwargs["pages"] = range(1, last_page + 1)
         kwargs["last_page"] = last_page
         kwargs["max_upload_size"] = settings.MAX_UPLOAD_SIZE
-        kwargs["can_modify"] = can_modify(self.request.user)
-
         return super(BoardView, self).get_context_data(**kwargs)
 
 
@@ -199,11 +197,6 @@ class PostModifySuccessView(PermissionRequiredMixin, ActionSuccessView):
     def has_permission(self) -> bool:
         return can_modify(self.request.user)
 
-    def get_context_data(self, **kwargs):
-        context = super().get_context_data(**kwargs)
-        context["can_modify"] = self.has_permission()
-        return context
-
 
 class ReplyCreateView(CreateView):
     model = Post
@@ -248,8 +241,6 @@ class PostView(TemplateView):
         post_id = self.kwargs["id"]
         kwargs["post"] = get_object_or_404(Post, id=post_id)
         kwargs["max_upload_size"] = settings.MAX_UPLOAD_SIZE
-        kwargs["can_modify"] = can_modify(self.request.user)
-
         return super(PostView, self).get_context_data(**kwargs)
 
     def dispatch(self, request, *args, **kwargs):