Add user post deletion

Users can delete their posts as long as they don't clear their cookies, and as long as server-side user sessions are persistent. Signed-off-by: Alek Ratzloff <alekratz@gmail.com>
2022-07-13 21:28:07 -07:00
parent 96e8b7752f
commit a4f00e6242
5 changed files with 39 additions and 2 deletions
--- a/board/views.py
+++ b/board/views.py
@@ -8,7 +8,7 @@ from django.http import Http404, HttpResponseRedirect
 from django.http.request import QueryDict
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
-from django.views.generic import detail, edit
+from django.views.generic import edit
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone

@@ -147,6 +147,10 @@ class PostCreateView(CreateView):
    def get_form_kwargs(self):
        kwargs = super(PostCreateView, self).get_form_kwargs()
        kwargs["user"] = self.request.user
+        if "user_token" not in self.request.session:
+            # Generate a user token
+            self.request.session["user_token"] = generate_user_token()
+        kwargs["user_token"] = self.request.session["user_token"]
        return kwargs

    def get_success_url(self) -> str:
@@ -213,6 +217,10 @@ class ReplyCreateView(CreateView):
        post = get_object_or_404(Post, id=post_id)
        kwargs["op"] = post
        kwargs["user"] = self.request.user
+        if "user_token" not in self.request.session:
+            # Generate a user token
+            self.request.session["user_token"] = generate_user_token()
+        kwargs["user_token"] = self.request.session["user_token"]
        return kwargs

    def get_success_url(self) -> str:
@@ -256,6 +264,13 @@ class PostDeleteView(PermissionRequiredMixin, edit.DeleteView):
    success_url = reverse_lazy("board:post_delete_success")
    raise_exception = True

+    def has_permission(self) -> bool:
+        object = self.get_object()
+        user_token = self.request.session.get("user_token", None)
+        return self.request.user.has_perm("board.delete_post") or (
+            user_token and object.user_token == user_token
+        )
+
    def form_valid(self, form):
        success_url = self.get_success_url()
        if form["image_only"].value() != "0":