social-area page and profile page update

app/corpora/decorators.py

@@ -3,27 +3,24 @@ from flask_login import current_user
 from functools import wraps
 from app.models import Corpus, CorpusFollowerAssociation
 
-def corpus_follower_permission_required(permissions):
+def corpus_follower_permission_required(*permissions):
     def decorator(f):
         @wraps(f)
         def decorated_function(*args, **kwargs):
             corpus_id = kwargs.get('corpus_id')
             corpus = Corpus.query.get_or_404(corpus_id)
             if current_user == corpus.user or current_user.is_administrator():
-                print('user or admin')
                 return f(*args, **kwargs)
             if not current_user.is_following_corpus(corpus):
-                print('not following corpus')
                 abort(403)
             corpus_follower_association = CorpusFollowerAssociation.query.filter_by(corpus_id=corpus_id, follower_id=current_user.id).first_or_404()
-            for permission in permissions:
-                if not corpus_follower_association.role.has_permission(permission):
-                    abort(403)
+            if not all([corpus_follower_association.role.has_permission(p) for p in permissions]):
+                abort(403)
             return f(*args, **kwargs)
         return decorated_function
     return decorator
 
-def owner_or_admin_required():
+def corpus_owner_or_admin_required():
     def decorator(f):
         @wraps(f)
         def decorated_function(*args, **kwargs):

app/corpora/routes.py

@@ -15,7 +15,7 @@ from flask_login import current_user, login_required
 from threading import Thread
 import jwt
 import os
-from .decorators import corpus_follower_permission_required, owner_or_admin_required
+from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required
 from app import db, hashids
 from app.models import (
     Corpus,
@@ -33,12 +33,6 @@ from .forms import (
     UpdateCorpusFileForm
 )
 
-@bp.route('/<hashid:corpus_id>/test')
-@login_required
-@corpus_follower_permission_required(['VIEW', 'ADD_CORPUS_FILE'])
-def test(corpus_id):
-    return 'ok'
-
 @bp.route('/fake-add')
 @login_required
 def fake_add():
@@ -51,7 +45,7 @@ def fake_add():
 
 @bp.route('/<hashid:corpus_id>/is_public/enable', methods=['POST'])
 @login_required
-@owner_or_admin_required()
+@corpus_owner_or_admin_required()
 def enable_corpus_is_public(corpus_id):
     corpus = Corpus.query.get_or_404(corpus_id)
     corpus.is_public = True
@@ -61,7 +55,7 @@ def enable_corpus_is_public(corpus_id):
 
 @bp.route('/<hashid:corpus_id>/is_public/disable', methods=['POST'])
 @login_required
-@owner_or_admin_required()
+@corpus_owner_or_admin_required()
 def disable_corpus_is_public(corpus_id):
     corpus = Corpus.query.get_or_404(corpus_id)
     corpus.is_public = False
@@ -111,7 +105,7 @@ def current_user_unfollow_corpus(corpus_id):
 
 
 @bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['POST'])
-@corpus_follower_permission_required(['REMOVE_FOLLOWER', 'UPDATE_FOLLOWER'])
+@corpus_follower_permission_required('REMOVE_FOLLOWER', 'UPDATE_FOLLOWER')
 def add_permission(corpus_id, follower_id):
     corpus_follower_association = CorpusFollowerAssociation.query.filter_by(corpus_id=corpus_id, follower_id=follower_id).first_or_404()
     if not (corpus_follower_association.corpus.user == current_user or current_user.is_administrator()):
@@ -206,6 +200,7 @@ def generate_corpus_share_link(corpus_id):
 
 @bp.route('/<hashid:corpus_id>', methods=['DELETE'])
 @login_required
+@corpus_owner_or_admin_required()
 def delete_corpus(corpus_id):
     def _delete_corpus(app, corpus_id):
         with app.app_context():
@@ -214,8 +209,6 @@ def delete_corpus(corpus_id):
             db.session.commit()
 
     corpus = Corpus.query.get_or_404(corpus_id)
-    if not (corpus.user == current_user or current_user.is_administrator()):
-        abort(403)
     thread = Thread(
         target=_delete_corpus,
         args=(current_app._get_current_object(), corpus_id)