From ed195af6a2b778ea58673e8876b1b38ccf147c10 Mon Sep 17 00:00:00 2001
From: Inga Kirschnick <inga.kirschnick@uni-bielefeld.de>
Date: Wed, 1 Mar 2023 15:14:51 +0100
Subject: [PATCH] corpus follower permission decorator update

---
 app/corpora/routes.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/corpora/routes.py b/app/corpora/routes.py
index c2af713a..5446f144 100644
--- a/app/corpora/routes.py
+++ b/app/corpora/routes.py
@@ -219,12 +219,9 @@ def delete_corpus(corpus_id):
 
 @bp.route('/<hashid:corpus_id>/analyse')
 @login_required
+@corpus_follower_permission_required('VIEW')
 def analyse_corpus(corpus_id):
     corpus = Corpus.query.get_or_404(corpus_id)
-    if not (corpus.user == current_user
-            or current_user.is_administrator()
-            or current_user.is_following_corpus(corpus)):
-        abort(403)
     return render_template(
         'corpora/analyse_corpus.html.j2',
         corpus=corpus,
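Review bot: The removed inline check admitted the corpus owner, an administrator, or any follower, while the new `@corpus_follower_permission_required('VIEW')` decorator requires a named permission; whether owner and admin still pass, and whether existing followers hold `VIEW` by default, depends on the decorator's implementation, which is outside this diff, so it is worth confirming that this is not a silent tightening of access to the analyse view. The body still runs `Corpus.query.get_or_404(corpus_id)` after the decorator has presumably already resolved the same corpus to evaluate the permission; if so, a one-line comment explaining why the second lookup is kept would help the next reader. analyse_corpus continues past the hunk.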
@@ -234,6 +231,7 @@ def analyse_corpus(corpus_id):
 
 @bp.route('/<hashid:corpus_id>/build', methods=['POST'])
 @login_required
+@corpus_owner_or_admin_required()
 def build_corpus(corpus_id):
     def _build_corpus(app, corpus_id):
         with app.app_context():
@@ -258,6 +256,7 @@ def build_corpus(corpus_id):
 
 @bp.route('/<hashid:corpus_id>/files/create', methods=['GET', 'POST'])
 @login_required
+@corpus_follower_permission_required('ADD_CORPUS_FILE')
 def create_corpus_file(corpus_id):
     corpus = Corpus.query.get_or_404(corpus_id)
     if not (corpus.user == current_user or current_user.is_administrator()):
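Review bot: The inline owner-or-admin check on the last line of the hunk is kept, so a follower who passes the new `@corpus_follower_permission_required('ADD_CORPUS_FILE')` decorator is still rejected by it (its `abort(403)` presumably follows just outside the hunk), which means the new permission has no effect on this route; the same leftover check remains in download_corpus_file at the `@@ -349,6 +348,7 @@` hunk. In analyse_corpus and corpus_file the equivalent check was removed together with adding the decorator, so for consistency either drop `if not (corpus.user == current_user or current_user.is_administrator()):` and its abort here as well, or, if this route is meant to stay owner/admin-only, use `@corpus_owner_or_admin_required()` as build_corpus does. create_corpus_file's body continues outside the hunk.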
@@ -305,10 +304,9 @@ def create_corpus_file(corpus_id):
 
 @bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['GET', 'POST'])
 @login_required
+@corpus_follower_permission_required('ADD_CORPUS_FILE', 'UPDATE_CORPUS_FILE', 'REMOVE_CORPUS_FILE')
 def corpus_file(corpus_id, corpus_file_id):
     corpus_file = CorpusFile.query.filter_by(corpus_id = corpus_id, id=corpus_file_id).first_or_404()
-    if not (corpus_file.corpus.user == current_user or current_user.is_administrator()):
-        abort(403)
     form = UpdateCorpusFileForm(data=corpus_file.to_json_serializeable())
     if form.validate_on_submit():
         form.populate_obj(corpus_file)
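Review bot: The route serves both GET and POST, and the POST path (`form.validate_on_submit()` followed by `form.populate_obj(corpus_file)`) mutates the file, yet the decorator lists three permissions including `'ADD_CORPUS_FILE'` and `'REMOVE_CORPUS_FILE'`; if `corpus_follower_permission_required` grants access when any one listed permission is held (its implementation is not in the diff), a follower lacking `UPDATE_CORPUS_FILE` can still change the file through the form. Consider gating the mutation separately, i.e. checking the update permission before `form.populate_obj(corpus_file)`, or narrowing the decorator to `'UPDATE_CORPUS_FILE'` if displaying the form to other followers is not required. corpus_file's body continues past the hunk.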
@@ -329,6 +327,7 @@ def corpus_file(corpus_id, corpus_file_id):
 
 @bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['DELETE'])
 @login_required
+@corpus_follower_permission_required('REMOVE_CORPUS_FILE')
 def delete_corpus_file(corpus_id, corpus_file_id):
     def _delete_corpus_file(app, corpus_file_id):
         with app.app_context():
@@ -349,6 +348,7 @@ def delete_corpus_file(corpus_id, corpus_file_id):
 
 @bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>/download')
 @login_required
+@corpus_follower_permission_required('VIEW')
 def download_corpus_file(corpus_id, corpus_file_id):
     corpus_file = CorpusFile.query.filter_by(corpus_id = corpus_id, id=corpus_file_id).first_or_404()
     if not (corpus_file.corpus.user == current_user or current_user.is_administrator()):
-- 
GitLab