From 4bcea261b139b20988a3aab4080d4f57046a30f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?=
Date: Wed, 29 Apr 2026 21:20:07 +0300
Subject: [PATCH] finish mod routes

---
 app/routes/mod.py | 68 +++++++++++++++++++++++++++---
 app/templates/users/user_page.html | 4 +-
 2 files changed, 65 insertions(+), 7 deletions(-)

diff --git a/app/routes/mod.py b/app/routes/mod.py
index ee514c2..3c6609a 100644
--- a/app/routes/mod.py
+++ b/app/routes/mod.py
@@ -1,8 +1,10 @@
 from flask import Blueprint, abort, redirect, url_for, request, render_template, flash
-from ..constants import InfoboxKind
+from ..constants import InfoboxKind, PermissionLevel
 from ..auth import is_logged_in, get_active_user, csrf_verified
-from ..models import Topics, Threads
+from ..models import Topics, Threads, Users
 from slugify import slugify
+from functools import wraps
+import time
 
 bp = Blueprint('mod', __name__, url_prefix='/mod/')
 @bp.before_request
@@ -12,6 +14,14 @@ def mod_only():
 if not get_active_user().is_mod():
 abort(403)
 
+def admin_only(view_func):
+ @wraps(view_func)
+ def wrapper(*args, **kwargs):
+ if not get_active_user().is_admin():
+ abort(403)
+ return view_func(*args, **kwargs)
+ return wrapper
+
 @bp.get('/')
 def index():
 return 'stub'
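Review bot: In the second hunk of app/routes/mod.py, `admin_only` has no docstring and its wrapper calls `get_active_user().is_admin()` without checking that an active user exists, so it is only safe behind a hook that has already required a login. Inside this blueprint the `mod_only` before_request hook presumably provides that (its body starts outside the hunk), but the decorator reads as reusable on other blueprints. I would state the dependency under `def admin_only(view_func):` with `"""Abort with 403 unless the active user is an admin; relies on the blueprint's before_request hook having already required a logged-in moderator."""`.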
@@ -97,14 +107,62 @@ def sticky_thread(thread_id):
 @bp.post('/users//make-guest/')
 @csrf_verified
 def make_user_guest(user_id):
- return 'stub'
+ mod = get_active_user()
+ target_user = Users.find({'id': user_id})
+ if not target_user:
+ abort(404)
+
+ if target_user.is_admin() or target_user.is_system():
+ abort(403)
+
+ if int(target_user.permission) >= int(mod.permission):
+ abort(403)
+
+ target_user.update({
+ 'permission': PermissionLevel.GUEST.value,
+ 'confirmed_on': None,
+ })
+
+ return redirect(url_for('users.user_page', username=target_user.username))
 
 @bp.post('/users//make-user/')
 @csrf_verified
 def make_user_regular(user_id):
- return 'stub'
+ mod = get_active_user()
+ target_user = Users.find({'id': user_id})
+ if not target_user:
+ abort(404)
+
+ if target_user.is_admin() or target_user.is_system():
+ abort(403)
+
+ # mod -> regular user, abort if not admin
+ if int(target_user.permission) >= int(mod.permission):
+ abort(403)
+
+ update_dict = {'permission': PermissionLevel.USER.value}
+ # set approved date if the user was guest
+ if target_user.is_guest():
+ update_dict['confirmed_on'] = int(time.time())
+
+ target_user.update(update_dict)
+
+ return redirect(url_for('users.user_page', username=target_user.username))
 
 @bp.post('/users//make-mod/')
+@admin_only
 @csrf_verified
 def make_user_mod(user_id):
- return 'stub'
+ mod = get_active_user()
+ target_user = Users.find({'id': user_id})
+ if not target_user:
+ abort(404)
+
+ if target_user.is_admin() or target_user.is_system():
+ abort(403)
+
+ if int(target_user.permission) >= int(mod.permission):
+ abort(403)
+
+ target_user.update({'permission': PermissionLevel.MODERATOR.value})
+ return redirect(url_for('users.user_page', username=target_user.username))
diff --git a/app/templates/users/user_page.html b/app/templates/users/user_page.html
index 1ebe825..5e0a113 100644
--- a/app/templates/users/user_page.html
+++ b/app/templates/users/user_page.html
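Review bot: The target lookup and the three authorization checks (404 on a missing target, 403 for an admin or system target, 403 unless the target's permission is strictly below the actor's) are copied verbatim into `make_user_guest`, `make_user_regular` and `make_user_mod` in the last hunk of app/routes/mod.py, so a later edit to one route can leave the others with a weaker check. Moving them into one private helper that returns the vetted target keeps the rank rule in a single place; the sketch below uses only calls already present in the hunk. Separately, nothing in the hunk records who changed whose permission, so unless `update` logs it elsewhere, a log entry naming actor, target and the old and new level would be worth adding before each redirect.

```python
def _vetted_target(user_id):
    """Return the target user, aborting with 404 if missing or 403 if the actor may not change them."""
    actor = get_active_user()
    target_user = Users.find({'id': user_id})
    if not target_user:
        abort(404)
    if target_user.is_admin() or target_user.is_system():
        abort(403)
    # Strictly lower rank only: an equal-ranked target (including the actor) is refused.
    if int(target_user.permission) >= int(actor.permission):
        abort(403)
    return target_user

def make_user_guest(user_id):
    target_user = _vetted_target(user_id)
    # … unchanged: target_user.update({...}) and the redirect …
```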
@@ -15,10 +15,10 @@ {%- endif -%} -{%- if get_active_user().is_mod() and target_user.id != get_active_user().id -%} +{%- if get_active_user().is_mod() and target_user.id != get_active_user().id and target_user.permission < get_active_user().permission -%}
Moderation actions -
+ {{csrf_input() | safe}} {%- if target_user.is_guest() -%}