finish mod routes

app/routes/mod.py

@@ -1,8 +1,10 @@
 from flask import Blueprint, abort, redirect, url_for, request, render_template, flash
-from ..constants import InfoboxKind
+from ..constants import InfoboxKind, PermissionLevel
 from ..auth import is_logged_in, get_active_user, csrf_verified
-from ..models import Topics, Threads
+from ..models import Topics, Threads, Users
 from slugify import slugify
+from functools import wraps
+import time
 bp = Blueprint('mod', __name__, url_prefix='/mod/')
 
 @bp.before_request
@@ -12,6 +14,14 @@ def mod_only():
     if not get_active_user().is_mod():
         abort(403)
 
+def admin_only(view_func):
+    @wraps(view_func)
+    def wrapper(*args, **kwargs):
+        if not get_active_user().is_admin():
+            abort(403)
+        return view_func(*args, **kwargs)
+    return wrapper
+
 @bp.get('/')
 def index():
     return 'stub'
@@ -97,14 +107,62 @@ def sticky_thread(thread_id):
 @bp.post('/users/<int:user_id>/make-guest/')
 @csrf_verified
 def make_user_guest(user_id):
-    return 'stub'
+    mod = get_active_user()
+    target_user = Users.find({'id': user_id})
+    if not target_user:
+        abort(404)
+
+    if target_user.is_admin() or target_user.is_system():
+        abort(403)
+
+    if int(target_user.permission) >= int(mod.permission):
+        abort(403)
+
+    target_user.update({
+        'permission': PermissionLevel.GUEST.value,
+        'confirmed_on': None,
+        })
+
+    return redirect(url_for('users.user_page', username=target_user.username))
 
 @bp.post('/users/<int:user_id>/make-user/')
 @csrf_verified
 def make_user_regular(user_id):
-    return 'stub'
+    mod = get_active_user()
+    target_user = Users.find({'id': user_id})
+    if not target_user:
+        abort(404)
+
+    if target_user.is_admin() or target_user.is_system():
+        abort(403)
+
+    # mod -> regular user, abort if not admin
+    if int(target_user.permission) >= int(mod.permission):
+        abort(403)
+
+    update_dict = {'permission': PermissionLevel.USER.value}
+    # set approved date if the user was guest
+    if target_user.is_guest():
+        update_dict['confirmed_on'] = int(time.time())
+
+    target_user.update(update_dict)
+
+    return redirect(url_for('users.user_page', username=target_user.username))
 
 @bp.post('/users/<int:user_id>/make-mod/')
+@admin_only
 @csrf_verified
 def make_user_mod(user_id):
-    return 'stub'
+    mod = get_active_user()
+    target_user = Users.find({'id': user_id})
+    if not target_user:
+        abort(404)
+
+    if target_user.is_admin() or target_user.is_system():
+        abort(403)
+
+    if int(target_user.permission) >= int(mod.permission):
+        abort(403)
+
+    target_user.update({'permission': PermissionLevel.MODERATOR.value})
+    return redirect(url_for('users.user_page', username=target_user.username))

app/templates/users/user_page.html

@@ -15,10 +15,10 @@
 </fieldset>
 {%- endif -%}
 
-{%- if get_active_user().is_mod() and target_user.id != get_active_user().id -%}
+{%- if get_active_user().is_mod() and target_user.id != get_active_user().id and target_user.permission < get_active_user().permission -%}
 <fieldset class="plank even no-shadow minimal thread-actions">
   <legend>Moderation actions</legend>
-  <form method="POST">
+  <form class="thread-actions" method="POST">
     {{csrf_input() | safe}}
     {%- if target_user.is_guest() -%}
     <input class="warn" type="submit" value="Approve user" formaction="{{url_for('mod.make_user_regular', user_id=target_user.id)}}">