add a @redirect_to_own decorator in users app

2025-12-03 08:08:05 +03:00
parent a7876ca410
commit 9951ed3fae
1 changed files with 27 additions and 22 deletions
--- a/app/routes/users.py
+++ b/app/routes/users.py
@@ -68,6 +68,7 @@ def create_session(user_id):
        "expires_at": int(time.time()) + 31 * 24 * 60 * 60,
    })

+
 def extend_session(user_id):
    session_obj = Sessions.find({'key': session['pyrom_session_key']})
    if not session_obj:
@@ -121,6 +122,19 @@ def redirect_if_logged_in(*args, **kwargs):
    return decorator


+def redirect_to_own(view_func):
+    @wraps(view_func)
+    def wrapper(username, *args, **kwargs):
+        user = get_active_user()
+        if username.lower() != user.username:
+            view_args = dict(request.view_args)
+            view_args.pop('username', None)
+            new_args = {**view_args, 'username': user.username}
+            return redirect(url_for(request.endpoint, **new_args))
+        return view_func(username, *args, **kwargs)
+    return wrapper
+
+
 def login_required(view_func):
    @wraps(view_func)
    def wrapper(*args, **kwargs):
@@ -302,16 +316,14 @@ def page(username):

@bp.get("/<username>/settings")
@login_required
+@redirect_to_own
 def settings(username):
-    target_user = Users.find({'username': username.lower()})
-    if target_user.id != get_active_user().id:
-        return redirect('.settings', username = get_active_user().username)
-
    return render_template('users/settings.html')


@bp.post('/<username>/settings')
@login_required
+@redirect_to_own
 def settings_form(username):
    # we silently ignore the passed username
    # and grab the correct user from the session
@@ -367,6 +379,7 @@ def settings_form(username):

@bp.post('/<username>/set_avatar')
@login_required
+@redirect_to_own
 def set_avatar(username):
    user = get_active_user()
    if user.is_guest():
@@ -410,6 +423,7 @@ def set_avatar(username):

@bp.post('/<username>/change_password')
@login_required
+@redirect_to_own
 def change_password(username):
    user = get_active_user()
    password = request.form.get('new_password')
@@ -432,6 +446,7 @@ def change_password(username):

@bp.post('/<username>/clear_avatar')
@login_required
+@redirect_to_own
 def clear_avatar(username):
    user = get_active_user()
    if user.is_default_avatar():
@@ -524,11 +539,9 @@ def guest_user(user_id):

@bp.get("/<username>/inbox")
@login_required
+@redirect_to_own
 def inbox(username):
    user = get_active_user()
-    if username.lower() != user.username:
-        return redirect(url_for(".inbox", username = user.username))
-
    new_posts = []
    subscription = Subscriptions.find({"user_id": user.id})
    all_subscriptions = None
@@ -666,6 +679,7 @@ def reset_link_login_form(key):

@bp.get('/<username>/invite-links/')
@login_required
+@redirect_to_own
 def invite_links(username):
    target_user = Users.find({
        'username': username.lower()
@@ -673,9 +687,6 @@ def invite_links(username):
    if not target_user or not target_user.can_invite():
        return redirect(url_for('.page', username=username))

-    if target_user.username != get_active_user().username:
-        return redirect(url_for('.invite_links', username=target_user.username))
-
    invites = InviteKeys.findall({
        'created_by': target_user.id
    })
@@ -685,6 +696,7 @@ def invite_links(username):

@bp.post('/<username>/invite-links/create')
@login_required
+@redirect_to_own
 def create_invite_link(username):
    target_user = Users.find({
        'username': username.lower()
@@ -692,9 +704,6 @@ def create_invite_link(username):
    if not target_user or not target_user.can_invite():
        return redirect(url_for('.page', username=username.lower()))

-    if target_user.username != get_active_user().username:
-        return redirect(url_for('.invite_links', username=target_user.username))
-
    invite = InviteKeys.create({
        'created_by': target_user.id,
        'key': secrets.token_urlsafe(20),
@@ -705,6 +714,7 @@ def create_invite_link(username):

@bp.post('/<username>/invite-links/revoke')
@login_required
+@redirect_to_own
 def revoke_invite_link(username):
    target_user = Users.find({
        'username': username.lower()
@@ -712,9 +722,6 @@ def revoke_invite_link(username):
    if not target_user or not target_user.can_invite():
        return redirect(url_for('.page', username=username.lower()))

-    if target_user.username != get_active_user().username:
-        return redirect(url_for('.invite_links', username=target_user.username))
-
    invite = InviteKeys.find({
        'key': request.form.get('key'),
    })
@@ -732,10 +739,9 @@ def revoke_invite_link(username):

@bp.get('/<username>/bookmarks')
@login_required
+@redirect_to_own
 def bookmarks(username):
-    target_user = Users.find({'username': username.lower()})
-    if not target_user or target_user.username != get_active_user().username:
-        return redirect(url_for('.bookmarks', username=get_active_user().username))
+    target_user = get_active_user()

    collections = target_user.get_bookmark_collections()

@@ -744,10 +750,9 @@ def bookmarks(username):

@bp.get('/<username>/bookmarks/collections')
@login_required
+@redirect_to_own
 def bookmark_collections(username):
-    target_user = Users.find({'username': username.lower()})
-    if not target_user or target_user.username != get_active_user().username:
-        return redirect(url_for('.bookmark_collections', username=get_active_user().username))
+    target_user = get_active_user()

    collections = target_user.get_bookmark_collections()
    return render_template('users/bookmark_collections.html', collections=collections)