Add permission to view/delete all comments by a user

VNOI-Admin · Sep 20, 2023 · 82ec68d · 82ec68d
1 parent 9ff5b5b
commit 82ec68d
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 3 deletions.
diff --git a/judge/migrations/0196_view_all_user_comment_permission.py b/judge/migrations/0196_view_all_user_comment_permission.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.2.21 on 2023-09-20 13:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('judge', '0195_post_pin_global_permissions'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='comment',
+            options={'permissions': (('view_all_user_comment', 'View all comments by a user'),), 'verbose_name': 'comment', 'verbose_name_plural': 'comments'},
+        ),
+    ]
diff --git a/judge/models/comment.py b/judge/models/comment.py
@@ -38,6 +38,9 @@ class Comment(MPTTModel):
     revisions = models.IntegerField(verbose_name=_('revisions'), default=0)
 
     class Meta:
+        permissions = (
+            ('view_all_user_comment', _('View all comments by a user')),
+        )
         verbose_name = _('comment')
         verbose_name_plural = _('comments')
 

diff --git a/judge/views/user.py b/judge/views/user.py
@@ -309,7 +309,7 @@ def get_context_data(self, **kwargs):
 
     @method_decorator(require_POST)
     def delete_comments(self, request, *args, **kwargs):
-        if not request.user.is_superuser:
+        if not request.user.has_perm('judge.change_comment'):
             raise PermissionDenied()
 
         user_id = User.objects.get(username=kwargs['user']).id
@@ -320,7 +320,7 @@ def delete_comments(self, request, *args, **kwargs):
         return HttpResponseRedirect(reverse('user_comment', args=(user.user.username,)))
 
     def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_superuser:
+        if not request.user.has_perm('judge.view_all_user_comment'):
             raise PermissionDenied()
         if request.method == 'POST':
             return self.delete_comments(request, *args, **kwargs)

diff --git a/templates/user/comment.html b/templates/user/comment.html
@@ -13,10 +13,12 @@
 
 {% block body %}
     {% block before_comments %}{% endblock %}
+        {% if request.user.has_perm('judge.change_comment') %}
         <form action="{{url('user_comment', user.username)}}" method="post">
             {% csrf_token %}
             <button type="submit">Delete all comments</button>
         </form>
+        {% endif %}
         <ul class="comments top-level-comments new-comments">
             {% set logged_in = request.user.is_authenticated %}
             {% for comment in comments %}

diff --git a/templates/user/user-tabs.html b/templates/user/user-tabs.html
@@ -9,7 +9,7 @@
     {% if not request.official_contest_mode %}
         {{ make_tab('blogs', 'fa-rss', url('user_blog', user.user.username), _('Blogs')) }}
     {% endif %}
-    {% if request.user.is_superuser %}
+    {% if request.user.has_perm('judge.view_all_user_comment') %}
         {{ make_tab('comments', 'fa-comments', url('user_comment', user.user.username), _('Comments')) }}
     {% endif %}
     {% if request.user.is_superuser and user.user != request.user and not user.user.is_superuser %}