Enforcing edit permission in badge editing pages

badger/models.py

@@ -115,6 +115,13 @@ class Badge(models.Model):
             self.slug = slugify(self.title)
         super(Badge, self).save(**kwargs)
 
+    def allows_edit_by(self, user):
+        if user.is_staff or user.is_superuser:
+            return True
+        if user == self.creator:
+            return True
+        return False
+
     def allows_award_to(self, user):
         """Is award_to() allowed for this user?"""
         if None == user:

badger/templates/badger/badge_detail.html

@@ -11,7 +11,8 @@
     <dt>Description:<dt><dd class="description">{{ badge.description }}</dd>
 </dl>
 
-<a class="edit_badge" href="{{ url('badger.views.edit', badge.slug) }}">edit</a>
-
+{% if badge.allows_edit_by(request.user) %}
+    <a class="edit_badge" href="{{ url('badger.views.edit', badge.slug) }}">edit</a>
+{% endif %}
 
 {% endblock %}

badger/templates/badger/home.html

@@ -4,13 +4,18 @@
 
 <h1>Badger</h1>
 <p>Welcome to the Badger home page</p>
+<nav><ul>
+    <li><a href="{{ url('badger.views.create') }}">Create a badge</a></li>
+</ul></nav>
 
 <h2>Badges:</h2>
 <ul class="badges">
     {% for badge in badge_list %}
         <li class="badge">
             <a href="{{ badge.get_absolute_url() }}"><span class="title">{{ badge.title }}</span></a>
-            - <a href="{{ url('badger.views.edit', badge.slug) }}">edit</a>
+            {% if badge.allows_edit_by(request.user) %}
+                - <a href="{{ url('badger.views.edit', badge.slug) }}">edit</a>
+            {% endif %}
         </li>
     {% endfor %}
 </ul>

badger/views.py

@@ -83,6 +83,9 @@ def create(request):
 def edit(request, slug):
     """Edit an existing badge"""
     badge = get_object_or_404(Badge, slug=slug)
+    if not badge.allows_edit_by(request.user):
+        return HttpResponseForbidden()
+    
     if request.method != "POST":
         form = BadgeEditForm(instance=badge)
     else: