From 5ff33b1b4ac2a31907974115ad1c86e363736785 Mon Sep 17 00:00:00 2001
From: Les Orchard
Date: Sat, 30 Jul 2011 00:48:50 -0400
Subject: [PATCH] Enforcing edit permission in badge editing pages

---
 badger/models.py | 7 +++++++
 badger/templates/badger/badge_detail.html | 5 +++--
 badger/templates/badger/home.html | 7 ++++++-
 badger/views.py | 3 +++
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/badger/models.py b/badger/models.py
index 9e03f28..23337a3 100644
--- a/badger/models.py
+++ b/badger/models.py
@@ -115,6 +115,13 @@ class Badge(models.Model):
         self.slug = slugify(self.title)
         super(Badge, self).save(**kwargs)
 
+    def allows_edit_by(self, user):
+        if user.is_staff or user.is_superuser:
+            return True
+        if user == self.creator:
+            return True
+        return False
+
     def allows_award_to(self, user):
         """Is award_to() allowed for this user?"""
         if None == user:
diff --git a/badger/templates/badger/badge_detail.html b/badger/templates/badger/badge_detail.html
index 0e443f8..af19d0a 100644
--- a/badger/templates/badger/badge_detail.html
+++ b/badger/templates/badger/badge_detail.html
@@ -11,7 +11,8 @@
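Review bot: `allows_edit_by` dereferences `user` unconditionally, whereas the neighbouring `allows_award_to` (visible as context at the end of this hunk) opens with `if None == user:`; a `None` caller would raise AttributeError here rather than being refused, so mirror that guard with `if user is None: return False` as the first statement. The new method also has no docstring where its sibling does; `"""Is edit allowed for this user? Staff, superusers and the badge's creator qualify."""` would match the file's style. Note that `is_staff` by itself grants edit rights to every staff account regardless of model permissions — if that is broader than intended, the per-model check Django provides is `user.has_perm('badger.change_badge')` (the default change permission for this app and model, assuming the app label is `badger`). The enclosing class `Badge` continues outside the hunk.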
Description:
{{ badge.description }}
-edit - +{% if badge.allows_edit_by(request.user) %} + edit +{% endif %} {% endblock %} diff --git a/badger/templates/badger/home.html b/badger/templates/badger/home.html index 8b46469..61d6a79 100644 --- a/badger/templates/badger/home.html +++ b/badger/templates/badger/home.html @@ -4,13 +4,18 @@
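Review bot: `{% if badge.allows_edit_by(request.user) %}` passes an argument to a method, which Django's own template engine cannot do (its variable lookup only resolves attributes and zero-argument callables), so this line only works if these templates are rendered by Jinja2 — the page does not show which engine is in use, so confirm that before relying on it. It also requires `request` to be present in the template context, i.e. the request context processor or an equivalent. Hiding the link is presentation only; the server-side check added to `badger/views.py` in this same patch is the actual enforcement, and the two should be kept in step if `allows_edit_by` changes. The same pattern presumably appears in the `home.html` hunk below, but markup in both template hunks appears stripped in this rendering, so the surrounding lines could not be checked.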

Badger

Welcome to the Badger home page

+

Badges:

diff --git a/badger/views.py b/badger/views.py
index 14d3407..aff1b84 100644
--- a/badger/views.py
+++ b/badger/views.py
@@ -83,6 +83,9 @@ def create(request):
 def edit(request, slug):
     """Edit an existing badge"""
     badge = get_object_or_404(Badge, slug=slug)
+    if not badge.allows_edit_by(request.user):
+        return HttpResponseForbidden()
+
     if request.method != "POST":
         form = BadgeEditForm(instance=badge)
     else:
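Review bot: `HttpResponseForbidden` is used in `edit` but the hunk does not show it being imported; confirm `badger/views.py` already has `from django.http import HttpResponseForbidden` (or equivalent), otherwise the first unauthorised request raises NameError and produces a 500 instead of a 403. For an anonymous visitor a bare 403 is less useful than a redirect to login; if that is wanted, the usual shape is to check `request.user.is_authenticated` first (a method or a property depending on the Django version) and redirect, keeping the 403 for authenticated users who are not allowed, or to apply `login_required` to the view. The check is correctly placed before both the GET and POST branches, so the form handling that follows is covered. `edit` continues beyond the hunk.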