diff --git a/app/blueprints/report/__init__.py b/app/blueprints/report/__init__.py index b488e086..7d7961f9 100644 --- a/app/blueprints/report/__init__.py +++ b/app/blueprints/report/__init__.py @@ -22,7 +22,7 @@ from werkzeug.utils import redirect from wtforms import TextAreaField, SubmitField, URLField, StringField, SelectField from wtforms.validators import InputRequired, Length, Optional, DataRequired -from app.models import User, UserRank, Report, db, AuditSeverity, ReportCategory, Thread +from app.models import User, UserRank, Report, db, AuditSeverity, ReportCategory, Thread, Permission from app.tasks.webhooktasks import post_discord_webhook from app.utils import (is_no, abs_url_samesite, normalize_line_endings, rank_required, add_audit_log, abs_url_for, random_string, add_replies) @@ -120,9 +120,10 @@ class ResolveForm(FlaskForm): @bp.route("/admin/reports//", methods=["GET", "POST"]) -@rank_required(UserRank.MODERATOR) def view(rid: str): report = Report.query.get_or_404(rid) + if not report.check_perm(current_user, Permission.SEE_REPORT): + abort(404) resolve_form = ResolveForm(request.form) if resolve_form.validate_on_submit(): diff --git a/app/models/__init__.py b/app/models/__init__.py index cb4596e4..aefb5f24 100644 --- a/app/models/__init__.py +++ b/app/models/__init__.py 
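Review bot: In the second hunk of this file, `view` still accepts POST and runs `resolve_form.validate_on_submit()`, but the only gate left on the route is `Permission.SEE_REPORT`, which is a read permission. `Report.check_perm` currently maps it to moderator rank, so behaviour is unchanged today, but if SEE_REPORT is ever widened (for example to the user who filed the report), the resolve action widens with it. I would keep an explicit write-side check as the first statement under `if resolve_form.validate_on_submit():`, e.g. `if not current_user.rank.at_least(UserRank.MODERATOR): abort(403)`, or introduce a separate permission for resolving. The body of `view` continues past the hunk, so any other state-changing branch there needs the same check. Anonymous requests now receive a 404 from this check instead of being handled by `rank_required`; confirm that is intended.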
@@ -200,6 +200,20 @@ class Report(db.Model): is_resolved = db.Column(db.Boolean, nullable=False, default=False) + def check_perm(self, user, perm): + if type(perm) == str: + perm = Permission[perm] + elif type(perm) != Permission: + raise Exception("Unknown permission given to Report.check_perm()") + if not user.is_authenticated: + return False + + if perm == Permission.SEE_REPORT: + return user.rank.at_least(UserRank.MODERATOR) + else: + raise Exception("Permission {} is not related to reports".format(perm.name)) + + REPO_BLACKLIST = [".zip", "mediafire.com", "dropbox.com", "weebly.com", "minetest.net", "luanti.org", "dropboxusercontent.com", "4shared.com", "digitalaudioconcepts.com", "hg.intevation.org", "www.wtfpl.net", diff --git a/app/models/threads.py b/app/models/threads.py index 2df33d2f..b819e2c5 100644 --- a/app/models/threads.py +++ b/app/models/threads.py @@ -57,6 +57,8 @@ class Thread(db.Model): watchers = db.relationship("User", secondary=watchers, backref="watching") + report = db.relationship("Report", foreign_keys="Report.thread_id", back_populates="thread", lazy="dynamic") + first_reply = db.relationship("ThreadReply", uselist=False, foreign_keys="ThreadReply.thread_id", lazy=True, order_by=db.asc("id"), viewonly=True, primaryjoin="Thread.id==ThreadReply.thread_id") diff --git a/app/models/users.py b/app/models/users.py index aaf42b91..9fff805f 100644 --- a/app/models/users.py +++ b/app/models/users.py @@ -114,6 +114,7 @@ class Permission(enum.Enum): EDIT_COLLECTION = "EDIT_COLLECTION" VIEW_COLLECTION = "VIEW_COLLECTION" CREATE_OAUTH_CLIENT = "CREATE_OAUTH_CLIENT" + SEE_REPORT = "SEE_REPORT" # Only return true if the permission is valid for *all* contexts # See Package.check_perm for package-specific contexts diff --git a/app/templates/threads/view.html b/app/templates/threads/view.html index d137c717..a87e8f9b 100644 --- a/app/templates/threads/view.html +++ b/app/templates/threads/view.html 
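Review bot: `Report.check_perm` compares exact types (`type(perm) == str`, `type(perm) != Permission`) and has no docstring; `if isinstance(perm, str):` and `elif not isinstance(perm, Permission):` are the idiomatic forms. A string that is not a member name makes `Permission[perm]` raise `KeyError` before the explicit "Unknown permission" error is reached. The template in this commit passes the name as a string, so a typo there would surface as a server error on thread pages rather than a clear message. A short docstring should state that the method returns False for unauthenticated users, maps SEE_REPORT to moderator rank, and raises for any permission not related to reports.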
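Review bot: In `app/models/threads.py`, `Thread.report` is declared with `lazy="dynamic"`, so the attribute is a query over every report that points at the thread, not a single report. The name is singular, and the template has to call `thread.report.first()` to get one. Naming it `reports` would make call sites read correctly; if only one report per thread is intended, that constraint is not visible in this diff. `back_populates="thread"` also relies on `Report.thread` naming this attribute in return, and `Report.thread` is not part of the diff, so confirm it declares `back_populates="report"`.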
@@ -128,6 +128,11 @@ {% endif %} + {% set report = thread.report.first() %} + {% if report and report.check_perm(current_user, "SEE_REPORT") %} + View report page + {% endif %} + {% if thread.review and current_user == thread.package.author %} {% set flag %}
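Review bot: `thread.report.first()` has no ordering and runs for every viewer of the thread, including visitors who then fail `check_perm`. If several reports can reference one thread, the link points at whichever row the database returns first; an explicit order on the relationship or the query would make it deterministic. The anchor markup on the "View report page" line did not survive on this page, so the link target itself could not be reviewed.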