Allow editors and approvers to see package audit log descriptions

2025-01-08 22:17:34 +01:00 · 2023-05-12 00:55:44 +01:00 · 2023-05-12 00:55:44 +01:00 · f03746f5ad
commit f03746f5ad
parent 84d379d490
4 changed files with 24 additions and 4 deletions
--- a/app/blueprints/admin/audit.py
+++ b/app/blueprints/admin/audit.py
@ -15,7 +15,9 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

 from flask import render_template, request, abort
-from app.models import db, AuditLogEntry, UserRank, User
+from flask_login import current_user, login_required
+
+from app.models import db, AuditLogEntry, UserRank, User, Permission
 from app.utils import rank_required, get_int_or_abort

 from . import bp
@ -40,7 +42,10 @@ def audit():


@bp.route("/admin/audit/<int:id_>/")
-@rank_required(UserRank.MODERATOR)
+@login_required
 def audit_view(id_):
-	entry = AuditLogEntry.query.get(id_)
+	entry: AuditLogEntry = AuditLogEntry.query.get_or_404(id_)
+	if not entry.checkPerm(current_user, Permission.VIEW_AUDIT_DESCRIPTION):
+		abort(403)
+
 	return render_template("admin/audit_view.html", entry=entry)
--- a/app/models/init.py
+++ b/app/models/init.py
@ -106,6 +106,20 @@ class AuditLogEntry(db.Model):
 		self.package  = package
 		self.description = description

+	def checkPerm(self, user, perm):
+		if not user.is_authenticated:
+			return False
+
+		if type(perm) == str:
+			perm = Permission[perm]
+		elif type(perm) != Permission:
+			raise Exception("Unknown permission given to AuditLogEntry.checkPerm()")
+
+		if perm == Permission.VIEW_AUDIT_DESCRIPTION:
+			return user.rank.atLeast(UserRank.APPROVER if self.package is not None else UserRank.MODERATOR)
+		else:
+			raise Exception("Permission {} is not related to audit log entries".format(perm.name))
+

 REPO_BLACKLIST = [".zip", "mediafire.com", "dropbox.com", "weebly.com",
 	"minetest.net", "dropboxusercontent.com", "4shared.com",
--- a/app/models/users.py
+++ b/app/models/users.py
@ -90,6 +90,7 @@ class Permission(enum.Enum):
 	DELETE_REVIEW      = "DELETE_REVIEW"
 	CHANGE_PROFILE_URLS = "CHANGE_PROFILE_URLS"
 	CHANGE_DISPLAY_NAME = "CHANGE_DISPLAY_NAME"
+	VIEW_AUDIT_DESCRIPTION = "VIEW_AUDIT_DESCRIPTION"

 	# Only return true if the permission is valid for *all* contexts
 	# See Package.checkPerm for package-specific contexts
--- a/app/templates/macros/audit_log.html
+++ b/app/templates/macros/audit_log.html
@ -2,7 +2,7 @@
 	<div class="list-group mt-3">
 		{% for entry in log %}
 			<a class="list-group-item list-group-item-action"
-				{% if entry.description and current_user.rank.atLeast(current_user.rank.MODERATOR) %}
+				{% if entry.description and entry.checkPerm(current_user, 'VIEW_AUDIT_DESCRIPTION') %}
 					href="{{ url_for('admin.audit_view', id_=entry.id) }}">
 				{% else %}
 					href="{{ entry.url }}">