diff --git a/tildes/tests/test_comment.py b/tildes/tests/test_comment.py
index 24b057f..d1f575d 100644
--- a/tildes/tests/test_comment.py
+++ b/tildes/tests/test_comment.py
@@ -83,10 +83,10 @@ def test_deleted_comment_permissions_removed(comment):
 def test_removed_comment_view_permission(comment):
- """Ensure a removed comment can only be viewed by its author and admins."""
+ """Ensure a removed comment can only be viewed by certain users."""
 comment.is_removed = True
 principals = principals_allowed_by_permission(comment, "view")
- assert principals == {"admin", comment.user_id}
+ assert principals == {"admin", comment.user_id, "comment.remove"}
 def test_edit_grace_period(comment):
diff --git a/tildes/tests/test_topic_permissions.py b/tildes/tests/test_topic_permissions.py
index 5663f33..24411ea 100644
--- a/tildes/tests/test_topic_permissions.py
+++ b/tildes/tests/test_topic_permissions.py
@@ -46,10 +46,10 @@ def test_topic_view_author_permission(text_topic):
 def test_removed_topic_view_author_permission(topic):
- """Ensure only admins and the author can view a removed topic's author."""
+ """Ensure only a removed topic's author can only be viewed by certain users."""
 topic.is_removed = True
 principals = principals_allowed_by_permission(topic, "view_author")
- assert principals == {"admin", topic.user_id}
+ assert principals == {"admin", topic.user_id, "topic.remove"}
 def test_topic_view_content_permission(text_topic):
@@ -59,10 +59,10 @@ def test_topic_view_content_permission(text_topic):
 def test_removed_topic_view_content_permission(topic):
- """Ensure only admins and the author can view a removed topic's content."""
+ """Ensure a removed topic's content can only be viewed by certain users."""
 topic.is_removed = True
 principals = principals_allowed_by_permission(topic, "view_content")
- assert principals == {"admin", topic.user_id}
+ assert principals == {"admin", topic.user_id, "topic.remove"}
 def test_topic_comment_permission(text_topic):
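Review bot: The new docstring on test_removed_topic_view_author_permission in the second hunk doubles "only": `"""Ensure only a removed topic's author can only be viewed by certain users."""`; `"""Ensure a removed topic's author can only be viewed by certain users."""` reads correctly. In all three hunks "certain users" also drops the information the old docstrings carried, while the assertion two lines below names the exact principal set; spelling it out keeps the docstring useful the next time that set changes, e.g. `"""Ensure a removed comment is viewable only by admins, its author, and comment.remove holders."""` for the first hunk, with the matching wording for the two topic tests.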
diff --git a/tildes/tildes/models/comment/comment.py b/tildes/tildes/models/comment/comment.py
index cf11c9f..0044404 100644
--- a/tildes/tildes/models/comment/comment.py
+++ b/tildes/tildes/models/comment/comment.py
@@ -147,11 +147,13 @@ class Comment(DatabaseModel):
 acl.append(DENY_ALL)
 # view:
- # - removed comments can only be viewed by admins and the author
+ # - removed comments can only be viewed by admins, the author, and users with
+ # remove permission
 # - otherwise, everyone can view
 if self.is_removed:
 acl.append((Allow, "admin", "view"))
 acl.append((Allow, self.user_id, "view"))
+ acl.append((Allow, "comment.remove", "view"))
 acl.append((Deny, Everyone, "view"))
 acl.append((Allow, Everyone, "view"))
@@ -209,6 +211,8 @@ class Comment(DatabaseModel):
 # tools that require specifically granted permissions
 acl.append((Allow, "admin", "remove"))
+ acl.append((Allow, "comment.remove", "remove")) + acl.append((Allow, "admin", "view_labels"))
 acl.append(DENY_ALL)
diff --git a/tildes/tildes/models/topic/topic.py b/tildes/tildes/models/topic/topic.py
index 58b4c8c..fb926be 100644
--- a/tildes/tildes/models/topic/topic.py
+++ b/tildes/tildes/models/topic/topic.py
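Review bot: The updated comment in the view block says "users with remove permission", but the entry it describes grants the literal principal `"comment.remove"`, and nothing ties the two names together for a reader or a grep; naming the principal avoids that, e.g. `#   - removed comments can only be viewed by admins, the author, and holders of the "comment.remove" principal`. It is also worth a one-line note that the new Allow must stay above `(Deny, Everyone, "view")`: the Allow/Deny/Everyone tuples used here look like a Pyramid-style first-match ACL, so a later reorder that moves the grant below the Deny would silently revoke it with no test catching the change in ordering. The same `"comment.remove"` literal is repeated in the tools hunk and in the test diff; a module-level constant would keep the three in step. The enclosing ACL method of class Comment starts before the first hunk and continues after the second.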
@@ -230,21 +230,25 @@ class Topic(DatabaseModel):
 acl.append((Allow, Everyone, "view"))
 # view_author:
- # - removed topics' author is only visible to the author and admins
+ # - removed topics' author is only visible to the author, admins, and users
+ # with remove permission
 # - otherwise, everyone can view the author
 if self.is_removed:
 acl.append((Allow, "admin", "view_author"))
 acl.append((Allow, self.user_id, "view_author"))
+ acl.append((Allow, "topic.remove", "view_author"))
 acl.append((Deny, Everyone, "view_author"))
 acl.append((Allow, Everyone, "view_author"))
 # view_content:
- # - removed topics' content is only visible to the author and admins
+ # - removed topics' content is only visible to the author, admins and users
+ # with remove permissions
 # - otherwise, everyone can view the content
 if self.is_removed:
 acl.append((Allow, "admin", "view_content"))
 acl.append((Allow, self.user_id, "view_content"))
+ acl.append((Allow, "topic.remove", "view_content"))
 acl.append((Deny, Everyone, "view_content"))
 acl.append((Allow, Everyone, "view_content"))
@@ -289,8 +293,10 @@ class Topic(DatabaseModel):
 # tools that require specifically granted permissions
 acl.append((Allow, "admin", "lock"))
+ acl.append((Allow, "topic.lock", "lock"))
 acl.append((Allow, "admin", "remove"))
+ acl.append((Allow, "topic.remove", "remove"))
 acl.append((Allow, "admin", "move"))
 acl.append((Allow, "topic.move", "move"))
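Review bot: The two new comment lines in the view hunk disagree on wording — "with remove permission" under view_author and "with remove permissions" under view_content — while both describe the same `"topic.remove"` principal granted two lines below each; use one form and name the principal so the comment and the ACL entry can be matched, e.g. `#   - removed topics' author is only visible to the author, admins, and "topic.remove" holders` and the parallel line for content. As in the comment model, a short note that these Allow entries must precede `(Deny, Everyone, ...)` under first-match evaluation would protect the grants from a careless reorder. The enclosing ACL method of class Topic starts before this hunk and continues after it.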
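Review bot: The new `(Allow, "topic.lock", "lock")` grant in the tools hunk has no counterpart in the test changes, whereas every `"topic.remove"` grant in this file is pinned by an updated assertion in test_topic_permissions.py. If a lock-permission test already exists there it should now assert `{"admin", "topic.lock"}`; if not, one modelled on test_removed_topic_view_content_permission should be added so the grant cannot be dropped or reordered below a Deny unnoticed. I cannot see the rest of the test module from this diff, so treat the existence of such a test as unverified.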