Add extremely minimal ban tool (admin only)

This is very minimal and has some weird aspects, but at least it will let me be able to ban someone from my phone if it's necessary.
6 years ago · 888e2763f4
5 changed files with 57 additions and 0 deletions
--- a/tildes/tests/test_user.py
+++ b/tildes/tests/test_user.py
@ -134,3 +134,11 @@ def test_banned_user_no_message_permission():

    principals = principals_allowed_by_permission(banned_user, "message")
    assert not principals
+
+
+def test_only_admin_has_ban_permission():
+    """Ensure only admins have ban permissions."""
+    user = User("Test_User", "password")
+
+    principals = principals_allowed_by_permission(user, "ban")
+    assert principals == {"admin"}
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@ -198,6 +198,14 @@ class User(DatabaseModel):
        acl.append((Deny, self.user_id, "message"))
        acl.append((Allow, Authenticated, "message"))

+        # ban:
+        #  - admins can ban non-deleted users except themselves
+        if self.is_deleted:
+            acl.append((Deny, Everyone, "ban"))
+
+        acl.append((Deny, self.user_id, "ban"))  # required so users can't self-ban
+        acl.append((Allow, "admin", "ban"))
+
        # grant the user all other permissions on themself
        acl.append((Allow, self.user_id, ALL_PERMISSIONS))

--- a/tildes/tildes/routes.py
+++ b/tildes/tildes/routes.py
@ -152,6 +152,7 @@ def add_intercooler_routes(config: Configurator) -> None:
            "/default_listing_options",
            factory=user_by_username,
        )
+        add_ic_route("user_ban", "/ban", factory=user_by_username)


 class LoggedInFactory:
--- a/tildes/tildes/templates/user.jinja2
+++ b/tildes/tildes/templates/user.jinja2
@ -134,4 +134,20 @@
 {% if request.has_permission('message', user) %}
  <a href="/user/{{ user.username }}/new_message" class="btn btn-primary">Send a private message</a>
 {% endif %}
+
+{% if request.has_permission("ban", user) %}
+  <div class="divider"></div>
+  {% if user.is_banned %}
+    <button class="btn"
+      data-ic-delete-from="{{ request.route_url("ic_user_ban", username=user.username) }}"
+      data-ic-confirm="Unban user {{ user.username }}?"
+    >Unban user</button>
+  {% else %}
+    <button class="btn"
+      data-ic-put-to="{{ request.route_url("ic_user_ban", username=user.username) }}"
+      data-ic-confirm="Ban user {{ user.username }}?"
+    >Ban user</button>
+  {% endif %}
+{% endif %}
+
 {% endblock %}
--- a/tildes/tildes/views/api/web/user.py
+++ b/tildes/tildes/views/api/web/user.py
@ -329,3 +329,27 @@ def put_filtered_topic_tags(request: Request, tags: str) -> dict:
    request.user.filtered_topic_tags = result.data["tags"]

    return IC_NOOP
+
+
+@ic_view_config(route_name="user_ban", request_method="PUT", permission="ban")
+def put_user_ban(request: Request) -> Response:
+    """Ban a user."""
+    user = request.context
+
+    user.is_banned = True
+
+    # delete all of the user's outstanding invite codes
+    request.query(UserInviteCode).filter(
+        UserInviteCode.user_id == user.user_id,
+        UserInviteCode.invitee_id == None,  # noqa
+    ).delete(synchronize_session=False)
+
+    return Response("Banned")
+
+
+@ic_view_config(route_name="user_ban", request_method="DELETE", permission="ban")
+def delete_user_ban(request: Request) -> Response:
+    """Unban a user."""
+    request.context.is_banned = False
+
+    return Response("Unbanned")