[extensions-web] auth: Actually change the correct user's name



commit ddee488055c0274c13677c5a8673c4991290d017
Author: Jasper St. Pierre <jstpierre mecheye net>
Date:   Mon May 20 23:08:23 2013 -0400

    auth: Actually change the correct user's name
    
    We were allowing admins to change all display names, but not
    actually setting the name on the correct user.

 .../auth/templates/registration/profile.html       |    2 +-
 sweettooth/auth/urls.py                            |    2 +-
 sweettooth/auth/views.py                           |   13 ++++++++-----
 sweettooth/static/js/main.js                       |    5 ++++-
 4 files changed, 14 insertions(+), 8 deletions(-)
---
diff --git a/sweettooth/auth/templates/registration/profile.html 
b/sweettooth/auth/templates/registration/profile.html
index 7287e2f..fecf0b7 100644
--- a/sweettooth/auth/templates/registration/profile.html
+++ b/sweettooth/auth/templates/registration/profile.html
@@ -5,7 +5,7 @@
 {% load gravatar %}
 <div class="profile">
   {% if is_editable %}
-  <h2 class="editable" id="new_display_name">{{ display_name }}</h2>
+  <h2 class="editable" data-pk="{{ user.pk }}" id="new_display_name">{{ display_name }}</h2>
   {% else %}
   <h2>{{ display_name }}</h2>
   {% endif %}
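Review bot: `data-pk="{{ user.pk }}"` depends on `user` in this template being the profile owner, and the hunk does not show what the view puts in the context. If `user` resolves to the logged-in account (which is what Django's auth context processor supplies under that name), a reviewer editing someone else's profile would post their own pk and the rename would still land on the wrong account. Passing the owner under an unambiguous name and using it here, for example `data-pk="{{ profile_user.pk }}"` (variable name constructed for illustration), removes that doubt.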
diff --git a/sweettooth/auth/urls.py b/sweettooth/auth/urls.py
index 948249e..8ba4f01 100644
--- a/sweettooth/auth/urls.py
+++ b/sweettooth/auth/urls.py
@@ -10,7 +10,7 @@ urlpatterns = patterns('',
         dict(template_name='registration/login.html',
              authentication_form=forms.AuthenticationForm), name='auth-login'),
 
-    url(r'^change_display_name', views.ajax_change_display_name),
+    url(r'^change_display_name/(?P<pk>\d+)', views.ajax_change_display_name),
 
     url(r'^logout/', logout,
         dict(next_page='/'), name='auth-logout'),
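Review bot: The new pattern `r'^change_display_name/(?P<pk>\d+)'` has no end anchor, so any path that merely starts with a numeric pk is also routed to the view, with the leading digits taken as `pk`. Ending it with `$`, as in `url(r'^change_display_name/(?P<pk>\d+)$', views.ajax_change_display_name),`, limits the endpoint to the single URL the client builds. Giving the route a `name=` as the neighbouring entries do would also let the template emit the URL instead of main.js hard-coding the path.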
diff --git a/sweettooth/auth/views.py b/sweettooth/auth/views.py
index 4ba40f2..3a1ecc8 100644
--- a/sweettooth/auth/views.py
+++ b/sweettooth/auth/views.py
@@ -37,17 +37,20 @@ def profile(request, user):
 @ajax_view
 @require_POST
 @login_required
-def ajax_change_display_name(request):
+def ajax_change_display_name(request, pk):
     if request.POST['id'] != 'new_display_name':
         return HttpResponseForbidden()
 
-    if not request.user.is_authenticated():
+    userobj = get_object_or_404(models.User, pk=pk)
+    is_editable = (request.user == userobj) or request.user.has_perm('review.can-review-extensions')
+
+    if not is_editable:
         return HttpResponseForbidden()
 
     # display name is "%s %s" % (first_name, last_name). Change the first name.
-    request.user.first_name = request.POST['value']
-    request.user.save()
-    return request.POST['value']
+    userobj.first_name = request.POST['value']
+    userobj.save()
+    return userobj.first_name
 
 @login_required
 def profile_redirect(request):
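Review bot: `userobj.first_name = request.POST['value']` stores the posted string unchecked, and after this change that write can land on an account other than the caller's. The value should be stripped and rejected when empty or longer than the field allows before saving, e.g. `value = request.POST.get('value', '').strip()` followed by `if not value or len(value) > userobj._meta.get_field('first_name').max_length: return HttpResponseForbidden()`. When `request.user != userobj` it is also worth logging who renamed whom, because any holder of `review.can-review-extensions` can now rename any account (the view places no restriction on the target) and nothing records it. Separately, running `get_object_or_404` before the permission check lets any logged-in user tell existing pks from missing ones by the 404/403 difference; checking permission first, or answering both cases identically, closes that.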
diff --git a/sweettooth/static/js/main.js b/sweettooth/static/js/main.js
index 5ba1d4f..f424923 100644
--- a/sweettooth/static/js/main.js
+++ b/sweettooth/static/js/main.js
@@ -45,7 +45,10 @@ function($, messages, modal, hashParamUtils, templates) {
 
         $("time").timeago();
 
-        $("#new_display_name").csrfEditable('/accounts/change_display_name');
+        $("#new_display_name").each(function() {
+            var pk = $(this).data('pk');
+            $(this).csrfEditable('/accounts/change_display_name/' + pk);
+        });
 
         var $userPopupLink = $('#global_domain_bar .user');
         var $userPopup = $('#global_domain_bar .user_popup');
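Review bot: `'/accounts/change_display_name/' + pk` is built without checking that `data-pk` was present, so a page rendered without the attribute posts to `.../undefined` and every edit fails with a 404. A guard such as `if (pk === undefined) { return; }` before the `csrfEditable` call leaves the heading non-editable in that case instead. The enclosing function starts and ends outside the hunk.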

