From 1d02164e7c7c23bb6194d73aeddd215f0e638293 Mon Sep 17 00:00:00 2001
From: hernani
Date: Thu, 13 May 2010 22:10:07 +0000
Subject: [PATCH] Fix OSQA 33, allow users to see profile just as users see their own.
git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@267 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
 forum/skins/default/templates/users/edit.html | 10 +++++-----
 forum/skins/default/templates/users/info.html | 8 ++++----
 forum/skins/default/templates/users/tabs.html | 8 ++++----
 forum/urls.py | 2 +-
 forum/views/auth.py | 19 +++++++++----------
 forum/views/users.py | 8 +++++---
 6 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/forum/skins/default/templates/users/edit.html b/forum/skins/default/templates/users/edit.html
index bdd0921..e21bf32 100644
--- a/forum/skins/default/templates/users/edit.html
+++ b/forum/skins/default/templates/users/edit.html
@@ -30,13 +30,13 @@ {% endblock %} {% block content %}
- {{ request.user.username }} - {% trans "edit profile" %} + {{ user.username }} - {% trans "edit profile" %}
-
+
- {% if request.user.email %} - {% gravatar request.user 128 %} + {% if user.email %} + {% gravatar user 128 %} {% else %} {% endif %}
@@ -59,7 +59,7 @@ {% if form.username %} {{ form.username }} {{ form.username.errors }} {% else %} - {{ request.user.username }} + {{ user.username }} {% endif %}
diff --git a/forum/skins/default/templates/users/info.html b/forum/skins/default/templates/users/info.html
index 38cab07..728e7b3 100644
--- a/forum/skins/default/templates/users/info.html
+++ b/forum/skins/default/templates/users/info.html
@@ -35,17 +35,17 @@ {% endif %} - {% ifequal request.user view_user %} + {% if can_view_private %} {% joinitems using ' | ' %} - {% trans "update profile" %} + {% trans "update profile" %} {% separator %} - authentication settings + authentication settings {% endjoinitems %} - {% endifequal %} + {% endif %}

{% trans "Registered user" %}

diff --git a/forum/skins/default/templates/users/tabs.html b/forum/skins/default/templates/users/tabs.html
index 0e0bfb0..78d0c33 100644
--- a/forum/skins/default/templates/users/tabs.html
+++ b/forum/skins/default/templates/users/tabs.html
@@ -10,18 +10,18 @@ {% trans "reputation history" %} - {% ifequal request.user view_user %} + {% if can_view_private %} {% trans "casted votes" %} - {% endifequal %} + {% endif %} {% trans "favorites" %} - {% ifequal request.user view_user %} + {% if can_view_private %} {% trans "subscriptions" %} - {% endifequal %} + {% endif %}
{% endwith %}
diff --git a/forum/urls.py b/forum/urls.py
index d6f320a..0d47127 100644
--- a/forum/urls.py
+++ b/forum/urls.py
@@ -122,7 +122,7 @@ urlpatterns += patterns('',
 url(r'^%s%s(?P\d+)/(?P.+)/$' % (_('account/'), _('validate/')), app.auth.validate_email, name="auth_validate_email"),
 url(r'^%s%s$' % (_('account/'), _('tempsignin/')), app.auth.request_temp_login, name="auth_request_tempsignin"),
 url(r'^%s%s(?P\d+)/(?P.+)/$' % (_('account/'), _('tempsignin/')), app.auth.temp_signin, name="auth_tempsignin"),
- url(r'^%s%s$' % (_('account/'), _('authsettings/')), app.auth.auth_settings, name='user_authsettings'),
+ url(r'^%s(?P\d+)/%s$' % (_('account/'), _('authsettings/')), app.auth.auth_settings, name='user_authsettings'),
 url(r'^%s%s(?P\d+)/%s$' % (_('account/'), _('providers/'), _('remove/')), app.auth.remove_external_provider, name='user_remove_external_provider'),
 url(r'^%s%s%s$' % (_('account/'), _('providers/'), _('add/')), app.auth.signin_page, name='user_add_external_provider'),
diff --git a/forum/views/auth.py b/forum/views/auth.py
index e3c1e6c..55e7361 100644
--- a/forum/views/auth.py
+++ b/forum/views/auth.py
@@ -259,14 +259,12 @@ def validate_email(request, user, code):
 raise Http404()
 @login_required
-def auth_settings(request):
- """
- change password view.
+def auth_settings(request, id):
+ user_ = get_object_or_404(User, id=id)
+
+ if not (request.user.is_superuser or request.user == user_):
+ return HttpResponseForbidden()
- url : /changepw/
- template: authopenid/changepw.html
- """
- user_ = request.user
 auth_keys = user_.auth_keys.all()
 if user_.has_usable_password():
@@ -285,7 +283,7 @@ def auth_settings(request):
 user_.set_password(form.cleaned_data['password1'])
 user_.save()
- return HttpResponseRedirect(reverse('user_authsettings'))
+ return HttpResponseRedirect(reverse('user_authsettings', kwargs={'id': user_.id}))
 form = FormClass(user=user_)
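Review bot: The owner-or-superuser rule in `auth_settings` is spelled out inline, and the same expression appears again in `remove_external_provider`, `edit_user` and twice in `user_view` (the `private` guard and the new `can_view_private` value), so five copies of one access-control rule now have to be kept in step by hand. A shared helper such as `def can_manage(actor, target): return actor.is_superuser or actor == target`, called from each of those places, would give the rule a single definition. The hunk also drops the old docstring without replacing it; something like `"""Show and update the sign-in settings of the user with this id; only that user or a superuser may access it."""` would document the new contract. The body of `auth_settings` continues outside this hunk.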
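Review bot: `user_.set_password(...)` in the second auth.py hunk can now act on an account other than the requester's, because `user_` is looked up from the URL id and a superuser passes the new check, and nothing in the visible lines records who made the change. Whether the form still demands the account's current password is decided outside the hunk, so this needs confirming. If a superuser can set a password directly, an audit entry before the redirect, for example `logging.info("password of user %s changed by user %s", user_.id, request.user.id)` (assuming `logging` is available in this module), and a notice to the account owner would make such changes traceable.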
@@ -313,11 +311,12 @@ def auth_settings(request):
 def remove_external_provider(request, id):
 association = get_object_or_404(AuthKeyUserAssociation, id=id)
- if not association.user == request.user:
+ if not (request.user.is_superuser or request.user == association.user):
 return HttpResponseForbidden()
+ request.user.message_set.create(message=_("You removed the association with %s") % association.provider)
 association.delete()
- return HttpResponseRedirect(reverse('user_authsettings'))
+ return HttpResponseRedirect(reverse('user_authsettings', kwargs={'id': association.user.id}))
 def newquestion_signin_action(user):
 question = Question.objects.filter(author=user).order_by('-added_at')[0]
diff --git a/forum/views/users.py b/forum/views/users.py
index fe7d7ec..0f1c372 100644
--- a/forum/views/users.py
+++ b/forum/views/users.py
@@ -82,8 +82,8 @@ def set_new_email(user, new_email, nomessage=False):
 @login_required
 def edit_user(request, id):
 user = get_object_or_404(User, id=id)
- if request.user != user:
- raise Http404
+ if not (request.user.is_superuser or request.user == user):
+ return HttpResponseForbidden()
 if request.method == "POST":
 form = EditUserForm(user, request.POST)
 if form.is_valid():
@@ -108,6 +108,7 @@ def edit_user(request, id):
 else:
 form = EditUserForm(user)
 return render_to_response('users/edit.html', {
+ 'user': user,
 'form' : form,
 'gravatar_faq_url' : reverse('faq') + '#gravatar',
 }, context_instance=RequestContext(request))
@@ -118,7 +119,7 @@ def user_view(template, tab_name, tab_description, page_title, private=False):
 def decorator(fn):
 def decorated(request, id, slug=None):
 user = get_object_or_404(User, id=id)
- if private and not user == request.user:
+ if private and not (user == request.user or request.user.is_superuser):
 return HttpResponseForbidden()
 context = fn(request, user)
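Review bot: `remove_external_provider` deletes the association without any visible check of the request method, and with the superuser branch added here a forged cross-site request made in an administrator's session could remove a sign-in method from any account, not only the requester's own. Decorators above the `def` line are outside the hunk, so this may already be covered; if not, a guard at the top such as `if request.method != 'POST': return HttpResponseNotAllowed(['POST'])`, with the template switched to a form post that carries the CSRF token, closes it. The confirmation text "You removed the association with %s" also goes only to the acting user, so when a superuser removes someone else's provider the affected account gets no notice.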
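Review bot: The new `'user': user` entry in `edit_user`'s template context shadows the `user` variable that Django's auth context processor normally places in a `RequestContext`, because the dictionary passed to `render_to_response` takes precedence over it. If the base templates read `user` to show or gate things for the signed-in account (not visible here), a superuser editing another profile would have that page rendered against the edited account instead. Using the name the other profile templates already rely on, `'view_user': user,`, and `view_user` in edit.html would avoid the clash. The `edit_user` body starts and ends outside this hunk.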
@@ -128,6 +129,7 @@ def user_view(template, tab_name, tab_description, page_title, private=False):
 "tab_name" : tab_name,
 "tab_description" : tab_description,
 "page_title" : rev_page_title,
+ "can_view_private": (user == request.user) or request.user.is_superuser
 })
 return render_to_response(template, context, context_instance=RequestContext(request))
 return decorated
-- 
2.45.2