limit admin user editing power #116

2025-01-23 19:36:56 -08:00 · 2024-03-23 07:08:28 +13:00 · 2024-03-23 07:08:28 +13:00 · c374f65a27
commit c374f65a27
parent 2e2406c0d6
3 changed files with 22 additions and 71 deletions
--- a/app/admin/forms.py
+++ b/app/admin/forms.py
@ -167,26 +167,16 @@ class AddUserForm(FlaskForm):


 class EditUserForm(FlaskForm):
-    about = TextAreaField(_l('Bio'), validators=[Optional(), Length(min=3, max=5000)])
-    email = StringField(_l('Email address'), validators=[Optional(), Length(max=255)])
-    matrix_user_id = StringField(_l('Matrix User ID'), validators=[Optional(), Length(max=255)])
-    profile_file = FileField(_l('Avatar image'))
-    banner_file = FileField(_l('Top banner image'))
    bot = BooleanField(_l('This profile is a bot'))
    verified = BooleanField(_l('Email address is verified'))
    banned = BooleanField(_l('Banned'))
-    newsletter = BooleanField(_l('Subscribe to email newsletter'))
-    ignore_bots = BooleanField(_l('Hide posts by bots'))
-    nsfw = BooleanField(_l('Show NSFW posts'))
-    nsfl = BooleanField(_l('Show NSFL posts'))
-    searchable = BooleanField(_l('Show profile in user list'))
-    indexable = BooleanField(_l('Allow search engines to index this profile'))
-    manually_approves_followers = BooleanField(_l('Manually approve followers'))
    role_options = [(2, _l('User')),
               (3, _l('Staff')),
               (4, _l('Admin')),
               ]
    role = SelectField(_l('Role'), choices=role_options, default=2, coerce=int)
+    remove_avatar = BooleanField(_l('Remove avatar'))
+    remove_banner = BooleanField(_l('Remove banner'))
    submit = SubmitField(_l('Save'))


--- a/app/admin/routes.py
+++ b/app/admin/routes.py
@ -535,46 +535,20 @@ def admin_user_edit(user_id):
    form = EditUserForm()
    user = User.query.get_or_404(user_id)
    if form.validate_on_submit():
-        user.about = form.about.data
-        user.email = form.email.data
-        user.about_html = markdown_to_html(form.about.data)
-        user.matrix_user_id = form.matrix_user_id.data
        user.bot = form.bot.data
        user.verified = form.verified.data
        user.banned = form.banned.data
-        profile_file = request.files['profile_file']
-        if profile_file and profile_file.filename != '':
-            # remove old avatar
-            if user.avatar_id:
-                file = File.query.get(user.avatar_id)
-                file.delete_from_disk()
-                user.avatar_id = None
-                db.session.delete(file)
+        if form.remove_avatar.data and user.avatar_id:
+            file = File.query.get(user.avatar_id)
+            file.delete_from_disk()
+            user.avatar_id = None
+            db.session.delete(file)

-            # add new avatar
-            file = save_icon_file(profile_file, 'users')
-            if file:
-                user.avatar = file
-        banner_file = request.files['banner_file']
-        if banner_file and banner_file.filename != '':
-            # remove old cover
-            if user.cover_id:
-                file = File.query.get(user.cover_id)
-                file.delete_from_disk()
-                user.cover_id = None
-                db.session.delete(file)
-
-            # add new cover
-            file = save_banner_file(banner_file, 'users')
-            if file:
-                user.cover = file
-        user.newsletter = form.newsletter.data
-        user.ignore_bots = form.ignore_bots.data
-        user.show_nsfw = form.nsfw.data
-        user.show_nsfl = form.nsfl.data
-        user.searchable = form.searchable.data
-        user.indexable = form.indexable.data
-        user.ap_manually_approves_followers = form.manually_approves_followers.data
+        if form.remove_banner.data and user.cover_id:
+            file = File.query.get(user.cover_id)
+            file.delete_from_disk()
+            user.cover_id = None
+            db.session.delete(file)

        # Update user roles. The UI only lets the user choose 1 role but the DB structure allows for multiple roles per user.
        db.session.execute(text('DELETE FROM user_role WHERE user_id = :user_id'), {'user_id': user.id})
@ -589,19 +563,9 @@ def admin_user_edit(user_id):
    else:
        if not user.is_local():
            flash(_('This is a remote user - most settings here will be regularly overwritten with data from the original server.'), 'warning')
-        form.about.data = user.about
-        form.email.data = user.email
-        form.matrix_user_id.data = user.matrix_user_id
-        form.newsletter.data = user.newsletter
        form.bot.data = user.bot
        form.verified.data = user.verified
        form.banned.data = user.banned
-        form.ignore_bots.data = user.ignore_bots
-        form.nsfw.data = user.show_nsfw
-        form.nsfl.data = user.show_nsfl
-        form.searchable.data = user.searchable
-        form.indexable.data = user.indexable
-        form.manually_approves_followers.data = user.ap_manually_approves_followers
        if user.roles and user.roles.count() > 0:
            form.role.data = user.roles[0].id

--- a/app/templates/admin/edit_user.html
+++ b/app/templates/admin/edit_user.html
@ -17,29 +17,26 @@
        <h3>{{ _('Edit %(user_name)s (%(display_name)s)', user_name=user.user_name, display_name=user.display_name()) }}</h3>
        <form method="post" enctype="multipart/form-data" id="add_local_user_form">
            {{ form.csrf_token() }}
-            {{ render_field(form.about) }}
-            {{ render_field(form.email) }}
-            {{ render_field(form.matrix_user_id) }}
+            {{ user.about_html|safe if user.about_html }}
+            <p>Email: <a href="mailto:{{ user.email }}">{{ user.email }}</a></p>
+            <p>Matrix: {{ user.matrix_user_id if user.matrix_user_id }}</p>
            {% if user.avatar_id %}
                <img class="user_icon_big rounded-circle" src="{{ user.avatar_image() }}" width="120" height="120" />
            {% endif %}
-            {{ render_field(form.profile_file) }}
-            <small class="field_hint">Provide a square image that looks good when small.</small>
            {% if user.cover_id %}
                <a href="{{ user.cover_image() }}"><img class="user_icon_big" src="{{ user.cover_image() }}" style="width: 300px; height: auto;" /></a>
            {% endif %}
-            {{ render_field(form.banner_file) }}
-            <small class="field_hint">Provide a wide image - letterbox orientation.</small>
            {{ render_field(form.bot) }}
            {{ render_field(form.verified) }}
            {{ render_field(form.banned) }}
-            {{ render_field(form.newsletter) }}
-            {{ render_field(form.nsfw) }}
-            {{ render_field(form.nsfl) }}
-            {{ render_field(form.searchable) }}
-            {{ render_field(form.indexable) }}
-            {{ render_field(form.manually_approves_followers) }}
+            <p>receive newsletter: {{ user.newsletter }}</p>
+            <p>view nsfw: {{ user.nsfw }}</p>
+            <p>view nsfl: {{ user.nsfl }}</p>
+            <p>searchable: {{ user.searchable }}</p>
+            <p>indexable: {{ user.indexable }}</p>
            {{ render_field(form.role) }}
+            {{ render_field(form.remove_avatar) }}
+            {{ render_field(form.remove_banner) }}
            {{ render_field(form.submit) }}
        </form>
        <p class="mt-4">