From: Patrick Samson <pk.samson@gmail.com>
Date: Tue, 14 Aug 2012 22:28:06 +0000 (+0200)
Subject: Delete, Undelete or Archive actions on a thread must not affect non accepted received... 
X-Git-Tag: 2.0.0~2
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=f5c9612fdc4d89ba24b05efb7bf3e3eab50a9d8c;p=django-postman.git

Delete, Undelete or Archive actions on a thread must not affect non accepted received messages
---

diff --git a/postman/models.py b/postman/models.py
index a5e3a8f..5174af5 100644
--- a/postman/models.py
+++ b/postman/models.py
@@ -174,6 +174,18 @@ class MessageManager(models.Manager):
             (models.Q(recipient=user) & models.Q(moderation_status=STATUS_ACCEPTED)) | models.Q(sender=user),
         ).order_by('sent_at')
 
+    def as_recipient(self, user, filter):
+        """
+        Return messages matching a filter AND being visible to a user as the recipient.
+        """
+        return self.filter(filter, recipient=user, moderation_status=STATUS_ACCEPTED)
+
+    def as_sender(self, user, filter):
+        """
+        Return messages matching a filter AND being visible to a user as the sender.
+        """
+        return self.filter(filter, sender=user) # any status is fine
+
     def perms(self, user):
         """
         Return a field-lookups filter as a permission controller for a reply request.
diff --git a/postman/views.py b/postman/views.py
index fc66386..12ba197 100644
--- a/postman/views.py
+++ b/postman/views.py
@@ -270,10 +270,10 @@ def _update(request, field_bit, success_msg, field_value=None, success_url=None)
     pks = request.POST.getlist('pks')
     tpks = request.POST.getlist('tpks')
     if pks or tpks:
-        queryset = Message.objects.filter(Q(pk__in=pks) | Q(thread__in=tpks))
         user = request.user
-        recipient_rows = queryset.filter(recipient=user).update(**{'recipient_{0}'.format(field_bit): field_value})
-        sender_rows = queryset.filter(sender=user).update(**{'sender_{0}'.format(field_bit): field_value})
+        filter = Q(pk__in=pks) | Q(thread__in=tpks)
+        recipient_rows = Message.objects.as_recipient(user, filter).update(**{'recipient_{0}'.format(field_bit): field_value})
+        sender_rows = Message.objects.as_sender(user, filter).update(**{'sender_{0}'.format(field_bit): field_value})
         if not (recipient_rows or sender_rows):
             raise Http404 # abnormal enough, like forged ids
         messages.success(request, success_msg, fail_silently=True)