From e6d4c7aaa84bb4faa19c95d86eb419589a13953a Mon Sep 17 00:00:00 2001
From: Alexey Bezhan <al@fueledbylemons.com>
Date: Thu, 28 Mar 2019 16:10:00 +0000
Subject: [PATCH] Don't link folders in the folder path if user doesn't have
 permission

This updates folder_path macro to not link to any folders that
the user doesn't have permission for.
---
 app/templates/components/folder-path.html       | 17 ++++++++++++++---
 app/templates/views/templates/choose-reply.html |  2 +-
 app/templates/views/templates/choose.html       |  1 +
 app/templates/views/templates/copy.html         |  2 +-
 .../views/templates/manage-template-folder.html |  1 +
 app/templates/views/templates/template.html     |  1 +
 6 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/app/templates/components/folder-path.html b/app/templates/components/folder-path.html
index 395b43e39..8d25b1b9a 100644
--- a/app/templates/components/folder-path.html
+++ b/app/templates/components/folder-path.html
@@ -2,6 +2,7 @@
   folders,
   service_id,
   template_type,
+  current_user,
   fallback_page_title=None,
   show_fallback_page_title=False,
   link_current_item=False
@@ -21,7 +22,11 @@
           {% endif %}
         {% else %}
           {% if folder.id %}
-            <a href="{{ url_for('.choose_template', service_id=service_id, template_type=template_type, template_folder_id=folder.id) }}" class="folder-heading-folder {% if loop.index < (loop.length - 1) %}folder-heading-folder-truncated{% endif %}" title="{{ folder.name }}">{{ folder.name }}</a>
+            {% if current_user.has_template_folder_permission(folder) %}
+              <a href="{{ url_for('.choose_template', service_id=service_id, template_type=template_type, template_folder_id=folder.id) }}" class="folder-heading-folder {% if loop.index < (loop.length - 1) %}folder-heading-folder-truncated{% endif %}" title="{{ folder.name }}">{{ folder.name }}</a>
+            {% else %}
+              <span class="folder-heading-folder">{{ folder.name }}</span>
+            {% endif %}
           {% else %}
             <a href="{{ url_for('.choose_template', service_id=service_id, template_type=template_type) }}" title="Templates" class="{% if loop.length > 2 %}folder-heading-folder-root-truncated{% endif %}">Templates</a>
           {% endif %}
@@ -36,7 +41,8 @@
 {% macro copy_folder_path(
   folder_path,
   current_service_id,
-  from_service
+  from_service,
+  current_user
 ) %}
   {% if folder_path %}
     <h2 class="heading-medium folder-heading">
@@ -51,7 +57,12 @@
           </span>
         {% else %}
           {% if folder.id %}
-            <a href="{{ url_for('.choose_template_to_copy', service_id=current_service_id, from_service=from_service.id, from_folder=folder.id) }}" class="folder-heading-folder">{{ folder.name }}</a> {% if not loop.last %}{{ folder_path_separator() }}{% endif %}
+            {% if current_user.has_template_folder_permission(folder) %}
+              <a href="{{ url_for('.choose_template_to_copy', service_id=current_service_id, from_service=from_service.id, from_folder=folder.id) }}" class="folder-heading-folder">{{ folder.name }}</a>
+             {% else %}
+              <span class="folder-heading-folder">{{ folder.name }}</span>
+            {% endif %}
+            {% if not loop.last %}{{ folder_path_separator() }}{% endif %}
           {% elif folder.parent_id == None %}
             <a href="{{ url_for('.choose_template_to_copy', service_id=current_service_id, from_service=from_service.id, from_folder=folder.id) }}" class="folder-heading-folder">{{ from_service.name }}</a> {% if not loop.last %}{{ folder_path_separator() }}{% endif %}
           {% else %}
diff --git a/app/templates/views/templates/choose-reply.html b/app/templates/views/templates/choose-reply.html
index 23b5a68bf..caf762338 100644
--- a/app/templates/views/templates/choose-reply.html
+++ b/app/templates/views/templates/choose-reply.html
@@ -14,7 +14,7 @@
 
 <div class="bottom-gutter-1-2">
   <h1 class="heading-large">Choose a template</h1>
-  {{ folder_path(template_folder_path, current_service.id, template_type) }}
+  {{ folder_path(template_folder_path, current_service.id, template_type, current_user) }}
 </div>
 
   {% if not templates_and_folders.templates_to_show %}
diff --git a/app/templates/views/templates/choose.html b/app/templates/views/templates/choose.html
index 8fe4a7e0c..4e0e22283 100644
--- a/app/templates/views/templates/choose.html
+++ b/app/templates/views/templates/choose.html
@@ -53,6 +53,7 @@
           folders=template_folder_path,
           service_id=current_service.id,
           template_type=template_type,
+          current_user=current_user,
           fallback_page_title=page_title,
           show_fallback_page_title=not current_service.all_template_folders
         ) }}
diff --git a/app/templates/views/templates/copy.html b/app/templates/views/templates/copy.html
index cadaf4059..22a5aee6e 100644
--- a/app/templates/views/templates/copy.html
+++ b/app/templates/views/templates/copy.html
@@ -11,7 +11,7 @@
 
     <div class="bottom-gutter-1-2">
       <h1 class="heading-large">Copy an existing template</h1>
-      {{ copy_folder_path(template_folder_path, current_service.id, from_service) }}
+      {{ copy_folder_path(template_folder_path, current_service.id, from_service, current_user) }}
     </div>
     {% if not services_templates_and_folders.templates_to_show %}
       <p class="template-list-empty">
diff --git a/app/templates/views/templates/manage-template-folder.html b/app/templates/views/templates/manage-template-folder.html
index 43dee3dad..457676a1b 100644
--- a/app/templates/views/templates/manage-template-folder.html
+++ b/app/templates/views/templates/manage-template-folder.html
@@ -17,6 +17,7 @@
         folders=template_folder_path,
         service_id=current_service.id,
         template_type='all',
+        current_user=current_user,
         link_current_item=True
       ) }}
     </div>
diff --git a/app/templates/views/templates/template.html b/app/templates/views/templates/template.html
index 00ace816e..e47e316e9 100644
--- a/app/templates/views/templates/template.html
+++ b/app/templates/views/templates/template.html
@@ -35,6 +35,7 @@
           folders=current_service.get_template_path(template._template),
           service_id=current_service.id,
           template_type='all',
+          current_user=current_user,
           fallback_page_title=template.name,
           show_fallback_page_title=not current_service.all_template_folders
         ) }}