From 71937f5c4dc246f27a05145ebb47d0d5d945d994 Mon Sep 17 00:00:00 2001 From: krek0 Date: Mon, 20 Apr 2026 22:56:05 +0200 Subject: [PATCH] Allow photo owners to delete their own photos --- .../static/lightgallery/plugins/admin/lg-admin.js | 7 ++++++- photologue/templates/photologue/gallery_detail.html | 3 ++- photologue/views.py | 10 ++++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/photologue/static/lightgallery/plugins/admin/lg-admin.js b/photologue/static/lightgallery/plugins/admin/lg-admin.js index 8b83e33..19b8ca4 100644 --- a/photologue/static/lightgallery/plugins/admin/lg-admin.js +++ b/photologue/static/lightgallery/plugins/admin/lg-admin.js @@ -11,6 +11,7 @@ class lgAdmin { this.core = instance; this.$LG = $LG; this.isStaff = document.querySelector('[name=is_staff]').value === "true"; + this.userId = document.querySelector('[name=user_id]').value; this.csrfToken = document.querySelector('[name=csrfmiddlewaretoken]').value; this.photoId = 0; return this; @@ -27,7 +28,7 @@ class lgAdmin { // Add button to delete photo this.core.$toolbar.append(`${deleteIcon}`); - document.getElementById("lg-delete").style.display = this.isStaff ? 'block' : 'none'; + document.getElementById("lg-delete").style.display = 'none'; document.getElementById("lg-delete").addEventListener('click', this.onDelete.bind(this)); // Add button to report photo @@ -41,6 +42,10 @@ class lgAdmin { onAfterSlide(event) { this.photoId = this.core.galleryItems[event.detail.index].slideName; document.getElementById("lg-admin").href = `/admin/photologue/photo/${this.photoId}/change/`; + const el = document.querySelector(`[data-slide-name='${this.photoId}']`); + const ownerId = el ? el.dataset.ownerId : null; + const canDelete = this.isStaff || (ownerId && ownerId === this.userId); + document.getElementById("lg-delete").style.display = canDelete ? 'block' : 'none'; } // Event called when user click on delete button 
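Review bot: `document.querySelector('[name=user_id]').value` in the constructor throws a TypeError when the page has no `user_id` field, which aborts the plugin's construction. Only gallery_detail.html gains that field in this patch, so any other template that loads lg-admin.js (none is visible here) would break. `this.userId = document.querySelector('[name=user_id]')?.value ?? null;` keeps the constructor safe, and the later `ownerId === this.userId` comparison then fails closed for non-staff users. The constructor starts outside the hunk.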
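Review bot: The selector added to `onAfterSlide` interpolates `this.photoId` directly into `[data-slide-name='…']`, so if a slide name ever contains a quote or bracket, `querySelector` throws and the delete button keeps the visibility it had on the previous slide. Using `CSS.escape(this.photoId)` inside the template literal avoids that. The values compared here (the `user_id` input and `data-owner-id`) can be edited in the DOM, so this block only decides button visibility; a comment such as `// UI hint only: the server re-checks ownership on delete` would make that explicit. `this.isStaff` also shows the button to all staff, while views.py checks the `photologue.delete_photo` permission, so staff without that permission would presumably see a button that returns 403.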
diff --git a/photologue/templates/photologue/gallery_detail.html b/photologue/templates/photologue/gallery_detail.html index c317ff2..9771b23 100644 --- a/photologue/templates/photologue/gallery_detail.html +++ b/photologue/templates/photologue/gallery_detail.html @@ -18,6 +18,7 @@ SPDX-License-Identifier: GPL-3.0-or-later {# Javascript code fetches CSRF token from HTML #} {% csrf_token %} + @@ -87,7 +88,7 @@ SPDX-License-Identifier: GPL-3.0-or-later {% endif %}
{% for photo in photos %} - + {{ photo.title }}{% if photo.date_taken %} - {{ photo.date_taken|date }} {{ photo.date_taken|time }}{% endif %}{% if photo.owner.get_full_name %} - {{ photo.owner.get_full_name }}{% else %} - {{ photo.owner.username }}{% endif %}{% if photo.license %} - {{ photo.license }}{% endif %}{% if not photo.is_public %} - !PRIVATE!{% endif %} {% endfor %} diff --git a/photologue/views.py b/photologue/views.py index b0081f5..ba7eeea 100644 --- a/photologue/views.py +++ b/photologue/views.py @@ -77,9 +77,15 @@ class PhotoDetailView(LoginRequiredMixin, DetailView): return qs.filter(is_public=True) -class PhotoDeleteView(PermissionRequiredMixin, DeleteView): +class PhotoDeleteView(LoginRequiredMixin, DeleteView): model = Photo - permission_required = "photologue.delete_photo" + + def get_object(self, queryset=None): + obj = super().get_object(queryset) + if obj.owner != self.request.user and not self.request.user.has_perm("photologue.delete_photo"): + from django.core.exceptions import PermissionDenied + raise PermissionDenied + return obj def get_success_url(self): galleries = self.object.galleries.all()
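Review bot: With `PermissionRequiredMixin` removed, the check in `PhotoDeleteView.get_object` is the view's only authorization gate, and nothing in the hunk documents that. A docstring such as `"""Return the photo only if the requester owns it or holds photologue.delete_photo; raise PermissionDenied otherwise."""` would warn anyone who later overrides or bypasses `get_object`. The `from django.core.exceptions import PermissionDenied` inside the `if` belongs with the module-level imports at the top of views.py, which are not visible in this hunk. Because the lookup runs on the view's default queryset, a non-owner gets 403 for an existing photo and 404 for a missing one; narrowing `get_queryset` to the requester's photos (unless they hold the permission) would return 404 in both cases if hiding photo ids matters here. `get_success_url` continues outside the hunk.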