Ensure colorbars can't escape their containers. #352
[zzz-spline-users.git] / splinext / users / controllers / users.py
index dac037b..4f46179 100644 (file)
@@ -4,7 +4,8 @@ import unicodedata
 from wtforms import Form, ValidationError, fields, validators, widgets
 
 from pylons import config, request, response, session, tmpl_context as c, url
-from pylons.controllers.util import abort, redirect_to
+from pylons.controllers.util import abort, redirect
+from pylons.decorators.secure import authenticate_form
 from routes import request_config
 from sqlalchemy.orm.exc import NoResultFound
 
@@ -73,7 +74,24 @@ class UsersController(BaseController):
             name=c.page_user.name,
         )
 
-        if request.method != 'POST' or not c.form.validate():
+        return render('/users/profile_edit.mako')
+
+    @authenticate_form
+    def profile_edit_commit(self, id, name=None):
+        """Save profile changes."""
+        c.page_user = meta.Session.query(users_model.User).get(id)
+        if not c.page_user:
+            abort(404)
+
+        # XXX could use some real permissions
+        if c.page_user != c.user:
+            abort(403)
+
+        c.form = ProfileEditForm(request.params,
+            name=c.page_user.name,
+        )
+
+        if not c.form.validate():
             return render('/users/profile_edit.mako')
 
 
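Review bot: `profile_edit_commit` drops the old `request.method != 'POST'` guard without a replacement in this hunk, and it builds the form from `request.params`, which merges query-string and POST values. Depending on the Pylons version, `authenticate_form` may also accept the token from the query string, so a state-changing request could arrive as a GET and carry the token into URLs, access logs and Referer headers. Consider restricting the action to POST, e.g. `@restrict('POST')` from `pylons.decorators.rest` next to `@authenticate_form`, and reading `ProfileEditForm(request.POST, name=c.page_user.name)`. The template that renders the form is not visible here and must emit the matching token field, otherwise every save is rejected. The method body continues past the end of this hunk.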
@@ -84,6 +102,8 @@ class UsersController(BaseController):
 
         h.flash('Saved your profile.', icon='tick')
 
-        redirect_to(controller='users', action='profile',
-                    id=c.page_user.id, name=c.page_user.name,
-                    _code=303)
+        redirect(
+            url(controller='users', action='profile',
+                id=c.page_user.id, name=c.page_user.name),
+            code=303,
+        )