always return 403 to POST requests

- POST requests need to receive a 403 error code
- minor wording updates

bookwyrm/templates/403.html

@@ -8,8 +8,8 @@
 <div class="block">
     <h1 class="title">{% trans "Permission Denied" %}</h1>
     {% blocktrans trimmed with level=request.user|get_user_permission %}
-    <p class="content">You do not have permission to view this page. Your user permission level is <code>{{ level }}</code>.</p>
-    <p class="content">If you think you should have access to this page, please speak to your BookWyrm server administrator.</p>
+    <p class="content">You do not have permission to view this page or perform this action. Your user permission level is <code>{{ level }}</code>.</p>
+    <p class="content">If you think you should have access, please speak to your BookWyrm server administrator.</p>
     {% endblocktrans %}
 </div>
 {% endblock %}

bookwyrm/templatetags/utilities.py

@@ -131,4 +131,4 @@ def id_to_username(user_id):
 def get_user_permission(user):
     """given a user, return their permission level"""
 
-    return user.groups.first() if user.groups.first() else "User"
+    return user.groups.first() or "User"

bookwyrm/views/permission_denied.py

@@ -1,8 +1,15 @@
 """custom 403 handler to enable context processors"""
+
+from django.http import HttpResponse
 from django.template.response import TemplateResponse
 
+from .helpers import is_api_request
+
 
 def permission_denied(request, exception):  # pylint: disable=unused-argument
     """permission denied page"""
 
+    if request.method == "POST" or is_api_request(request):
+        return HttpResponse(status=403)
+
     return TemplateResponse(request, "403.html")