From 333a7ec5ec8543dc7f14ff72a609b5eab2002ff9 Mon Sep 17 00:00:00 2001
From: Feliciaan De Palmenaer <feliciaan@de-palmenaer.eu>
Date: Thu, 4 Jun 2015 19:13:09 +0200
Subject: [PATCH 1/2] spacing

---
 app/views/order.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/order.py b/app/views/order.py
index de92b92..301cbb5 100644
--- a/app/views/order.py
+++ b/app/views/order.py
@@ -63,6 +63,7 @@ def order_edit(id):
         return redirect(url_for('.order', id=order.id))
     return render_template('order_edit.html', form=orderForm, order_id=id)
 
+
 @order_bp.route('/<id>/create', methods=['POST'])
 def order_item_create(id):
     current_order = Order.query.filter(Order.id == id).first()
@@ -90,7 +91,6 @@ def order_item_create(id):
     return order(id, form=form)
 
 
-
 @order_bp.route('/<order_id>/<item_id>/delete')
 def delete_item(order_id, item_id):
     item = OrderItem.query.filter(OrderItem.id == item_id).first()

From 3d5f6ef1ae27a4662c07b2977065fbcd34189804 Mon Sep 17 00:00:00 2001
From: Feliciaan De Palmenaer <feliciaan@de-palmenaer.eu>
Date: Thu, 4 Jun 2015 21:36:57 +0200
Subject: [PATCH 2/2] Check if user is allowed to edit

---
 app/views/order.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/views/order.py b/app/views/order.py
index 301cbb5..e6f056b 100644
--- a/app/views/order.py
+++ b/app/views/order.py
@@ -53,6 +53,8 @@ def order(id, form=None):
 @login_required
 def order_edit(id):
     order = Order.query.filter(Order.id == id).first()
+    if current_user.id is not order.courrier_id and not current_user.is_admin():
+        abort(401)
     if order is None:
         abort(404)
     orderForm = OrderForm(obj=order)