Hide buttons for which user has no permission

2022-05-02 21:56:38 +02:00 · 2022-05-02 21:56:38 +02:00 · 85d8892176
parent c35d107502
commit 85d8892176
3 changed files with 21 additions and 11 deletions
--- a/app/models/order.py
+++ b/app/models/order.py
@ -114,3 +114,17 @@ class Order(db.Model):
        if self.courier_id == user_id or (user and user.is_admin()):
            return True
        return False
+
+    def can_modify_prices(self, user_id: int) -> bool:
+        if not self.is_closed():
+            return False
+        if user_id is None:
+            return False
+        if self.courier_id == user_id:
+            return True
+        user = User.query.filter_by(id=user_id).first()
+        return user and user.is_admin()
+
+    def can_modify_payment(self, user_id: int) -> bool:
+        user = User.query.filter_by(id=user_id).first()
+        return user and (user.is_admin() or user == self.order.courier)
--- a/app/templates/order.html
+++ b/app/templates/order.html
@ -290,9 +290,9 @@
 							{{ order_items | map(attribute="price") | sum | euro }}
 						</span>

-						{% if paid %}<span class="glyphicon glyphicon-ok"></span>{% endif %}
+						{% if paid %}<span class="glyphicon glyphicon-ok" style="opacity: 0.5"></span>{% endif %}
 					</td>
-					<td>{{ user_name }}</td>
+					<td style="{{ 'opacity: 0.5' if paid }}">{{ user_name }}</td>
 					<td class="items">
 						<ul>
 						{% for item in order_items %}
@ -325,11 +325,13 @@
 		</table>

 		<div class="footer">
+			{% if order.can_modify_payment(current_user.id) %}
 			On selected:
 			<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
 			<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
+			{% endif %}

-			{% if order.is_closed() %}
+			{% if order.can_modify_prices(current_user.id) %}
 				&nbsp; <span style="border-left: 1px solid var(--gray0); display: inline-block;">&nbsp;</span>&nbsp;
 				<a href="{{ url_for('order_bp.prices', order_id=order.id) }}" class="btn btn-sm">
 					<span class="glyphicon glyphicon-pencil"></span>  Edit prices
--- a/app/views/order.py
+++ b/app/views/order.py
@ -330,14 +330,8 @@ def prices(order_id: int) -> typing.Optional[Response]:
    order = Order.query.filter(Order.id == order_id).first()
    if order is None:
        abort(404)
-    if (
-            current_user.is_anonymous() or
-            not (current_user.is_admin() or current_user.id == order.courier_id)
-    ):
-        flash("Only the courier can edit prices.", "error")
-        return redirect(url_for("order_bp.order_from_id", order_id=order_id))
-    if not order.is_closed():
-        flash("Cannot modify prices until the order is closed.", "error")
+    if not order.can_modify_prices(current_user.id):
+        flash("You cannot modify the prices at this time.", "error")
        return redirect(url_for("order_bp.order_from_id", order_id=order_id))

    if request.method == "GET":