Hide buttons for which user has no permission

Midgard 2022-05-02 21:56:38 +02:00
parent c35d107502
commit 85d8892176
Signed by: midgard
GPG key ID: 511C112F1331BBB4
3 changed files with 21 additions and 11 deletions


@ -114,3 +114,17 @@ class Order(db.Model):
if self.courier_id == user_id or (user and user.is_admin()):
return True
return False
def can_modify_prices(self, user_id: int) -> bool:
if not self.is_closed():
return False
if user_id is None:
return False
if self.courier_id == user_id:
return True
user = User.query.filter_by(id=user_id).first()
return user and user.is_admin()
def can_modify_payment(self, user_id: int) -> bool:
user = User.query.filter_by(id=user_id).first()
return user and (user.is_admin() or user == self.order.courier)
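Review bot: `can_modify_payment` dereferences `self.order.courier`, but the hunk header places the method on `Order` itself, where the sibling checks use `self.courier_id`. Unless `Order` has an `order` attribute defined outside this hunk, a non-admin caller would hit an AttributeError instead of getting a permission decision. If that is the case, `return bool(user and (user.is_admin() or user.id == self.courier_id))` keeps the check consistent with `can_modify_prices`. Both new methods are annotated `-> bool` but return `None` when no user row matches, so wrapping the result in `bool(...)` would make the authorization result unambiguous. A one-line docstring on each method stating who is allowed, and in which order state, would also help.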


@ -290,9 +290,9 @@
{{ order_items | map(attribute="price") | sum | euro }}
</span>
{% if paid %}<span class="glyphicon glyphicon-ok"></span>{% endif %}
{% if paid %}<span class="glyphicon glyphicon-ok" style="opacity: 0.5"></span>{% endif %}
</td>
<td>{{ user_name }}</td>
<td style="{{ 'opacity: 0.5' if paid }}">{{ user_name }}</td>
<td class="items">
<ul>
{% for item in order_items %}
@ -325,11 +325,13 @@
</table>
<div class="footer">
{% if order.can_modify_payment(current_user.id) %}
On selected:
<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
{% endif %}
{% if order.is_closed() %}
{% if order.can_modify_prices(current_user.id) %}
&nbsp; <span style="border-left: 1px solid var(--gray0); display: inline-block;">&nbsp;</span>&nbsp;
<a href="{{ url_for('order_bp.prices', order_id=order.id) }}" class="btn btn-sm">
<span class="glyphicon glyphicon-pencil"></span> Edit prices
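Review bot: Wrapping the `mark_paid` / `mark_unpaid` buttons in `{% if order.can_modify_payment(current_user.id) %}` only hides the controls; a client that never renders them can still submit the form action. The view-side change in this commit covers `prices` only. It is worth confirming that the handler for `action=mark_paid` / `mark_unpaid` (not shown here) calls `order.can_modify_payment(current_user.id)` and rejects the request otherwise. A template comment such as `{# UI hint only; the view enforces can_modify_payment #}` would record that the template condition is not the access control.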


@ -330,14 +330,8 @@ def prices(order_id: int) -> typing.Optional[Response]:
order = Order.query.filter(Order.id == order_id).first()
if order is None:
abort(404)
if (
current_user.is_anonymous() or
not (current_user.is_admin() or current_user.id == order.courier_id)
):
flash("Only the courier can edit prices.", "error")
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
if not order.is_closed():
flash("Cannot modify prices until the order is closed.", "error")
if not order.can_modify_prices(current_user.id):
flash("You cannot modify the prices at this time.", "error")
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
if request.method == "GET":
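Review bot: The removed `current_user.is_anonymous()` guard is now only implicit: `order.can_modify_prices(current_user.id)` rejects an unauthenticated visitor only if the anonymous user object exposes `id` as `None`. If that object has no `id` attribute, this line raises instead of redirecting. Keeping the guard explicit, `if current_user.is_anonymous() or not order.can_modify_prices(current_user.id):`, avoids depending on that. The check does sit before the `request.method == "GET"` branch, so it applies to both methods; `prices` continues outside the hunk.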