Hide buttons for which user has no permission
This commit is contained in:
parent
c35d107502
commit
85d8892176
3 changed files with 21 additions and 11 deletions
|
@ -114,3 +114,17 @@ class Order(db.Model):
|
||||||
if self.courier_id == user_id or (user and user.is_admin()):
|
if self.courier_id == user_id or (user and user.is_admin()):
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
def can_modify_prices(self, user_id: int) -> bool:
|
||||||
|
if not self.is_closed():
|
||||||
|
return False
|
||||||
|
if user_id is None:
|
||||||
|
return False
|
||||||
|
if self.courier_id == user_id:
|
||||||
|
return True
|
||||||
|
user = User.query.filter_by(id=user_id).first()
|
||||||
|
return user and user.is_admin()
|
||||||
|
|
||||||
|
def can_modify_payment(self, user_id: int) -> bool:
|
||||||
|
user = User.query.filter_by(id=user_id).first()
|
||||||
|
return user and (user.is_admin() or user == self.order.courier)
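Review bot: `can_modify_payment` dereferences `self.order.courier`, but this method is defined on `Order` itself (the hunk header shows `class Order(db.Model)`), so unless `Order` carries an `order` relationship that the hunk does not show, every call will raise `AttributeError` and the template footer that now calls it will fail with a 500. The sibling `can_modify_prices` above compares `self.courier_id == user_id` and short-circuits before querying, so the payment check should follow the same pattern, guard `user_id is None` (an anonymous visitor has no row, and `filter_by(id=None)` is a wasted query), and return a real `bool` to match the annotation instead of a possibly-`None` truthy chain. These helpers are authorization decisions, not just display hints, so the request handler that processes `action=mark_paid` / `mark_unpaid` must call `can_modify_payment` as well — hiding the button, which is all the commit title claims, does not stop a hand-crafted POST.
```python
def can_modify_payment(self, user_id: int) -> bool:
    # Same contract as can_modify_prices minus the is_closed() gate:
    # only this order's courier or an admin may mark items paid/unpaid.
    if user_id is None:
        return False
    if self.courier_id == user_id:
        return True
    user = User.query.filter_by(id=user_id).first()
    return bool(user and user.is_admin())
```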
|
||||||
|
|
|
@ -290,9 +290,9 @@
|
||||||
{{ order_items | map(attribute="price") | sum | euro }}
|
{{ order_items | map(attribute="price") | sum | euro }}
|
||||||
</span>
|
</span>
|
||||||
|
|
||||||
{% if paid %}<span class="glyphicon glyphicon-ok"></span>{% endif %}
|
{% if paid %}<span class="glyphicon glyphicon-ok" style="opacity: 0.5"></span>{% endif %}
|
||||||
</td>
|
</td>
|
||||||
<td>{{ user_name }}</td>
|
<td style="{{ 'opacity: 0.5' if paid }}">{{ user_name }}</td>
|
||||||
<td class="items">
|
<td class="items">
|
||||||
<ul>
|
<ul>
|
||||||
{% for item in order_items %}
|
{% for item in order_items %}
|
||||||
|
@ -325,11 +325,13 @@
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<div class="footer">
|
<div class="footer">
|
||||||
|
{% if order.can_modify_payment(current_user.id) %}
|
||||||
On selected:
|
On selected:
|
||||||
<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
|
<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
|
||||||
<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
|
<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if order.is_closed() %}
|
{% if order.can_modify_prices(current_user.id) %}
|
||||||
<span style="border-left: 1px solid var(--gray0); display: inline-block;"> </span>
|
<span style="border-left: 1px solid var(--gray0); display: inline-block;"> </span>
|
||||||
<a href="{{ url_for('order_bp.prices', order_id=order.id) }}" class="btn btn-sm">
|
<a href="{{ url_for('order_bp.prices', order_id=order.id) }}" class="btn btn-sm">
|
||||||
<span class="glyphicon glyphicon-pencil"></span> Edit prices
|
<span class="glyphicon glyphicon-pencil"></span> Edit prices
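Review bot: The new `{% if order.can_modify_payment(current_user.id) %}` only hides the Mark paid / Mark unpaid buttons; nothing in this commit shows the handler behind `action=mark_paid` / `mark_unpaid` applying the same check, so a user who submits the form by hand still reaches it unless that handler is guarded — the `prices` route in this same commit does enforce its check server-side, and the payment action should match. Both new conditions also read `current_user.id` directly; if this page is reachable without login and `current_user` is Flask-Login's default anonymous user, that attribute access raises rather than yielding `None`, so consider `{% if not current_user.is_anonymous() and order.can_modify_payment(current_user.id) %}` (the codebase already calls `is_anonymous()` as a method elsewhere in this commit) or resolving the id once in the view. Replacing `order.is_closed()` with `order.can_modify_prices(current_user.id)` is sound, since the helper performs the `is_closed()` test itself before looking at the user.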
|
||||||
|
|
|
@ -330,14 +330,8 @@ def prices(order_id: int) -> typing.Optional[Response]:
|
||||||
order = Order.query.filter(Order.id == order_id).first()
|
order = Order.query.filter(Order.id == order_id).first()
|
||||||
if order is None:
|
if order is None:
|
||||||
abort(404)
|
abort(404)
|
||||||
if (
|
if not order.can_modify_prices(current_user.id):
|
||||||
current_user.is_anonymous() or
|
flash("You cannot modify the prices at this time.", "error")
|
||||||
not (current_user.is_admin() or current_user.id == order.courier_id)
|
|
||||||
):
|
|
||||||
flash("Only the courier can edit prices.", "error")
|
|
||||||
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
|
|
||||||
if not order.is_closed():
|
|
||||||
flash("Cannot modify prices until the order is closed.", "error")
|
|
||||||
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
|
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
|
||||||
|
|
||||||
if request.method == "GET":
|
if request.method == "GET":
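Review bot: Collapsing the old guard into `if not order.can_modify_prices(current_user.id):` drops the `current_user.is_anonymous()` test that the removed lines ran first; `can_modify_prices` tolerates `user_id is None`, but evaluating `current_user.id` on Flask-Login's default anonymous user raises `AttributeError` before the helper is called, so an unauthenticated visitor would get a 500 instead of the flash-and-redirect — unless this view sits behind `login_required` or a custom anonymous user class, neither of which is visible in the hunk. Restoring the old order of tests is a one-line change: `if current_user.is_anonymous() or not order.can_modify_prices(current_user.id):`. The single message `"You cannot modify the prices at this time."` is a reasonable merge, since a caller who is not entitled gains nothing from learning whether the reason was "not the courier" or "order still open". The body of `prices` continues past the hunk.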
|
||||||
|
|