Hide buttons for which user has no permission
parent
c35d107502
commit
85d8892176
3 changed files with 21 additions and 11 deletions
@ -114,3 +114,17 @@ class Order(db.Model):
|
|||
if self.courier_id == user_id or (user and user.is_admin()):
|
||||
return True
|
||||
return False
|
||||
|
||||
def can_modify_prices(self, user_id: int) -> bool:
|
||||
if not self.is_closed():
|
||||
return False
|
||||
if user_id is None:
|
||||
return False
|
||||
if self.courier_id == user_id:
|
||||
return True
|
||||
user = User.query.filter_by(id=user_id).first()
|
||||
return user and user.is_admin()
|
||||
|
||||
def can_modify_payment(self, user_id: int) -> bool:
|
||||
user = User.query.filter_by(id=user_id).first()
|
||||
return user and (user.is_admin() or user == self.order.courier)
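Review bot: `can_modify_payment` reads `self.order.courier`, but `self` is the `Order` itself (the hunk header shows `class Order(db.Model)`) and its sibling `can_modify_prices` compares against `self.courier_id`; unless `Order` really has an `order` attribute, this raises `AttributeError` the first time the template evaluates it. The method also returns `user and ...`, which yields `None` or a `User` object rather than the annotated `bool`, and it lacks the `user_id is None` guard its sibling has. Suggested body: `return bool(user is not None and (user.is_admin() or self.courier_id == user_id))`. The enclosing class continues outside the hunk.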
@ -290,9 +290,9 @@
|
|||
{{ order_items | map(attribute="price") | sum | euro }}
|
||||
</span>
|
||||
|
||||
{% if paid %}<span class="glyphicon glyphicon-ok"></span>{% endif %}
|
||||
{% if paid %}<span class="glyphicon glyphicon-ok" style="opacity: 0.5"></span>{% endif %}
|
||||
</td>
|
||||
<td>{{ user_name }}</td>
|
||||
<td style="{{ 'opacity: 0.5' if paid }}">{{ user_name }}</td>
|
||||
<td class="items">
|
||||
<ul>
|
||||
{% for item in order_items %}
@ -325,11 +325,13 @@
|
|||
</table>
|
||||
|
||||
<div class="footer">
|
||||
{% if order.can_modify_payment(current_user.id) %}
|
||||
On selected:
|
||||
<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
|
||||
<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
|
||||
{% endif %}
|
||||
|
||||
{% if order.is_closed() %}
|
||||
{% if order.can_modify_prices(current_user.id) %}
|
||||
<span style="border-left: 1px solid var(--gray0); display: inline-block;"> </span>
|
||||
<a href="{{ url_for('order_bp.prices', order_id=order.id) }}" class="btn btn-sm">
|
||||
<span class="glyphicon glyphicon-pencil"></span> Edit prices
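Review bot: The new `{% if order.can_modify_payment(current_user.id) %}` guard around the mark_paid/mark_unpaid buttons only hides them; the handler that processes `action=mark_paid` / `mark_unpaid` is not among the three files in this commit, so it is not visible here whether it enforces `order.can_modify_payment(...)` server-side, and the form post is still accepted whether or not the buttons were rendered. If that handler does not already check, it needs the same guard that `prices()` now applies, otherwise the hiding is cosmetic rather than an authorisation control. Both new guards also evaluate `current_user.id` unconditionally; an anonymous user without an `id` attribute would pass an undefined value into the model's lookup instead of the `None` that `can_modify_prices` handles, so it is worth confirming this page is only reachable logged in.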
@ -330,14 +330,8 @@ def prices(order_id: int) -> typing.Optional[Response]:
|
|||
order = Order.query.filter(Order.id == order_id).first()
|
||||
if order is None:
|
||||
abort(404)
|
||||
if (
|
||||
current_user.is_anonymous() or
|
||||
not (current_user.is_admin() or current_user.id == order.courier_id)
|
||||
):
|
||||
flash("Only the courier can edit prices.", "error")
|
||||
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
|
||||
if not order.is_closed():
|
||||
flash("Cannot modify prices until the order is closed.", "error")
|
||||
if not order.can_modify_prices(current_user.id):
|
||||
flash("You cannot modify the prices at this time.", "error")
|
||||
return redirect(url_for("order_bp.order_from_id", order_id=order_id))
|
||||
|
||||
if request.method == "GET":
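Review bot: The replacement guard `if not order.can_modify_prices(current_user.id):` drops the explicit `current_user.is_anonymous()` check the removed lines had; `can_modify_prices` does handle `user_id is None`, but that path is reachable only if `current_user.id` resolves to `None` for anonymous users, which depends on the anonymous user class and on whether `prices` carries `login_required` (its decorators are outside the hunk). If the route can be reached anonymously, pass `getattr(current_user, "id", None)` or keep the `is_anonymous()` check ahead of the new one. The single message "You cannot modify the prices at this time." now covers both the not-yet-closed and the not-authorised case, which is defensible but loses the previous hint that the order must be closed first; a comment above the check, `# covers both: order not closed yet, and user is neither courier nor admin`, would keep that visible. `prices` continues outside the hunk.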