From 333a7ec5ec8543dc7f14ff72a609b5eab2002ff9 Mon Sep 17 00:00:00 2001 From: Feliciaan De Palmenaer Date: Thu, 4 Jun 2015 19:13:09 +0200 Subject: [PATCH 1/2] spacing --- app/views/order.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/order.py b/app/views/order.py index de92b92..301cbb5 100644 --- a/app/views/order.py +++ b/app/views/order.py @@ -63,6 +63,7 @@ def order_edit(id): return redirect(url_for('.order', id=order.id)) return render_template('order_edit.html', form=orderForm, order_id=id) + @order_bp.route('//create', methods=['POST']) def order_item_create(id): current_order = Order.query.filter(Order.id == id).first() @@ -90,7 +91,6 @@ def order_item_create(id): return order(id, form=form) - @order_bp.route('///delete') def delete_item(order_id, item_id): item = OrderItem.query.filter(OrderItem.id == item_id).first() From 3d5f6ef1ae27a4662c07b2977065fbcd34189804 Mon Sep 17 00:00:00 2001 From: Feliciaan De Palmenaer Date: Thu, 4 Jun 2015 21:36:57 +0200 Subject: [PATCH 2/2] Check if user is allowed to edit --- app/views/order.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/views/order.py b/app/views/order.py index 301cbb5..e6f056b 100644 --- a/app/views/order.py +++ b/app/views/order.py @@ -53,6 +53,8 @@ def order(id, form=None): @login_required def order_edit(id): order = Order.query.filter(Order.id == id).first() + if current_user.id is not order.courrier_id and not current_user.is_admin(): + abort(401) if order is None: abort(404) orderForm = OrderForm(obj=order)