From b51fb2d6dec4abeda9aba628ec481f11f28189be Mon Sep 17 00:00:00 2001
From: Feliciaan De Palmenaer
Date: Fri, 30 Oct 2015 20:30:18 +0100
Subject: [PATCH] Haldis hot fix, anonymous users cannot delete stuff

---
 app/models.py | 5 ++++-
 app/views/order.py | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/models.py b/app/models.py
index 9bcbafb..54d8d0b 100644
--- a/app/models.py
+++ b/app/models.py
@@ -156,6 +156,9 @@ class OrderItem(db.Model):
 return False
 if self.order.stoptime and self.order.stoptime < datetime.now():
 return False
- if self.user_id == user_id or self.name == name:
+ if self.user is not None and self.user_id == user_id:
+ return True
+ user = User.query.filter(User.id == user_id).first()
+ if user and user.is_admin():
 return True
 return False
diff --git a/app/views/order.py b/app/views/order.py
index 56e8138..18a8f57 100644
--- a/app/views/order.py
+++ b/app/views/order.py
@@ -137,12 +137,13 @@ def delete_item(order_id, item_id):
 item = OrderItem.query.filter(OrderItem.id == item_id).first()
 id = None
 if not current_user.is_anonymous():
+ print("%s tries to delete orders" % (current_user.username))
 id = current_user.id
 if item.can_delete(order_id, id, session.get('anon_name', '')):
 product_name = item.product.name
 db.session.delete(item)
 db.session.commit()
- flash('Deleted %s' % product_name, 'success')
+ flash('Deleted %s' % (product_name), 'success')
 return redirect(url_for('.order', id=order_id))
 abort(404)
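Review bot: The added `self.user is not None and self.user_id == user_id` guard refuses an anonymous caller (user_id None) only indirectly, by loading the `user` relationship on every call; `if user_id is not None and self.user_id == user_id:` states the intent directly and needs no extra load. The `name` parameter that the removed `self.name == name` branch consumed is now dead, yet the caller in app/views/order.py still passes `session.get('anon_name', '')`, so the signature (which lies before this hunk) should either document that it is ignored or drop it, and a docstring on can_delete saying that only the owning logged-in user or an admin may delete and that anonymous callers are always refused would make the authorization contract explicit. The `User.query` admin lookup is reached for every non-owner, including anonymous callers, where it is issued with a None id; gating it behind the same `user_id is not None` check keeps that query to authenticated callers.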
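Review bot: The added `print("%s tries to delete orders" % (current_user.username))` writes an audit line to stdout rather than the application log, and it records the attempt before the `can_delete` decision, so the refused path that ends in `abort(404)` leaves no record of who was denied; route it through the app logger with lazy arguments, `current_app.logger.info("%s tries to delete item %s", current_user.username, item_id)` (assuming `current_app` is imported in this module), and log the refusal next to `abort(404)` as well. The other change, `flash('Deleted %s' % (product_name), 'success')`, only parenthesizes a single operand and is a no-op that can be dropped. `item` comes from `.first()` and is used unguarded, so a missing item_id would raise on `item.can_delete` instead of returning 404; this predates the commit, but `if item is None: abort(404)` before the check closes it. delete_item's decorator and def lines precede the hunk.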