Haldis hot fix, anonymous users cannot delete stuff

2015-10-30 20:30:18 +01:00 · 2015-10-30 20:30:18 +01:00 · b51fb2d6de
commit b51fb2d6de
parent 48e314335f
2 changed files with 6 additions and 2 deletions
--- a/app/models.py
+++ b/app/models.py
@ -156,6 +156,9 @@ class OrderItem(db.Model):
            return False
        if self.order.stoptime and self.order.stoptime < datetime.now():
            return False
-        if self.user_id == user_id or self.name == name:
+        if self.user is not None and self.user_id == user_id:
+            return True
+        user = User.query.filter(User.id == user_id).first()
+        if user and user.is_admin():
            return True
        return False
--- a/app/views/order.py
+++ b/app/views/order.py
@ -137,12 +137,13 @@ def delete_item(order_id, item_id):
    item = OrderItem.query.filter(OrderItem.id == item_id).first()
    id = None
    if not current_user.is_anonymous():
+        print("%s tries to delete orders" % (current_user.username))
        id = current_user.id
    if item.can_delete(order_id, id, session.get('anon_name', '')):
        product_name = item.product.name
        db.session.delete(item)
        db.session.commit()
-        flash('Deleted %s' % product_name, 'success')
+        flash('Deleted %s' % (product_name), 'success')
        return redirect(url_for('.order', id=order_id))
    abort(404)