Merge branch 'prevent-unauthorized-deletion' into 'master'

Fix: prevent staff members from deleting projects published by other staff members. See merge request edtech/project-allocator!17

Merge branch 'prevent-unauthorized-deletion' into 'master'
a86a1116 · Andrea Callia D'Iddio · 8d6b3170 · d1212212 · a86a1116 · a86a1116
Commit a86a1116 authored 2 years ago by Andrea Callia D'Iddio
--- a/app/templates/pages/staff/projects.html
+++ b/app/templates/pages/staff/projects.html
@@ -18,8 +18,10 @@
                                        <a href="{{ url_for("staff.view_project", project_id=project.id) }}"
                                           class="w3-button w3-hover-teal">View</a>
                                    {% endif %}
+                                    {% if allow_edit %}
                                    <a href="{{ url_for("staff.delete_project", project_id=project.id) }}"
                                       class="w3-button w3-hover-red">Delete</a>
+                                    {% endif %}
                                </div>
                            </li>
                        {% endfor %}

--- a/app/views/staff.py
+++ b/app/views/staff.py
@@ -133,6 +133,8 @@ def delete_project(project_id):
        can_delete = False
    elif project.category not in category_codes:
        can_delete = False
+    elif project.proposer != current_user.username:
+        can_delete = False
    if can_delete:
        project.deleted = datetime.utcnow()
        db.session.commit()