From d12122127ebc6e2a1647cab302ad95570d1ca03e Mon Sep 17 00:00:00 2001
From: Andrea Callia D'Iddio <ac4014@ic.ac.uk>
Date: Tue, 14 Feb 2023 11:54:05 +0000
Subject: [PATCH] Fix: prevent staff members from deleting projects published
 by other staff members.

---
 app/templates/pages/staff/projects.html | 2 ++
 app/views/staff.py                      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/app/templates/pages/staff/projects.html b/app/templates/pages/staff/projects.html
index 6a95bcb..cbbd9ac 100644
--- a/app/templates/pages/staff/projects.html
+++ b/app/templates/pages/staff/projects.html
@@ -18,8 +18,10 @@
                                         <a href="{{ url_for("staff.view_project", project_id=project.id) }}"
                                            class="w3-button w3-hover-teal">View</a>
                                     {% endif %}
+                                    {% if allow_edit %}
                                     <a href="{{ url_for("staff.delete_project", project_id=project.id) }}"
                                        class="w3-button w3-hover-red">Delete</a>
+                                    {% endif %}
                                 </div>
                             </li>
                         {% endfor %}
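Review bot: The `allow_edit` gate wraps the Delete link inside the per-project loop, but it reads as a single page-wide flag, so if it is computed once for the listing it cannot express per-project ownership and will either hide Delete for every project or keep showing it for projects the current user cannot delete (how it is set is outside this hunk, so this is inferred). The ownership rule the view now enforces on `project.proposer` could be mirrored here, `{% if allow_edit and project.proposer == current_user.username %}`, so the list only offers actions the server will accept. Hiding the link is display only; the authorization must stay in `delete_project`, which the second file does. Separately, the delete is triggered by a plain `<a href>` GET to `staff.delete_project`, so the action is reachable via a bare link and is not CSRF-protected; a POST form with a CSRF token would be the safer shape for a state-changing action.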
diff --git a/app/views/staff.py b/app/views/staff.py
index fa4c80e..7184525 100644
--- a/app/views/staff.py
+++ b/app/views/staff.py
@@ -133,6 +133,8 @@ def delete_project(project_id):
         can_delete = False
     elif project.category not in category_codes:
         can_delete = False
+    elif project.proposer != current_user.username:
+        can_delete = False
     if can_delete:
         project.deleted = datetime.utcnow()
         db.session.commit()
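Review bot: The new `elif project.proposer != current_user.username` branch makes an ownership denial indistinguishable from the existing validity checks, and the hunk shows no 403 or audit record when `can_delete` stays False; what happens after the `if can_delete:` block is outside the hunk, so if the view merely falls through, consider `abort(403)` for the ownership case and a log line such as `current_app.logger.warning("delete of project %s denied for %s", project_id, current_user.username)` so cross-staff deletion attempts are visible. The same decision is now also needed by the listing template (`allow_edit`), so a small helper, e.g. `def _user_may_delete(project, user): return project.proposer == user.username`, called from both the view and the page that renders the list would keep the two from drifting apart. The `delete_project` function begins before this hunk, so the start of the `can_delete` chain and its initial value are not visible here.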
-- 
GitLab