PCv5/app/routes/posts/edit.py


from app import app, db
from app.models.post import Post
from app.models.attachment import Attachment
from app.utils.render import render
from app.utils.check_csrf import check_csrf
from app.forms.forum import CommentEditForm, AnonymousCommentEditForm
from wtforms import BooleanField
from urllib.parse import urlparse
from flask import redirect, url_for, abort, request
from flask_login import login_required, current_user
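def _local_redirect_path(raw):
    """Reduce a user-supplied return URL to a same-site absolute path.

    Only the path component of *raw* is kept (scheme, host, query string and
    fragment are discarded). Anything that is not clearly a local absolute
    path falls back to '/'.
    """
    try:
        path = urlparse(raw).path
    except ValueError:
        # urlparse raises ValueError on some malformed inputs; treat those
        # as "no return URL given" instead of answering with a 500.
        return '/'
    # Taking .path alone is not enough: urlparse leaves extra leading slashes
    # and backslashes in the path, and browsers may resolve a Location that
    # starts with '//' or '/\' against another host. An empty or relative
    # path is rejected as well, since it gives redirect() no reliable target.
    if not path.startswith('/') or path.startswith('//') or '\\' in path:
        return '/'
    return path


@app.route('/post/<int:postid>', methods=['GET','POST'])
@login_required
def edit_post(postid):
    """Display and process the edit form for the post with id *postid*.

    Responds 404 if no such post exists or if the post is not a comment, and
    403 if the current user is anonymous or may not edit the post. On a valid
    submission the text is updated, the attachments whose checkbox is ticked
    are deleted, newly uploaded files are attached, and the user is sent back
    to the local path given in the 'r' query parameter (default '/').
    """
    # 'r' comes straight from the query string, so it is untrusted input and
    # is reduced to a same-site path before it is ever used in a redirect.
    referrer = _local_redirect_path(
        request.args.get('r', default='/', type=str))

    p = Post.query.filter_by(id=postid).first_or_404()

    # Check permissions. TODO: Allow guests to edit their posts
    if current_user.is_anonymous or not current_user.can_edit_post(p):
        abort(403)

    # Only comments can be edited through this route.
    if p.type != "comment":
        abort(404)

    # Build a per-request form class with one checkbox per existing
    # attachment (field name 'a<attachment id>'); ticking it means "remove".
    class CommentForm(CommentEditForm):
        pass

    for a in p.attachments:
        setattr(CommentForm, f'a{a.id}', BooleanField(f'a{a.id}'))
    setattr(CommentForm, 'attachment_list',
            {f'a{a.id}': a for a in p.attachments})
    form = CommentForm()

    if form.validate_on_submit():
        p.text = form.message.data

        # Remove attachments
        for field_name, existing in form.attachment_list.items():
            if form[field_name].data:
                existing.delete()

        # Add new attachments
        attachments = []
        for upload in form.attachments.data:
            if upload.filename != "":
                a = Attachment(upload, p)
                attachments.append((a, upload))
                db.session.add(a)

        db.session.add(p)
        db.session.commit()

        # Files are stored only after the commit.
        # NOTE(review): presumably set_file needs the committed attachment
        # row (e.g. its id) to pick a storage location; confirm in Attachment.
        for a, upload in attachments:
            a.set_file(upload)

        return redirect(referrer)

    # First display, or validation failed: pre-fill with the stored text.
    form.message.data = p.text
    return render('forum/edit_comment.html', comment=p, form=form)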
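@app.route('/post/supprimer/<int:postid>', methods=['GET','POST'])
@login_required
@check_csrf
def delete_post(postid):
    """Delete the post with id *postid* and return to the previous page.

    Responds 404 if no such post exists and 403 if the current user is
    anonymous or may not delete the post.
    """
    # NOTE(review): this destructive route also accepts GET, so protection
    # against forged requests rests entirely on check_csrf; its
    # implementation is not visible here. Confirm it validates the token on
    # GET as well as POST.
    p = Post.query.filter_by(id=postid).first_or_404()

    if current_user.is_anonymous or not current_user.can_delete_post(p):
        abort(403)

    p.delete()
    db.session.commit()

    # The Referer header is optional (privacy settings, direct navigation),
    # in which case request.referrer is None and redirect() would have no
    # usable target; fall back to the site root.
    return redirect(request.referrer or '/')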