posts: add deletion

2020-09-26 14:55:55 +02:00 · 2020-09-26 14:55:55 +02:00 · 3b188e3bab
parent 0d8dd70956
commit 3b188e3bab
2 changed files with 20 additions and 1 deletions
--- a/app/routes/posts/edit.py
+++ b/app/routes/posts/edit.py
@ -1,6 +1,7 @@
 from app import app, db
 from app.models.post import Post
 from app.utils.render import render
+from app.utils.check_csrf import check_csrf
 from app.forms.forum import CommentEditForm, AnonymousCommentEditForm
 from urllib.parse import urlparse
 from flask import redirect, url_for, abort, request
@ -36,3 +37,21 @@ def edit_post(postid):
        return render('forum/edit_comment.html', comment=p, form=form)
    else:
        abort(404)
+
+@app.route('/post/supprimer/<int:postid>', methods=['GET','POST'])
+@login_required
+@check_csrf
+def delete_post(postid):
+    p = Post.query.filter_by(id=postid).first_or_404()
+
+    # TODO: Check whether privileged user has access to board
+    if p.author != current_user and not current_user.priv("delete-posts"):
+        abort(403)
+
+    for a in p.attachments:
+        db.session.delete(a)
+    db.session.commit()
+
+    db.session.delete(p)
+    db.session.commit()
+    return redirect(request.referrer)
--- a/app/templates/widgets/thread.html
+++ b/app/templates/widgets/thread.html
@ -15,7 +15,7 @@
            {% endif %}
            | <a href="{{ request.path }}#{{ c.id }}">#</a>
            | <a href="{{ url_for('edit_post', postid=c.id, r=request.path) }}">Modifier</a>
-            | <a href="#">Supprimer</a>
+            | <a href="{{ url_for('delete_post', postid=c.id, csrf_token=csrf_token()) }}" onclick="return confirm('Le message sera supprimé')">Supprimer</a>
            </div>

            {{ c.text|md }}