Convert task_delete and task_done views from GET to POST

2019-02-10 11:06:36 -08:00 · 2019-02-10 11:06:36 -08:00 · 01cab7a82f
commit 01cab7a82f
parent 891148e496
8 changed files with 109 additions and 52 deletions
--- a/todo/views/delete_task.py
+++ b/todo/views/delete_task.py
@ -16,20 +16,27 @@ def delete_task(request, task_id: int) -> HttpResponse:
    Redirect to the list from which the task came.
    """

-    task = get_object_or_404(Task, pk=task_id)
+    if request.method == "POST":
+        task = get_object_or_404(Task, pk=task_id)

-    # Permissions
-    if not (
-        (task.created_by == request.user)
-        or (task.assigned_to == request.user)
-        or (task.task_list.group in request.user.groups.all())
-    ):
+        redir_url = reverse(
+            "todo:list_detail",
+            kwargs={"list_id": task.task_list.id, "list_slug": task.task_list.slug},
+        )
+
+        # Permissions
+        if not (
+            (task.created_by == request.user)
+            or (request.user.is_superuser)
+            or (task.assigned_to == request.user)
+            or (task.task_list.group in request.user.groups.all())
+        ):
+            raise PermissionDenied
+
+        task.delete()
+
+        messages.success(request, "Task '{}' has been deleted".format(task.title))
+        return redirect(redir_url)
+
+    else:
        raise PermissionDenied
-
-    tlist = task.task_list
-    task.delete()
-
-    messages.success(request, "Task '{}' has been deleted".format(task.title))
-    return redirect(
-        reverse("todo:list_detail", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
-    )