peterstockings/workout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ensure only admins can delete users/exercises and users can only edit there own name

Browse Source
This commit is contained in:
Peter Stockings
2026-01-31 14:19:16 +11:00
parent 32719cc141
commit 62080b97a4
2 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app.py
View File

@@ -5,7 +5,7 @@ from flask_login import LoginManager, login_required, current_user
import jinja_partials
from jinja2_fragments import render_block
from decorators import (validate_person, validate_topset, validate_workout,
require_ownership, get_auth_message, get_person_id_from_context)
require_ownership, get_auth_message, get_person_id_from_context, admin_required)
from routes.auth import auth, get_person_by_id
from routes.changelog import changelog_bp
from routes.calendar import calendar_bp # Import the new calendar blueprint
@@ -165,8 +165,8 @@ def create_person():
@ app.route("/person/<int:person_id>/delete", methods=['DELETE'])
@login_required
@admin_required
@validate_person
@require_ownership
def delete_person(person_id):
db.delete_person(person_id)
return "", 200, {"HX-Trigger": "updatedPeople"}
@@ -198,6 +198,7 @@ def get_person_name(person_id):
@ app.route("/exercise", methods=['POST'])
@login_required
def create_exercise():
name = request.form.get("name")
attribute_ids = request.form.getlist('attribute_ids')
@@ -218,6 +219,7 @@ def get_exercise(exercise_id):
@ app.route("/exercise/<int:exercise_id>/edit_form", methods=['GET'])
@login_required
def get_exercise_edit_form(exercise_id):
exercise = db.get_exercise(exercise_id)
all_attributes = db.exercises.get_attributes_by_category()
@@ -243,6 +245,7 @@ def get_exercise_edit_form(exercise_id):
@ app.route("/exercise/<int:exercise_id>/update", methods=['PUT'])
@login_required
def update_exercise(exercise_id):
new_name = request.form.get('name')
attribute_ids = request.form.getlist('attribute_ids')
@@ -262,9 +265,6 @@ def delete_exercise(exercise_id):
@ app.route("/settings")
@ login_required
def settings():
# check if user is admin
if current_user.id != 1007:
return redirect(url_for('dashboard'))
people = db.get_people()
exercises = db.get_all_exercises()
all_attributes = db.exercises.get_attributes_by_category()
@@ -329,6 +329,7 @@ def get_exercises():
return render_template('partials/exercise/exercise_dropdown.html', exercises=exercises, person_id=person_id)
@app.route("/exercise/<int:exercise_id>/edit_name", methods=['GET', 'POST'])
@login_required
def edit_exercise_name(exercise_id):
exercise = db.exercises.get_exercise(exercise_id)
person_id = request.args.get('person_id', type=int)
@@ -340,6 +341,7 @@ def edit_exercise_name(exercise_id):
return render_template('partials/exercise/exercise_list_item.html', exercise=updated_exercise, person_id=person_id)
@app.route("/exercises/add", methods=['POST'])
@login_required
def add_exercise():
exercise_name = request.form['query']
new_exercise = db.exercises.add_exercise(exercise_name)
@@ -347,6 +349,8 @@ def add_exercise():
return render_template('partials/exercise/exercise_list_item.html', exercise=new_exercise, person_id=person_id)
@ app.route("/exercise/<int:exercise_id>/delete", methods=['DELETE'])
@login_required
@admin_required
def delete_exercise(exercise_id):
db.exercises.delete_exercise(exercise_id)
return ""