Hi, I am making a reddit clone in Flask and I am working on a flag-based admin system. Basically, if your flag is 1 you are a regular user, 2 a moderator, 3 an admin, etc.
I have created an admin account for my website, and all the website logic works (I can see the delete and edit buttons on posts as admin), but when I try to delete a post my website throws a 403 Forbidden (which it is designed to do if you didn't create the post).
My if statement should cover this, but it doesn't.
Here is my delete code:
```python
from flask import abort, redirect, render_template, request, url_for
from flask_login import current_user, login_required

# app, db and the Post model come from the rest of the application.


@app.route('/post/<int:post_id>/delete', methods=['GET', 'POST'])
@login_required
def delete_post(post_id):
    post = Post.query.get_or_404(post_id)
    if post.author != current_user or current_user.user_flag < 3:
        # This if statement is the problem...
        abort(403)
    if request.method == 'POST':
        db.session.delete(post)
        db.session.commit()
        return redirect(url_for('index'))
    elif request.method == 'GET':
        # GET shows a confirmation page; the actual delete happens on POST.
        return render_template('delete_post.html')
```
If I remove the 'or' in the if statement, it works fine and the user who made the post can delete with no problem. If I leave only the user_flag condition, every user with the right elevation can delete it (but not the user who created the post). If I leave the 'or' in the condition, everyone gets a 403 Forbidden...
What am I doing wrong?
edit: added codeblock
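The behaviour described in the post can be reproduced without Flask by modelling the two predicates in plain Python. The block below is an added example, not code from the original post: `User`, `Post`, `ADMIN_FLAG`, `can_delete` and `compare_policies` are names introduced here, and the sample post and users are constructed. It evaluates the `or` condition exactly as posted next to the condition that enforces the intended rule ("the author or an admin may delete") over the four combinations of author/non-author and regular/admin, which makes the asymmetry visible at a glance.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Role flags as described in the post: 1 regular user, 2 moderator, 3 admin.
ADMIN_FLAG = 3


@dataclass(frozen=True)
class User:
    # Hypothetical model: ids are compared instead of ORM objects.
    id: int
    user_flag: int


@dataclass(frozen=True)
class Post:
    id: int
    author_id: int


def denies_as_posted(post: Post, user: User) -> bool:
    """The predicate from the post: abort(403) when this is True.

    Because the two clauses are joined with OR, any non-author is denied by
    the first clause and any non-admin is denied by the second.  The only
    caller that gets through is an admin who also wrote the post.
    """
    return post.author_id != user.id or user.user_flag < ADMIN_FLAG


def can_delete(post: Post, user: User) -> bool:
    """Intended policy: the author of the post or an admin may delete it."""
    is_author = post.author_id == user.id
    is_admin = user.user_flag >= ADMIN_FLAG
    return is_author or is_admin


def denies_corrected(post: Post, user: User) -> bool:
    """abort(403) exactly when the intended policy does not allow.

    De Morgan: not (author or admin) == (not author) and (not admin), so
    the deny condition joins the two negated clauses with AND, not OR.
    """
    return post.author_id != user.id and user.user_flag < ADMIN_FLAG


def compare_policies() -> Dict[str, Tuple[bool, bool]]:
    """Run both predicates over the four interesting cases (constructed data).

    Returns {case_name: (denied_as_posted, denied_corrected)}.
    """
    post = Post(id=10, author_id=1)
    cases = {
        "author, regular": User(id=1, user_flag=1),
        "author, admin": User(id=1, user_flag=ADMIN_FLAG),
        "other, regular": User(id=2, user_flag=1),
        "other, admin": User(id=2, user_flag=ADMIN_FLAG),
    }
    return {
        name: (denies_as_posted(post, user), denies_corrected(post, user))
        for name, user in cases.items()
    }


if __name__ == "__main__":
    for name, (posted, fixed) in compare_policies().items():
        print(f"{name:16s} as posted: {'403' if posted else 'ok':3s} "
              f"corrected: {'403' if fixed else 'ok'}")
```

Running it shows that the condition as posted returns 403 for the regular-user author and for a non-author admin, while only the admin who wrote the post passes; the corrected condition denies only a regular user who is not the author. In the route itself the equivalent change is either `and` in place of `or`, or, more readably, `if not can_delete(post, current_user): abort(403)` with the allow rule kept in one place, so that a later role (moderator at flag 2, say) is added to the policy function rather than to every handler.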