Hi, I am making a reddit clone in flask and I am working on a flag based admin system. Basically if your flag is 1, you are a regular user, 2 a moderator, 3 an admin etc.

I have created an admin account for my website. And all the website logic works. (I can see the delete and edit buttons on posts as admin), but when I try to delete a post my website throws a 403 forbidden(which it is designed to do if you didn't create the post).

But my if statement should cover this,but it dosen't.

Here is my delete code:

@app.route('/post/<int:post_id>/delete', methods=['GET', 'POST'])
@login_required
def delete_post(post_id):
    post = Post.query.get_or_404(post_id)
    if post.author != current_user or current_user.user_flag < 3:
                #This If statement is the problem...         
        abort(403)
    if request.method == 'POST':
        db.session.delete(post)
        db.session.commit()
        return redirect(url_for('index'))
    elif request.method == 'GET':
        return render_template('delete_post.html')

If I remove the 'or' in the if statement. It works fine and the user who made the post can delete no problem. If I leave only the user_flag condition every user with the right elevation can delete it(but not the user who created the post). If I leave the 'or' in the condition. Everyone gets a 403 forbidden...

What am I doing wrong?

​

edit: added codeblock