From 1180842c66c50a27f018c423fdb8caf9c7ea5c7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?= <laura@codingcatgirl.de>
Date: Thu, 29 Jun 2017 17:48:02 +0200
Subject: [PATCH] can_delete

---
 src/c3nav/editor/models/changeset.py             | 3 +++
 src/c3nav/editor/templates/editor/changeset.html | 4 +++-
 src/c3nav/editor/views/changes.py                | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/c3nav/editor/models/changeset.py b/src/c3nav/editor/models/changeset.py
index d572586c..0d23a386 100644
--- a/src/c3nav/editor/models/changeset.py
+++ b/src/c3nav/editor/models/changeset.py
@@ -267,6 +267,9 @@ class ChangeSet(models.Model):
         return (self.editable and self.session_id == request.session.session_key and
                 (self.proposed is None or self.assigned_to_id is request.user.pk))
 
+    def can_delete(self, request):
+        return self.can_edit(request) and self.proposed is None
+
     def can_propose(self, request):
         return self.author_id == request.user.pk and self.proposed is None
 
diff --git a/src/c3nav/editor/templates/editor/changeset.html b/src/c3nav/editor/templates/editor/changeset.html
index e1122e13..734ad5c2 100644
--- a/src/c3nav/editor/templates/editor/changeset.html
+++ b/src/c3nav/editor/templates/editor/changeset.html
@@ -57,7 +57,9 @@
 {% endfor %}
 
 {% buttons %}
-    <button type="submit" class="btn btn-danger" name="delete" value="1">{% trans 'Delete' %}</button>
+    {% if can_delete %}
+        <button type="submit" class="btn btn-danger" name="delete" value="1">{% trans 'Delete' %}</button>
+    {% endif %}
     <div class="pull-right">
         {% if can_edit %}
             <a href="{% url 'editor.changesets.edit' pk=changeset.pk %}" class="btn btn-default">{% trans 'Edit' %}</a>
diff --git a/src/c3nav/editor/views/changes.py b/src/c3nav/editor/views/changes.py
index 93c608a2..9296cd84 100644
--- a/src/c3nav/editor/views/changes.py
+++ b/src/c3nav/editor/views/changes.py
@@ -26,6 +26,7 @@ def changeset_detail(request, pk):
         raise Http404
 
     can_edit = changeset.can_edit(request)
+    can_delete = changeset.can_delete(request)
 
     if request.method == 'POST' and can_edit:
         restore = request.POST.get('restore')
@@ -43,6 +44,9 @@ def changeset_detail(request, pk):
             return redirect(reverse('editor.changesets.detail', kwargs={'pk': changeset.pk}))
 
         elif request.POST.get('delete') == '1':
+            if not changeset.can_delete(request):
+                raise PermissionDenied
+
             if request.POST.get('delete_confirm') == '1':
                 changeset.delete()
                 return redirect(reverse('editor.index'))
@@ -223,6 +227,7 @@ def changeset_detail(request, pk):
         'changeset': changeset,
         'created': created,
         'can_edit': can_edit,
+        'can_delete': can_delete,
         'changed_objects': changed_objects_data,
     }