diff --git a/cps/web.py b/cps/web.py
index 5fba962a..67b0c9d4 100755
--- a/cps/web.py
+++ b/cps/web.py
@@ -2194,29 +2194,37 @@ def remove_from_shelf(shelf_id, book_id):
 # if shelf is public and use is allowed to edit shelfs, or if shelf is private and user is owner
 # allow editing shelfs
- if (not shelf.is_public and not shelf.user_id == int(current_user.id)) \
- or not (shelf.is_public and current_user.role_edit_shelfs()):
- if not request.is_xhr:
- app.logger.info("Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name)
- return redirect(url_for('index'))
- return "Sorry you are not allowed to add a book to the the shelf: %s" % shelf.name, 403
+ # result shelf public user allowed user owner
+ # false 1 0 x
+ # true 1 1 x
+ # true 0 x 1
+ # false 0 x 0
+
+ if (not shelf.is_public and shelf.user_id == int(current_user.id)) \
+ or (shelf.is_public and current_user.role_edit_shelfs()):
+ book_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id,
+ ub.BookShelf.book_id == book_id).first()
+
+ if book_shelf is None:
+ app.logger.info("Book already removed from shelf")
+ if not request.is_xhr:
+ return redirect(url_for('index'))
+ return "Book already removed from shelf", 410
- book_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id,
- ub.BookShelf.book_id == book_id).first()
+ ub.session.delete(book_shelf)
+ ub.session.commit()
- if book_shelf is None:
- app.logger.info("Book already removed from shelf")
 if not request.is_xhr:
+ flash(_(u"Book has been removed from shelf: %(sname)s", sname=shelf.name), category="success")
+ return redirect(request.environ["HTTP_REFERER"])
+ return "", 204
+ else:
+ app.logger.info("Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name)
+ if not request.is_xhr:
+ flash(_(u"Sorry you are not allowed to remove a book from this shelf: %(sname)s", sname=shelf.name), category="error")
 return redirect(url_for('index'))
- return "Book already removed from shelf", 410
-
- ub.session.delete(book_shelf)
- ub.session.commit()
+ return "Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name, 403
- if not request.is_xhr:
- flash(_(u"Book has been removed from shelf: %(sname)s", sname=shelf.name), category="success")
- return redirect(request.environ["HTTP_REFERER"])
- return "", 204
 @app.route("/shelf/create", methods=["GET", "POST"])
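Review bot: The new `else:` branch puts `shelf.name` into both the flash message and the 403 body, so a user who fails the ownership check is still told the name of another user's private shelf when requesting its id. Keep the name in the server-side log only and answer with a generic message, e.g. `return "Sorry you are not allowed to remove a book from this shelf", 403`, with the same wording in the `flash` call. Separately, in the allowed branch `redirect(request.environ["HTTP_REFERER"])` raises KeyError when the client sends no Referer header, and by then the delete has already been committed; `return redirect(request.referrer or url_for('index'))` avoids the 500. The start of remove_from_shelf (the shelf lookup) is outside this hunk, so the handling of a missing shelf could not be checked here.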