From 55c02bc973f389f6a90c0e9008a4d849376e9d2e Mon Sep 17 00:00:00 2001
From: konrad
Date: Thu, 12 Jul 2018 23:33:21 +0200
Subject: [PATCH] Fixed CanDelete
---
 models/list_items_rights.go | 7 +++++--
 models/list_rights.go | 5 +++--
 models/rights.go | 2 +-
 routes/crud/delete.go | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/models/list_items_rights.go b/models/list_items_rights.go
index 48bcdd6c..9a2bd77e 100644
--- a/models/list_items_rights.go
+++ b/models/list_items_rights.go
@@ -1,9 +1,12 @@
 package models
 // CanDelete checks if the user can delete an item
-func (i *ListItem) CanDelete(doer *User) bool {
+func (i *ListItem) CanDelete(doer *User, id int64) bool {
+ // Get the item
+ lI, _ := GetListItemByID(id)
+
 // A user can delete an item if he has write acces to its list
- list, _ := GetListByID(i.ListID)
+ list, _ := GetListByID(lI.ListID)
 return list.CanWrite(doer)
 }
diff --git a/models/list_rights.go b/models/list_rights.go
index 98452780..6e9a3abe 100644
--- a/models/list_rights.go
+++ b/models/list_rights.go
@@ -81,8 +81,9 @@ func (l *List) CanRead(user *User) bool {
 }
 // CanDelete checks if the user can delete a list
-func (l *List) CanDelete(doer *User) bool {
- return l.IsAdmin(doer)
+func (l *List) CanDelete(doer *User, id int64) bool {
+ list, _ := GetListByID(id)
+ return list.IsAdmin(doer)
 }
 // CanUpdate checks if the user can update a list
diff --git a/models/rights.go b/models/rights.go
index e8d1d6ee..03a57f4a 100644
--- a/models/rights.go
+++ b/models/rights.go
@@ -5,7 +5,7 @@ type Rights interface {
 IsAdmin(*User) bool
 CanWrite(*User) bool
 CanRead(*User) bool
- CanDelete(*User) bool
+ CanDelete(*User, int64) bool
 CanUpdate(*User, int64) bool
 CanCreate(*User, int64) bool
 }
diff --git a/routes/crud/delete.go b/routes/crud/delete.go
index 1cd06823..6d8df178 100644
--- a/routes/crud/delete.go
+++ b/routes/crud/delete.go
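Review bot: In models/list_items_rights.go the new `ListItem.CanDelete` discards the second return value of both `GetListItemByID(id)` and `GetListByID(lI.ListID)`, so the permission decision is made on whatever a failed lookup hands back. What that value is cannot be seen from the hunk, but for an `id` that does not exist the result is either a nil dereference or `CanWrite` evaluated on an empty list, and neither is an explicit deny; an authorization check should return false as soon as a lookup fails. The models/list_rights.go hunk has the same pattern, where `list, _ := GetListByID(id)` feeds `list.IsAdmin(doer)`. The receiver is no longer read in either method, so the doc comments should say the check is keyed on `id`. The sketch below assumes the discarded value is an `error` in both lookups.

```go
func (i *ListItem) CanDelete(doer *User, id int64) bool {
	// Deny when the item or its list cannot be loaded.
	lI, err := GetListItemByID(id)
	if err != nil {
		return false
	}

	// A user can delete an item if he has write access to its list.
	list, err := GetListByID(lI.ListID)
	if err != nil {
		return false
	}
	return list.CanWrite(doer)
}
```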
@@ -19,7 +19,7 @@ func (c *WebHandler) DeleteWeb(ctx echo.Context) error {
 if err != nil {
 return echo.NewHTTPError(http.StatusInternalServerError)
 }
- if !c.CObject.CanDelete(&user) {
+ if !c.CObject.CanDelete(&user, id) {
 return echo.NewHTTPError(http.StatusForbidden)
 }
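Review bot: `c.CObject.CanDelete(&user, id)` now authorizes against whatever object `id` names instead of the state held in `c.CObject`, so the check only protects the delete if the call that follows removes exactly that `id`. `id` is assigned above the hunk and the delete call sits below it, so neither is visible here; please confirm both use the same parsed value. A comment on the check such as `// id must be the same value the delete below acts on` would keep later edits from separating the two.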