From a2ceaa0966cfc79620e2b541d6330b206b051985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?=
Date: Mon, 20 Apr 2026 13:22:41 +0300
Subject: [PATCH] add some posts route annotations
---
 app/routes/posts.py | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/app/routes/posts.py b/app/routes/posts.py
index 87052af..dda0186 100644
--- a/app/routes/posts.py
+++ b/app/routes/posts.py
@@ -1,7 +1,44 @@
-from flask import Blueprint
+from flask import Blueprint, abort
+from functools import wraps
+from ..auth import login_required, get_active_user
+from ..models import Posts
 bp = Blueprint('posts', __name__, url_prefix='/posts/')
+def ownership_required(view_func):
+ @wraps(view_func)
+ def wrapper(*args, **kwargs):
+ post = Posts.find({'id': kwargs.get('post_id', None)})
+ if not post:
+ abort(404)
+
+ if post.user_id != get_active_user().id:
+ abort(403)
+
+ return view_func(*args, **kwargs)
+ return wrapper
+
+def ownership_or_mod_required(view_func):
+ @wraps(view_func)
+ def wrapper(*args, **kwargs):
+ post = Posts.find({'id': kwargs.get('post_id', None)})
+ if not post:
+ abort(404)
+
+ if post.user_id != get_active_user().id and not get_active_user().is_mod():
+ abort(403)
+
+ return view_func(*args, **kwargs)
+ return wrapper
+
 @bp.get('//edit/')
+@login_required
+@ownership_required
 def edit(post_id):
 return 'stub'
+
+@bp.get('//delete/')
+@login_required
+@ownership_or_mod_required
+def delete(post_id):
+ return 'stub'
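Review bot: The new `delete` view is registered with `@bp.get`, so once the stub is filled in, a destructive action will be reachable by a plain GET. A cross-site link or a prefetcher could then trigger it in the owner's or a moderator's session, because SameSite=Lax cookies are still sent on top-level GET navigations. Register the route with `@bp.post` (or `@bp.delete`) on the same path, and put it behind whatever CSRF token check the app's forms use. Separately, both wrappers dereference `get_active_user().id` without a guard, so they presumably depend on `@login_required` staying above them in the decorator stack; a docstring line such as `Must be applied below @login_required.` would make that ordering explicit. The two wrappers differ only in the `is_mod()` clause and could share one helper that takes an `allow_mod` flag.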