wait for refactor routes

app/controllers/require_permission.py

@@ -9,19 +9,29 @@ from app.logger import log
 def check_permissions(
     entity_type: m.Permission.Entity,
     access: list[m.Permission.Access],
-    model: m,
+    entities_data: list[dict] | dict,
-    entity_id_field: str,
 ):
     request_args = (
         {**request.view_args, **request.args} if request.view_args else {**request.args}
     )
+    if type(entities_data) == dict:
+        entities_data = [entities_data]
+    entity = None
+    for entity_data in entities_data:
+        model = entity_data.get("model")
+        entity_id_field = entity_data.get("entity_id_field")
+        if not model or entity_id_field is None:
+            raise ValueError(
+                "One of required arguments(model, entity_id_field) is missions"
+            )
+
+        entity_id = request_args.get(entity_id_field)
+        if entity_id is None:
+            raise ValueError("entity_id not found")
+        entity: m.Book | m.Collection | m.Section | m.Interpretation = db.session.get(
+            model, entity_id
+        )
 
-    entity_id = request_args.get(entity_id_field)
-    if entity_id is None:
-        raise ValueError("entity_id not found")
-    entity: m.Book | m.Collection | m.Section | m.Interpretation = db.session.get(
-        model, entity_id
-    )
     if not entity or not entity.access_groups:
         flash("You do not have permission", "warning")
         return make_response(redirect(url_for("home.get_all")))
@@ -62,8 +72,7 @@ def check_permissions(
 def require_permission(
     entity_type: m.Permission.Entity,
     access: list[m.Permission.Access],
-    model: m,
+    entities_data: list[dict] | dict,
-    entity_id_field: str,
 ):
     def decorator(f):
         @functools.wraps(f)
@@ -71,8 +80,7 @@ def require_permission(
             if response := check_permissions(
                 entity_type=entity_type,
                 access=access,
-                model=model,
+                entities_data=entities_data,
-                entity_id_field=entity_id_field,
             ):
                 return response
             return f(*args, **kwargs)

app/views/book/book.py

@@ -116,8 +116,10 @@ def create():
 @require_permission(
     entity_type=m.Permission.Entity.BOOK,
     access=[m.Permission.Access.U],
-    model=m.Book,
+    entity_data={
-    entity_id_field="book_id",
+        "model": m.Book,
+        "entity_id_field": "book_id",
+    },
 )
 @login_required
 def edit(book_id: int):
@@ -145,6 +147,16 @@ def edit(book_id: int):
 
 
 @bp.route("/<int:book_id>/delete", methods=["POST"])
+@require_permission(
+    entity_type=m.Permission.Entity.BOOK,
+    access=[m.Permission.Access.D],
+    entities_data=[
+        {
+            "model": m.Book,
+            "entity_id_field": "book_id",
+        }
+    ],
+)
 @login_required
 def delete(book_id: int):
     book: m.Book = db.session.get(m.Book, book_id)

app/views/book/collection.py

@@ -14,6 +14,7 @@ from app.controllers.delete_nested_book_entities import (
     delete_nested_collection_entities,
 )
 from app import models as m, db, forms as f
+from app.controllers.require_permission import require_permission
 from app.logger import log
 from .bp import bp
 
@@ -61,6 +62,12 @@ def sub_collection_view(book_id: int, collection_id: int):
 @bp.route("/<int:book_id>/create_collection", methods=["POST"])
 @bp.route("/<int:book_id>/<int:collection_id>/create_sub_collection", methods=["POST"])
 @register_book_verify_route(bp.name)
+@require_permission(
+    entity_type=m.Permission.Entity.COLLECTION,
+    access=[m.Permission.Access.C],
+    model=m.Collection,
+    entity_id_field="collection_id",
+)
 @login_required
 def collection_create(book_id: int, collection_id: int | None = None):
     book: m.Book = db.session.get(m.Book, book_id)