fix approve comment

app/controllers/require_permission.py

@@ -3,6 +3,7 @@ from flask import flash, redirect, url_for, request, make_response
 import functools
 
 from app import models as m, db
+from app.logger import log
 
 
 def check_permissions(
@@ -21,27 +22,47 @@ def check_permissions(
     for model in entities:
         entity_id_field = (model.__name__ + "_id").lower()
         entity_id = request_args.get(entity_id_field)
-        entity: m.Book | m.Collection | m.Section | m.Interpretation = db.session.get(
-            model, entity_id
+        entity: m.Book | m.Collection | m.Section | m.Interpretation | m.Comment = (
+            db.session.get(model, entity_id)
         )
 
     if entity is None:
+        log(log.INFO, "No entity [%s] found", entities)
         flash("You do not have permission", "danger")
         return make_response(redirect(url_for("home.get_all")))
 
     book_id = request_args.get("book_id")
-    book: m.Book = db.session.get(m.Book, book_id)
-    if book and book.user_id == current_user.id:
-        # user has access because he is book owner
-        return None
+    if book_id:
+        book: m.Book = db.session.get(m.Book, book_id)
+        if book and book.user_id == current_user.id:
+            # user has access because he is book owner
+            log(log.INFO, "User [%s] is book owner [%s]", current_user, book)
+            return None
+
+    if type(entity) == m.Comment:
+        log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
+        entity = entity.interpretation
 
     if not entity or not entity.access_groups:
+        log(
+            log.INFO,
+            "User [%s] dont have permission to [%s] [%s]",
+            access.name,
+            current_user,
+            entity,
+        )
         flash("You do not have permission", "warning")
         return make_response(redirect(url_for("home.get_all")))
 
     # check if user is not owner of book
-    if not book and entity.access_groups[0].book.user_id == current_user.id:
+    if not book_id and entity.access_groups[0].book.user_id == current_user.id:
         # user has access because he is book owner
+        log(
+            log.INFO,
+            "User [%s] is book owner [%s]",
+            current_user,
+            entity.access_groups[0].book,
+        )
         return None
 
     access_group_query = (
@@ -67,8 +88,22 @@ def check_permissions(
     access_groups = access_group_query.all()
 
     if access_groups:
+        log(
+            log.INFO,
+            "User [%s] has permission to [%s] [%s]",
+            access.name,
+            current_user,
+            entity,
+        )
         return
 
+    log(
+        log.INFO,
+        "User [%s] dont have permission to [%s] [%s]",
+        access.name,
+        current_user,
+        entity,
+    )
     flash("You do not have permission", "danger")
     return make_response(redirect(url_for("home.get_all")))
 

app/views/approve.py

@@ -61,19 +61,19 @@ def approve_interpretation(interpretation_id: int):
 
 
 @bp.route(
-    "/comment/<int:interpretation_id>",
+    "/comment/<int:comment_id>",
     methods=["POST"],
 )
 @require_permission(
     entity_type=m.Permission.Entity.COMMENT,
     access=[m.Permission.Access.A],
-    entities=[m.Interpretation],
+    entities=[m.Comment],
 )
 @login_required
-def approve_comment(interpretation_id: int):
-    comment: m.Comment = db.session.get(m.Comment, interpretation_id)
+def approve_comment(comment_id: int):
+    comment: m.Comment = db.session.get(m.Comment, comment_id)
     if not comment:
-        log(log.WARNING, "Comment with id [%s] not found", interpretation_id)
+        log(log.WARNING, "Comment with id [%s] not found", comment_id)
         return jsonify({"message": "Comment not found"}), 404
 
     comment.approved = not comment.approved