From 0c3d2328a81b2e8c0bb04bf60039e56719ae8ceb Mon Sep 17 00:00:00 2001
From: Raphael Odini
Date: Mon, 18 Mar 2024 18:16:01 +0100
Subject: [PATCH] feat(prices): allow moderators to delete prices (#260)
---
 app/routers/prices.py | 5 +++--
 tests/integration/test_api.py | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/app/routers/prices.py b/app/routers/prices.py
index 0e936867..f5634b1a 100644
--- a/app/routers/prices.py
+++ b/app/routers/prices.py
@@ -172,8 +172,9 @@ def delete_price(
 status_code=404,
 detail=f"Price with code {price_id} not found",
 )
- # Check if the price belongs to the current user
- if db_price.owner != current_user.user_id:
+ # Check if the price belongs to the current user,
+ # if it doesn't, the user needs to be a moderator
+ if db_price.owner != current_user.user_id and not current_user.is_moderator:
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN,
 detail="Price does not belong to current user",
diff --git a/tests/integration/test_api.py b/tests/integration/test_api.py
index f50d603e..2fba0ec0 100644
--- a/tests/integration/test_api.py
+++ b/tests/integration/test_api.py
@@ -742,11 +742,13 @@ def test_update_price_moderator(
 def test_delete_price(
 db_session, user_session: SessionModel, user_session_1: SessionModel, clean_prices
 ):
+ # create price
 db_price = crud.create_price(db_session, PRICE_1, user_session.user)
 # without authentication
 response = client.delete(f"/api/v1/prices/{db_price.id}")
 assert response.status_code == 401
 # with authentication but not price owner
+ crud.update_user_moderator(db_session, USER_1.user_id, False)
 response = client.delete(
 f"/api/v1/prices/{db_price.id}",
 headers={"Authorization": f"Bearer {user_session_1.token}"},
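Review bot: A moderator deleting another user's price now passes `if db_price.owner != current_user.user_id and not current_user.is_moderator:` with nothing in the hunk that records who performed the deletion. Because this is a privileged action on someone else's data, an audit record written before the delete would support later investigation of moderator misuse or a compromised moderator account. One option, when the owner and caller differ, is `logging.getLogger(__name__).info("price %s owned by %s deleted by moderator %s", price_id, db_price.owner, current_user.user_id)`. delete_price starts and ends outside the hunk, so such a record may already be written further down, and the module's logging setup is not visible here.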
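Review bot: The negative case in test_delete_price now depends on a hand-written `crud.update_user_moderator(db_session, USER_1.user_id, False)`, which suggests USER_1's moderator flag persists across tests. test_delete_price_moderator in the next hunk sets it to `True` and never resets it. Any later test that uses `user_session_1` to expect a 403 would then depend on execution order, and a leftover privilege can mask a broken authorization check. Resetting the flag in the fixture that provides `user_session_1` would make each test's starting privilege explicit, though whether an existing fixture already does this is not visible here. The rejection assertion this line guards presumably sits between the two hunks, outside the shown lines.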
@@ -766,6 +768,20 @@ def test_delete_price(
 assert response.status_code == 204


+def test_delete_price_moderator(
+ db_session, user_session: SessionModel, user_session_1: SessionModel, clean_prices
+):
+ # create price
+ db_price = crud.create_price(db_session, PRICE_1, user_session.user)
+ # user_1 is moderator, not owner
+ crud.update_user_moderator(db_session, USER_1.user_id, True)
+ response = client.delete(
+ f"/api/v1/prices/{db_price.id}",
+ headers={"Authorization": f"Bearer {user_session_1.token}"},
+ )
+ assert response.status_code == 204
+
+
 # Test proofs
 # ------------------------------------------------------------------------------
 def test_create_proof(user_session: SessionModel, clean_proofs):
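Review bot: test_delete_price_moderator asserts only `response.status_code == 204`, so it would still pass if the moderator path returned 204 without removing the row. The handler answers 404 for a missing price, so repeating the same `client.delete(...)` call and adding `assert response.status_code == 404` would confirm the deletion took effect. A comment such as `# a moderator may delete a price owned by another user` above the request would also state the authorization rule under test.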