diff --git a/app/admin/routes.py b/app/admin/routes.py
index bfb17ee235b6f0b712fb4990035c01869219add6..a82d89861a678e13ca769a3b2ea30916cd616b61 100644
--- a/app/admin/routes.py
+++ b/app/admin/routes.py
@@ -1,5 +1,7 @@
-from flask import render_template, redirect, url_for
+from flask import render_template, redirect, url_for, request, jsonify
+from app import db
 from app import admin_permission, permission_required, super_admin_permission
+from app.models import Listings
 from app.admin import bp
 
 
@@ -28,9 +30,8 @@ def manage_users():
 def manage_user_bookings():
     return render_template('admin/index.html')
 
-
 @bp.route('get_bookings', methods=['GET'])
-@permission_required(super_admin_permission)
+@permission_required(admin_permission)
 def get_bookings():
     query = db.session.query(Listings)
 
@@ -73,3 +74,15 @@ def get_bookings():
     ]
 
     return jsonify(result)
+
+@bp.route('delete_booking', methods=['DELETE'])
+@permission_required(admin_permission)
+def delete_booking():
+    http_code = 400
+    booking_id = request.form.get('id')
+    success = Listings.delete_listing(booking_id)
+
+    if success:
+        http_code = 200
+
+    return jsonify(success), http_code
\ No newline at end of file
diff --git a/app/api/routes.py b/app/api/routes.py
index 8a37a8309ac6471eb20fe2aba6fafee48de566e2..18ed516aeced8b596b8ec044ae597b76a3aa2d99 100644
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -1,9 +1,6 @@
-from flask import jsonify, request
+from flask import jsonify
 from app.api import bp
 from app.models import User, Listings
-from app import db
-from app import admin_permission, permission_required, super_admin_permission
-import json
 
 @bp.route('/user_id/<int:id>', methods=['GET'])
 def get_user_by_id(id):
diff --git a/app/models/listings.py b/app/models/listings.py
index 7295ec438b51d223fa06937ab7cf5fd59201dc75..08970b165009545983a0b2c07c64b4e3a9877336 100644
--- a/app/models/listings.py
+++ b/app/models/listings.py
@@ -34,3 +34,22 @@ class Listings(db.Model):
     @classmethod
     def get_top_listings(cls, amount_of_listings=5):
         return cls.query.limit(amount_of_listings).all()
+
+    @classmethod
+    def delete_listing(cls, booking_id = None):
+
+        listing = cls.search_listing(booking_id)
+
+        if listing:
+            db.session.delete(listing)
+            db.session.commit()
+            return True
+
+        return False
+
+    @classmethod
+    def search_listing(cls, listing_id = None):
+        if listing_id == None:
+            return False
+
+        return cls.query.get(listing_id)
diff --git a/app/templates/admin/manage_bookings.html b/app/templates/admin/manage_bookings.html
index c25e690beea810cd400e02192f77cb38563b5c91..e3873d661af38a28a7a26c224aea25f5df10831c 100644
--- a/app/templates/admin/manage_bookings.html
+++ b/app/templates/admin/manage_bookings.html
@@ -230,7 +230,7 @@
             const confirmation_input = $('#conifrmation_input').val().trim();
             if (confirmation_input === 'CONFIRM') {
                 $.ajax({
-                    url: "{{ url_for('admin.get_bookings') }}", // TO CHANGE
+                    url: "{{ url_for('admin.delete_booking') }}",
                     method: "DELETE",
                     data: { id: delete_booking.data().id },
                     success: function() {
diff --git a/app/templates/base.html b/app/templates/base.html
index c628d89b82d6c2590bb528b5938c6db40118ee4d..76cdacc451b939cacdabb5325521caf8ad70f391 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -94,4 +94,14 @@
 {% endblock %}
 </div>
 </body>
+<script>
+    //Ensure CSRF token added to any internal requests including forms
+    $.ajaxSetup({
+        beforeSend: function(xhr, settings) {
+            if (!/^http(s)?:/.test(settings.url)) {
+                xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token() }}");
+            }
+        }
+});
+</script>
 </html>
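Review bot: The decorator swap on `get_bookings` from `super_admin_permission` to `admin_permission` widens read access to the bookings list, and nothing in the hunk or the visible file records why; a comment on the decorator, `# bookings are managed by any admin, not only super admins`, would make the new access level deliberate rather than incidental. The new `delete_booking` route in the following hunk is gated by the same `admin_permission`, so listing and deleting bookings now share one permission — worth confirming that is the intended policy. The body of get_bookings continues outside the hunk.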
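Review bot: `delete_booking` returns the same `false`/400 whether the `id` form field is absent or simply does not match a listing, so a client cannot tell a malformed request from a stale one, and the route keeps no record of which admin removed which listing. Splitting the two cases is three lines: `if booking_id is None: return jsonify(False), 400`, then `http_code = 200 if Listings.delete_listing(booking_id) else 404`, then `return jsonify(http_code == 200), http_code`; a `current_app.logger.info(...)` call naming the listing id and the acting user would give the destructive action an audit trail (the user object is not visible here, so which attribute to log is a guess). The function also has no docstring — one line such as `"""Delete the listing named by the `id` form field; admin only."""` is enough — and the file now ends without a trailing newline, as the `\ No newline at end of file` marker shows.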
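Review bot: `search_listing` returns `False` when `listing_id` is `None` but `None` (from `query.get`) when the id is unknown, so callers receive two different "not found" values; returning `None` in both cases — `if listing_id is None:` / `return None` — keeps the contract to one type and replaces the `== None` comparison with the idiomatic identity test. `delete_listing` calls `db.session.commit()` with no rollback path, so a failed commit propagates out of the classmethod with the session still in its failed state; whether that matters depends on the session teardown the app configures, which is not visible here. The `booking_id = None` / `listing_id = None` defaults should be written `booking_id=None` per PEP 8, and both new classmethods would benefit from a one-line docstring stating that they take a primary key and return the row or `None`. `Query.get` is also the legacy spelling in SQLAlchemy 2.x (`db.session.get(cls, listing_id)` is the current form), though the SQLAlchemy version in use is not visible in this diff.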
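Review bot: The `!/^http(s)?:/.test(settings.url)` guard treats every URL that does not begin with `http:`/`https:` as internal, so a protocol-relative URL (`//other-host/...`) or any other absolute form would still get the `X-CSRFToken` header attached and the token sent to that origin. jQuery already computes `settings.crossDomain` for each request, so `if (!settings.crossDomain && !/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type))` restricts the header to same-origin requests and skips it on safe methods, which is the pattern Flask-WTF documents for AJAX. The `<script>` block is also placed after `</body>`, outside the document body; moving it just before `</body>` keeps the markup valid, assuming jQuery is loaded earlier in the page (its include is not visible in this hunk). A short comment above the block, `// header name must match what the server-side CSRF check reads (Flask-WTF's CSRFProtect accepts X-CSRFToken by default)`, would tie the header to the check it pairs with.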