Пример #1
    def dispatch_request(self, patient_id, **kwargs):
        """Delete one detail object belonging to a patient.

        The patient is loaded by id (404 if it does not exist). The request
        is rejected with 403 unless the current user may edit the patient,
        may edit the target object, and the DeleteForm submission validates.
        When ``self.disease_group`` is set, ``disease_group_id`` is removed
        from ``kwargs`` and the matching DiseaseGroup is passed along to the
        detail service and to the response helpers.

        Returns ``self.not_found(...)`` when the service yields no object,
        otherwise ``self.deleted(patient, ...)`` once the delete is committed.
        """
        patient = Patient.query.get_or_404(patient_id)

        # Authorisation on the parent record is checked before anything else
        # is looked up.
        if not patient.can_edit(current_user):
            abort(403)

        extra_args = []

        # TODO permissions
        # NOTE(review): the disease group is fetched by id with no access
        # check of its own; only the patient and the target object are
        # checked against current_user in this method.
        if self.disease_group:
            group_id = kwargs.pop('disease_group_id')
            group = DiseaseGroup.query.get_or_404(group_id)
            extra_args.append(group)

        target = self.detail_service.get_object(patient, *extra_args, **kwargs)

        if target is None:
            return self.not_found(*extra_args)

        delete_form = DeleteForm()

        # Both conditions must hold; the form is only validated when the
        # object-level permission check has already passed.
        # NOTE(review): presumably DeleteForm validation includes the CSRF
        # token check - confirm against the form definition.
        permitted = target.can_edit(current_user) and delete_form.validate_on_submit()
        if not permitted:
            abort(403)

        db.session.delete(target)
        db.session.commit()

        flash('Deleted.', 'success')

        return self.deleted(patient, *extra_args)
Пример #2
def delete_post(post_id):
    """Delete a news post and redirect to the post list.

    Responds 404 when the post does not exist and 403 when the current user
    may not edit it or when the DeleteForm submission does not validate.
    """
    post = Post.query.get_or_404(post_id)

    # Permission check happens before the form is even constructed.
    if not post.can_edit(current_user):
        abort(403)

    form = DeleteForm()

    # Anything other than a valid form submission is refused outright.
    # NOTE(review): presumably DeleteForm validation includes the CSRF token
    # check - confirm against the form definition.
    if not form.validate_on_submit():
        abort(403)

    db.session.delete(post)
    db.session.commit()
    return redirect(url_for('news.view_posts'))
Пример #3
def delete_patient(patient_id):
    """Show the delete confirmation page for a patient, or delete on submit.

    Responds 404 when the patient does not exist and 403 when the current
    user may not edit it. Without a validated DeleteForm submission the
    confirmation template is rendered; with one, the patient is deleted and
    the user is redirected to the patient list.
    """
    patient = Patient.query.get_or_404(patient_id)

    # TODO probably shouldn't be able to delete a patient who belongs to non-editable units
    # NOTE(review): until that TODO is resolved, patient.can_edit() is the
    # only authorisation gate in front of the delete below.

    if not patient.can_edit(current_user):
        abort(403)

    delete_form = DeleteForm()

    # No valid submission: show the confirmation page instead of deleting.
    # NOTE(review): presumably DeleteForm validation includes the CSRF token
    # check - confirm against the form definition.
    if not delete_form.validate_on_submit():
        return render_template(
            'patient/delete.html',
            patient=patient,
            patient_data=get_patient_data(patient),
        )

    db.session.delete(patient)
    db.session.commit()
    flash('Patient deleted.', 'success')
    return redirect(url_for('patients.view_patient_list'))