Fix missing user_id check in delete_thread

db/sqlite.py

@@ -131,16 +131,18 @@ class DB:
             (rowid,)
         ).fetchone()
 
-    def delete_thread(self, thread_id):
+    def delete_thread(self, user_id, thread_id):
         db = self._db()
-        db.execute('''
+        c = db.cursor()
+        c.execute('''
             delete
             from threads
-            where thread_id = ?
+            where thread_id = ? and author_id = ?
             ''',
-            (thread_id,)
+            (thread_id, user_id)
         )
         db.commit()
+        return c.rowcount > 0
 
     def add_comment_to_thread(self, thread_id, author_id, text, time):
         db = self._db()
@@ -153,9 +155,8 @@ class DB:
             ''',
             (thread_id, author_id, text, time, time, thread_id)
         )
-        rowid = c.lastrowid
         db.commit()
-        return rowid is not None
+        return c.rowcount > 0
 
     def add_comment_to_comment(self, parent_id, author_id, text, time):
         db = self._db()
@@ -170,9 +171,7 @@ class DB:
             (parent_id, author_id, text, time, time, parent_id)
         )
         print(c.lastrowid)
-        rowid = c.lastrowid
-        db.commit()
-        return rowid is not None
+        return c.rowcount > 0
 
     def _db(self):
         return sqlite3.connect(self.conn)

main.py

@@ -137,8 +137,15 @@ def confirm_delete_thread(thread_id):
 
 @app.route('/thread/<int:thread_id>/delete/', methods = ['POST'])
 def delete_thread(thread_id):
-    db.delete_thread(thread_id)
-    flash('Thread has been deleted', 'success')
+    user_id = session.get('user_id')
+    if user_id is None:
+        return redirect(url_for('login'))
+
+    if db.delete_thread(user_id, thread_id):
+        flash('Thread has been deleted', 'success')
+    else:
+        flash('Thread could not be removed', 'error')
+        # TODO return 403, maybe?
     return redirect(url_for('index'))
 
 @app.route('/thread/<int:thread_id>/comment/', methods = ['POST'])

static/theme.css

@@ -85,6 +85,12 @@ table.form > * > tr > td, th {
 }
 
 .flash.success {
+	background-color: lightgreen;
+	border-radius: 5px;
+	padding: 8px;
+}
+
+.flash.error {
 	background-color: #ff4646;
 	border-radius: 5px;
 	padding: 8px;