From 5ba404ac584df22a3d0030f1305d37b6500f1781 Mon Sep 17 00:00:00 2001 From: kolaente Date: Mon, 20 Apr 2026 10:52:08 +0200 Subject: [PATCH] refactor(handler): extract DoDelete from DeleteWeb --- pkg/web/handler/core.go | 39 +++++++++++++++++++++++++++++++++++++++ pkg/web/handler/delete.go | 37 +------------------------------------ 2 files changed, 40 insertions(+), 36 deletions(-) diff --git a/pkg/web/handler/core.go b/pkg/web/handler/core.go index abb7954a1..1499ea673 100644 --- a/pkg/web/handler/core.go +++ b/pkg/web/handler/core.go @@ -173,3 +173,42 @@ func DoUpdate(_ context.Context, obj CObject, a web.Auth) error { events.DispatchPending(s) return nil } + +// DoDelete runs the permission check + model Delete + commit pipeline for a +// CObject. Framework-agnostic. Caller is responsible for path binding before +// calling. +func DoDelete(_ context.Context, obj CObject, a web.Auth) error { + s := db.NewSession() + defer func() { + if err := s.Close(); err != nil { + log.Errorf("Could not close session: %s", err) + } + }() + + canDelete, err := obj.CanDelete(s, a) + if err != nil { + _ = s.Rollback() + events.CleanupPending(s) + return err + } + if !canDelete { + _ = s.Rollback() + events.CleanupPending(s) + log.Warningf("Tried to delete while not having the permissions for it (User: %v)", a) + return echo.NewHTTPError(http.StatusForbidden, "Forbidden") + } + + if err := obj.Delete(s, a); err != nil { + _ = s.Rollback() + events.CleanupPending(s) + return err + } + + if err := s.Commit(); err != nil { + events.CleanupPending(s) + return err + } + + events.DispatchPending(s) + return nil +} diff --git a/pkg/web/handler/delete.go b/pkg/web/handler/delete.go index 249a5390e..7a4dc466e 100644 --- a/pkg/web/handler/delete.go +++ b/pkg/web/handler/delete.go @@ -21,8 +21,6 @@ import ( "fmt" "net/http" - "code.vikunja.io/api/pkg/db" - "code.vikunja.io/api/pkg/events" "code.vikunja.io/api/pkg/log" "code.vikunja.io/api/pkg/models" "code.vikunja.io/api/pkg/modules/auth" @@ -56,42 +54,9 @@ func (c *WebHandler) DeleteWeb(ctx *echo.Context) error { return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.").Wrap(err) } - // Create the db session - s := db.NewSession() - defer func() { - err = s.Close() - if err != nil { - log.Errorf("Could not close session: %s", err) - } - }() - - canDelete, err := currentStruct.CanDelete(s, currentAuth) - if err != nil { - _ = s.Rollback() - events.CleanupPending(s) + if err := DoDelete(ctx.Request().Context(), currentStruct, currentAuth); err != nil { return err } - if !canDelete { - _ = s.Rollback() - events.CleanupPending(s) - log.Warningf("Tried to delete while not having the permissions for it (User: %v)", currentAuth) - return echo.NewHTTPError(http.StatusForbidden, "Forbidden") - } - - err = currentStruct.Delete(s, currentAuth) - if err != nil { - _ = s.Rollback() - events.CleanupPending(s) - return err - } - - err = s.Commit() - if err != nil { - events.CleanupPending(s) - return err - } - - events.DispatchPending(s) return ctx.JSON(http.StatusOK, message{"Successfully deleted."}) }