From 0e44c36e090a37fae50afbf9e7356a0715e8fbea Mon Sep 17 00:00:00 2001
From: Stef
Date: Wed, 2 Jul 2025 16:08:25 +0200
Subject: [PATCH] Restrict food deletion to item owner

Added a check to ensure only the owner of a FoodItem can delete it. This improves security by preventing unauthorized deletions.
---
 application/admin/routes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/application/admin/routes.py b/application/admin/routes.py
index 772e917..b006dad 100644
--- a/application/admin/routes.py
+++ b/application/admin/routes.py
@@ -32,7 +32,7 @@ def barcode_test():
 def delete_food(id):
 item = FoodItem.query.get(id)
 if item:
- # if item.owner_id == current_user.id:
- db.session.delete(item)
- db.session.commit()
+ if item.owner_id == current_user.id:
+ db.session.delete(item)
+ db.session.commit()
 return redirect(url_for("admin.food_items"))
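Review bot: The new ownership check in `delete_food` denies silently: a request for another user's item, or for an id that does not exist, falls through to the same `redirect(url_for("admin.food_items"))` as a successful delete, so neither the caller nor the logs can tell a refusal from a success. Consider explicit responses before the delete, `if item is None: abort(404)` and `if item.owner_id != current_user.id: abort(403)` (with `abort` imported from `flask`), and a log line on the 403 path so attempted cross-user deletions are detectable. The route decorators sit outside the hunk, so two things need confirming there: assuming Flask-Login, `current_user.id` raises `AttributeError` for an anonymous user unless the view is behind `@login_required`, and if the route accepts GET the delete should be limited to POST with CSRF protection. Since this lives in the admin blueprint, it is also worth stating in a comment whether admins are meant to be exempt from the owner restriction.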