From fe070304877b887c50faf051840731651d1ecac6 Mon Sep 17 00:00:00 2001
From: Khanh Ngo
Date: Tue, 4 Sep 2018 13:02:19 +0700
Subject: [PATCH] Only Administrator users can remove the history

---
 app/templates/admin_history.html | 2 +-
 app/views.py | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/templates/admin_history.html b/app/templates/admin_history.html
index 936cc7a..82f555b 100644
--- a/app/templates/admin_history.html
+++ b/app/templates/admin_history.html
@@ -23,7 +23,7 @@

History Management

-
diff --git a/app/views.py b/app/views.py
index 9c51a23..2a8d1e2 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1324,12 +1324,14 @@ def admin_manageaccount():
 @operator_role_required
 def admin_history():
     if request.method == 'POST':
+        if current_user.role != 'Administrator':
+            return make_response(jsonify( { 'status': 'error', 'msg': 'You do not have permission to remove history.' } ), 401)
+
         h = History()
         result = h.remove_all()
         if result:
             history = History(msg='Remove all histories', created_by=current_user.username)
             history.add()
-            return make_response(jsonify( { 'status': 'ok', 'msg': 'Changed user role successfully.' } ), 200)
         else:
             return make_response(jsonify( { 'status': 'error', 'msg': 'Can not remove histories.' } ), 500)
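Review bot: The removed `return make_response(... 200)` line leaves the `if result:` branch with no response, so a successful `remove_all()` by an Administrator now falls out of the POST block and, unless the code after the hunk also handles POST, the view returns None and Flask answers with a 500. The removed line's message was wrong (`Changed user role successfully.`), but it should be corrected rather than dropped: `return make_response(jsonify( { 'status': 'ok', 'msg': 'Removed all histories.' } ), 200)`. The new permission check answers 401, which signals a missing or invalid credential; for an authenticated user who lacks the role, 403 is the accurate status, so the added line should end `} ), 403)`. The role string comparison is inline in the view; if the file already has a decorator for the Administrator role alongside `@operator_role_required`, using it would keep the enforcement in one place, though here it must stay limited to POST since operators presumably still read the history via GET. admin_history's body continues past the end of the hunk.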