Fixed CanDelete

models/list_items_rights.go

@@ -1,9 +1,12 @@
 package models
 
 // CanDelete checks if the user can delete an item
-func (i *ListItem) CanDelete(doer *User) bool {
+func (i *ListItem) CanDelete(doer *User, id int64) bool {
+	// Get the item
+	lI, _ := GetListItemByID(id)
+
 	// A user can delete an item if he has write acces to its list
-	list, _ := GetListByID(i.ListID)
+	list, _ := GetListByID(lI.ListID)
 	return list.CanWrite(doer)
 }
 

models/list_rights.go

@@ -81,8 +81,9 @@ func (l *List) CanRead(user *User) bool {
 }
 
 // CanDelete checks if the user can delete a list
-func (l *List) CanDelete(doer *User) bool {
-	return l.IsAdmin(doer)
+func (l *List) CanDelete(doer *User, id int64) bool {
+	list, _ := GetListByID(id)
+	return list.IsAdmin(doer)
 }
 
 // CanUpdate checks if the user can update a list

models/rights.go

@@ -5,7 +5,7 @@ type Rights interface {
 	IsAdmin(*User) bool
 	CanWrite(*User) bool
 	CanRead(*User) bool
-	CanDelete(*User) bool
+	CanDelete(*User, int64) bool
 	CanUpdate(*User, int64) bool
 	CanCreate(*User, int64) bool
 }

routes/crud/delete.go

@@ -19,7 +19,7 @@ func (c *WebHandler) DeleteWeb(ctx echo.Context) error {
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError)
 	}
-	if !c.CObject.CanDelete(&user) {
+	if !c.CObject.CanDelete(&user, id) {
 		return echo.NewHTTPError(http.StatusForbidden)
 	}