Fix admin panel delete post functionality

[mtthwm]

On the post admin page, the delete button doesn't work. When you click, it basically just reloads the page. I made some quick modifications to get it working by copying what the "POST" route does.

Summary by CodeRabbit

• New Features
  • Added post deletion functionality to the admin panel. Users can now delete posts directly from the admin interface.

[coderabbitai]

📝 Walkthrough

Walkthrough

A POST request handler was added to the admin posts route to enable post deletion. When a delete button is submitted, the handler calls delete_post with the provided post ID and redirects to the admin posts page. The existing GET logic remains unchanged.

Changes

Cohort / File(s)	Summary
Admin Post Deletion Handler app/routes/admin_panel_posts.py	Added POST request handling to delete posts when a delete button is clicked, with redirect to admin posts page. Imported delete_post utility function.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A button for posts to disappear,
With a hop and a click, so sincere,
The admin now dances with glee,
Delete, redirect, swift as can be! 🎀

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description lacks required sections from the template including the Fixes issue reference and detailed Proposed Changes list.	Add the issue number in 'Fixes #' format and expand Proposed Changes with bullet points detailing the modifications made to implement the delete functionality.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: fixing the delete post functionality in the admin panel, which matches the core purpose of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can enable review details to help with troubleshooting, context usage and more.

Enable the reviews.review_details setting to include review details such as the model used, the time taken for each step and more in the review comments.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/routes/admin_panel_posts.py`:
- Around line 22-25: When handling the POST branch that checks for
"post_delete_button", validate the post_id before using it: use
request.form.get("post_id") (or check "post_id" in request.form and that it's
not empty), and if missing/empty, avoid calling delete_post and instead return
an appropriate response (e.g., flash an error and redirect back to
"/admin/posts" or abort with a 400). Update the block that references
"post_delete_button", request.form and delete_post to perform this presence
check and handle the error path.
- Around line 19-25: Current code only checks for "username" in session before
allowing delete_post; add an admin-role check like in
admin_panel.py/admin_panel_users.py to prevent non-admins from deleting.
Specifically, after confirming "username" in session, verify session.get("role")
(or the same session key used in admin_panel.py) equals the admin role
constant/string and only then call delete_post(request.form["post_id"]);
otherwise redirect or abort (e.g., redirect("/admin") or return a 403). Update
the POST branch handling (around delete_post) to perform this role check and
mirror the behavior used by admin_panel.py/admin_panel_users.py.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 737e18ac-0f1b-4f9b-8a9c-1f7da7cb5b72

📥 Commits

Reviewing files that changed from the base of the PR and between fe7a05a and 5bf498a.

📒 Files selected for processing (1)

• app/routes/admin_panel_posts.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check how admin authorization is handled in other admin panel routes

# Search for admin role checks in admin panel routes
rg -n -C3 'admin|role|permission' --glob '**/admin*.py'

Repository: DogukanUrker/FlaskBlog

Length of output: 9724

---

Add admin role verification before allowing post deletion.

The code only checks if a user is logged in ("username" in session) but does not verify admin privileges. This allows any authenticated user to delete posts. Other admin routes correctly verify admin role (admin_panel.py, admin_panel_users.py). Add a role check similar to those routes before executing delete_post().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/routes/admin_panel_posts.py` around lines 19 - 25, Current code only
checks for "username" in session before allowing delete_post; add an admin-role
check like in admin_panel.py/admin_panel_users.py to prevent non-admins from
deleting. Specifically, after confirming "username" in session, verify
session.get("role") (or the same session key used in admin_panel.py) equals the
admin role constant/string and only then call
delete_post(request.form["post_id"]); otherwise redirect or abort (e.g.,
redirect("/admin") or return a 403). Update the POST branch handling (around
delete_post) to perform this role check and mirror the behavior used by
admin_panel.py/admin_panel_users.py.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing validation for post_id form field.

If the form contains post_delete_button but post_id is missing or empty, this will raise a KeyError. Validate presence before use.

🛡️ Proposed fix to add validation

         if request.method == "POST":
             if "post_delete_button" in request.form:
+                post_id = request.form.get("post_id")
+                if not post_id:
+                    return redirect("/admin/posts")
-                delete_post(request.form["post_id"])
+                delete_post(post_id)
                 return redirect("/admin/posts")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if request.method == "POST":
	if "post_delete_button" in request.form:
	delete_post(request.form["post_id"])
	return redirect("/admin/posts")
	if request.method == "POST":
	if "post_delete_button" in request.form:
	post_id = request.form.get("post_id")
	if not post_id:
	return redirect("/admin/posts")
	delete_post(post_id)
	return redirect("/admin/posts")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/routes/admin_panel_posts.py` around lines 22 - 25, When handling the POST
branch that checks for "post_delete_button", validate the post_id before using
it: use request.form.get("post_id") (or check "post_id" in request.form and that
it's not empty), and if missing/empty, avoid calling delete_post and instead
return an appropriate response (e.g., flash an error and redirect back to
"/admin/posts" or abort with a 400). Update the block that references
"post_delete_button", request.form and delete_post to perform this presence
check and handle the error path.