From ab5b7612168c4040cc3a3e18584463b09159cacc Mon Sep 17 00:00:00 2001
From: Parsa Nazer
Date: Thu, 13 Mar 2025 19:01:20 +0330
Subject: [PATCH] delete item update and permisons for it
---
 backend/order/permissons.py | 15 +++++++++++++++
 backend/order/views.py | 18 ++++++++++--------
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 backend/order/permissons.py
diff --git a/backend/order/permissons.py b/backend/order/permissons.py
new file mode 100644
index 0000000..7b0ef86
--- /dev/null
+++ b/backend/order/permissons.py
@@ -0,0 +1,15 @@
+from rest_framework.permissions import BasePermission
+
+class CanDeleteCartItemPermissions(BasePermission):
+ message = "شما دسترسی حذف این ایتم رو ندارید"
+
+ def has_object_permission(self, request, view, obj):
+ if obj.order.user != request.user:
+ self.message = "این آیتم متعلق به سبد خرید شما نیست."
+ return False
+
+ if obj.order.status != 'CART':
+ self.message = "وضعیت سفارش سبد خرید نیست و آیتمی را نمی‌توانید حذف کنید."
+ return False
+
+ return True
\ No newline at end of file
diff --git a/backend/order/views.py b/backend/order/views.py
index 9c24245..2b771b4 100644
--- a/backend/order/views.py
+++ b/backend/order/views.py
@@ -8,6 +8,7 @@ from .serializers import *
 # from cart.models import
 from rest_framework import status
 from .models import OrderItemModel, OrderModel, DiscountCode
+from .permissons import CanDeleteCartItemPermissions
 try:
 pass
 except DiscountNotAvailableError:
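Review bot: The ownership branch of `has_object_permission` in permissons.py denies with its own message, and the view turns that into a 403 while an unknown pk gets a 404 from `get_object_or_404`, so a caller can tell which OrderItem ids exist in other users' orders. Making a foreign item indistinguishable from a missing one closes that signal: scope the lookup in the view, `order_item = get_object_or_404(OrderItemModel, pk=pk, order__user=request.user)`, and keep this class for the `status != 'CART'` rule only. The class also has no docstring; a one-line `"""Allow deleting an order item only for its owner while the order is still a cart."""` would state the contract. The module name `permissons.py` is misspelled and the import in views.py now depends on it, so renaming it to `permissions.py` is cheapest in this same commit.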
@@ -78,16 +79,17 @@ class CartItemViews(APIView): def delete(self, request, pk): - product_variant = get_object_or_404(ProductVariant, pk=pk) + order_item = get_object_or_404(OrderItemModel, pk=pk) + permission = CanDeleteCartItemPermissions() + + if not permission.has_object_permission(request, self, order_item): + return Response({"detail": permission.message}, status=status.HTTP_403_FORBIDDEN) - cart_order, created = OrderModel.objects.get_or_create( - user=request.user, - status='CART' - ) - order_item = get_object_or_404(OrderItemModel, order=cart_order, product=product_variant) order_item.delete() - return Response({'detail': f'محصول {product_variant.product.name} از سبد خرید پاک شد'}, status=status.HTTP_204_NO_CONTENT) - + return Response( + {"detail": f"محصول {order_item.product.name} از سبد خرید پاک شد"}, + status=status.HTTP_204_NO_CONTENT, + ) class CartView(APIView):
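Review bot: The success response in `delete` reads `order_item.product.name`, but the removed code matched the item with `product=product_variant` and took the name from `product_variant.product.name`, which suggests `OrderItemModel.product` is a ProductVariant and the name lives one relation further. If ProductVariant has no `name` attribute, the f-string raises after `order_item.delete()` has already run, so the client gets a 500 for a delete that actually succeeded; reading the name before the delete, `name = order_item.product.product.name`, avoids both problems. The permission is also instantiated and called by hand; declaring it in `permission_classes` and calling `self.check_object_permissions(request, order_item)` would route the denial through DRF's normal exception handling. `CartItemViews` starts above the hunk, so whether it already requires authentication is not visible here.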