-@app.route("/motion/<int:motion>/cancel", methods=['POST'])
-def cancel_motion(motion):
- rv = get_db().prepare("SELECT type FROM motion WHERE id=$1")(motion);
- if len(rv) == 0:
- return "Error, Not found", 404
- if not may("cancel", rv[0].get("type")):
- return "Forbidden", 403
+def validate_motion_access(privilege):
+ def decorator(f):
+ def decorated_function(motion):
+ db = get_db()
+ with db.xact():
+ rv = db.prepare("SELECT id, type, deadline < CURRENT_TIMESTAMP AS expired, canceled FROM motion WHERE identifier=$1 AND host=$2")(motion, request.host);
+ if len(rv) == 0:
+ return "Error, Not found", 404
+ id = rv[0].get("id")
+ if not may(privilege, rv[0].get("type")):
+ return "Forbidden", 403
+ if rv[0].get("canceled") is not None:
+ return "Error, motion was canceled", 403
+ if rv[0].get("expired"):
+ return "Error, out of time", 403
+ return f(motion, id)
+ decorated_function.__name__ = f.__name__
+ return decorated_function
+ return decorator
+
+@app.route("/motion/<string:motion>/cancel", methods=['POST'])
+@validate_motion_access('cancel')
+def cancel_motion(motion, id):