fix: get superuser from user table instead of access token

hotosm · Oct 1, 2024 · 9d0766f · 9d0766f
1 parent 002ee20
commit 9d0766f
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/backend/app/projects/project_routes.py b/src/backend/app/projects/project_routes.py
@@ -31,6 +31,7 @@
 from app.users.user_schemas import AuthUser
 from app.tasks import task_schemas
 from app.utils import geojson_to_kml
+from app.users import user_schemas
 
 
 router = APIRouter(
@@ -152,9 +153,9 @@ async def delete_project_by_id(
         HTTPException: If the project is not found.
     """
     user_id = user_data.id
-
+    user = await user_schemas.DbUser.get_user_by_id(db, user_id)
     # Allow deletion if the user is the project creator or a superuser
-    if project.author_id != user_id and not user_data.is_superuser:
+    if project.author_id != user_id and not user.get("is_superuser"):
         raise HTTPException(
             status_code=HTTPStatus.FORBIDDEN,
             detail="User not authorized to delete this project.",