fix: Order of any kind should not be deleted except by admin (#6573)

* Only Admin should be allowed to delete an order.

* Remove redundant before_delete_object and raise proper exception.

* Required changes.

Co-authored-by: Areeb Jamal <[email protected]>

Author: prateekj117

app/api/orders.py

@@ -431,27 +431,13 @@ def after_update_object(self, order, data, view_kwargs):
                 send_notif_ticket_purchase_organizer(order.event.owner, order.invoice_number, order_url,
                                                      order.event.name, order.identifier)
 
-    def before_delete_object(self, order, view_kwargs):
-        """
-        method to check for proper permissions for deleting
-        :param order:
-        :param view_kwargs:
-        :return:
-        """
-        if not has_access('is_coorganizer', event_id=order.event.id):
-            raise ForbiddenException({'source': ''}, 'Access Forbidden')
-        elif order.amount and order.amount > 0 and (order.status == 'completed' or order.status == 'placed'):
-            raise ConflictException({'source': ''}, 'You cannot delete a placed/completed paid order.')
-
     # This is to ensure that the permissions manager runs and hence changes the kwarg from order identifier to id.
-    decorators = (jwt_required, api.has_permission(
-        'auth_required', methods="PATCH,DELETE", model=Order),)
+    decorators = (jwt_required, api.has_permission('is_admin', methods="DELETE", model=Order),)
     schema = OrderSchema
     data_layer = {'session': db.session,
                   'model': Order,
                   'methods': {
                       'before_update_object': before_update_object,
-                      'before_delete_object': before_delete_object,
                       'before_get_object': before_get_object,
                       'after_update_object': after_update_object
                   }}