metaservice/tickets/views/del_list.py

from django.contrib import messages
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.http import HttpResponse
from django.shortcuts import get_object_or_404, redirect, render

from tickets.models import TaskList
from tickets.utils import staff_check


@login_required
@user_passes_test(staff_check)
def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
    """Delete an entire list. Only staff members should be allowed to access this view.
    """
    task_list = get_object_or_404(TaskList, id=list_id)

    # Ensure user has permission to delete list. Get the group this list belongs to,
    # and check whether current user is a member of that group AND a staffer.
    if task_list.group not in request.user.groups.all():
        raise PermissionDenied    
    if not request.user.is_staff:
        raise PermissionDenied

    if request.method == "POST":
        TaskList.objects.get(id=task_list.id).delete()
        messages.success(request, "{list_name} is gone.".format(list_name=task_list.name))
        return redirect("tickets:lists")

    context = {
        "task_list": task_list
    }

    return render(request, "tickets/del_list.html", context)