Fix counter permissions issues

2024-12-23 16:21:22 +00:00 · 2024-12-23 02:17:28 +01:00 · 2024-12-23 02:17:28 +01:00 · 022c19c020
commit 022c19c020
parent 2e5e217842
3 changed files with 87 additions and 8 deletions
--- a/counter/models.py
+++ b/counter/models.py
@ -527,7 +527,7 @@ class Counter(models.Model):
        if user.is_anonymous:
            return False
        mem = self.club.get_membership_for(user)
-        if mem and mem.role >= 7:
+        if mem and mem.role >= settings.SITH_CLUB_ROLES_ID["Treasurer"]:
            return True
        return user.is_in_group(pk=settings.SITH_GROUP_COUNTER_ADMIN_ID)

--- a/counter/tests/test_counter.py
+++ b/counter/tests/test_counter.py
@ -30,7 +30,7 @@ from freezegun import freeze_time
 from model_bakery import baker

 from club.models import Club, Membership
-from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
+from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
 from counter.baker_recipes import product_recipe
 from counter.models import (
@ -67,7 +67,11 @@ class FullClickSetup:
        sub.subscription_end = localdate() - timedelta(days=89)
        sub.save()

-        cls.customer_old_can_not_buy = old_subscriber_user.make()
+        cls.customer_old_can_not_buy = subscriber_user.make()
+        sub = cls.customer_old_can_not_buy.subscriptions.first()
+        sub.subscription_end = localdate() - timedelta(days=90)
+        sub.save()
+
        cls.customer_can_not_buy = baker.make(User)

        cls.club_counter = baker.make(Counter, type="OFFICE")
@ -448,7 +452,7 @@ class TestCounterClick(FullClickSetup, TestCase):
            assert resp.status_code == 302
            assert resp.url == resolve_url(self.counter)

-            assert self.updated_amount(self.banned_counter_customer) == Decimal("10")
+            assert self.updated_amount(user) == Decimal("10")

    def test_click_user_without_customer(self):
        self.login_in_bar()
@ -462,6 +466,81 @@ class TestCounterClick(FullClickSetup, TestCase):
            == 404
        )

+    def test_click_allowed_old_subscriber(self):
+        self.login_in_bar()
+        self.refill_user(self.customer_old_can_buy, 10)
+        assert (
+            self.submit_basket(
+                self.customer_old_can_buy,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+            ).status_code
+            == 302
+        )
+
+        assert self.updated_amount(self.customer_old_can_buy) == Decimal("7")
+
+    def test_click_wrong_counter(self):
+        self.login_in_bar()
+        self.refill_user(self.customer, 10)
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.other_counter,
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        # We want to test sending requests from another counter while
+        # we are currently registered to another counter
+        # so we connect to a counter and
+        # we create a new client, in order to check
+        # that using a client not logged to a counter
+        # where another client is logged still isn't authorized.
+        client = Client()
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.counter,
+                client=client,
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        assert self.updated_amount(self.customer) == Decimal("10")
+
+    def test_click_not_connected(self):
+        self.refill_user(self.customer, 10)
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.club_counter,
+            ).status_code
+            == 403
+        )
+
+        assert self.updated_amount(self.customer) == Decimal("10")
+
    def test_annotate_has_barman_queryset(self):
        """Test if the custom queryset method `annotate_has_barman` works as intended."""
        counters = Counter.objects.annotate_has_barman(self.barmen)
--- a/counter/views/click.py
+++ b/counter/views/click.py
@ -149,7 +149,7 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
    current_tab = "counter"

    def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC")
+        return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()

    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
@ -167,13 +167,13 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
        if not self.customer.can_buy or self.customer.user.is_banned_counter:
            return redirect(obj)  # Redirect to counter

-        if obj.type != "BAR" and not request.user.is_authenticated:
+        if obj.type == "OFFICE" and not obj.club.has_rights_in_club(request.user):
            raise PermissionDenied

        if obj.type == "BAR" and (
-            "counter_token" not in request.session
+            not obj.is_open
+            or "counter_token" not in request.session
            or request.session["counter_token"] != obj.token
-            or len(obj.barmen_list) == 0
        ):
            return redirect(obj)  # Redirect to counter