From 5eb1e609cc686c14796cc49c3d32e7d88c22c170 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Mon, 27 Mar 2017 22:47:24 +0200
Subject: [PATCH 1/5] Fixed tests issues

---
 core/views/forms.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/views/forms.py b/core/views/forms.py
index 1fd45cd9..8751095b 100644
--- a/core/views/forms.py
+++ b/core/views/forms.py
@@ -5,6 +5,7 @@
 from django.core.exceptions import ValidationError
 from django.contrib.auth import logout, login, authenticate
 from django.forms import CheckboxSelectMultiple, Select, DateInput, TextInput, DateTimeInput
 from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import ugettext
 from phonenumber_field.widgets import PhoneNumberInternationalFallbackWidget
 from ajax_select.fields import AutoCompleteSelectField
@@ -59,7 +60,7 @@ class SelectFile(TextInput):
             'title': _("Choose file"),
             'name': name,
         }
-        output += '' + _("Choose file") + ''
+        output += '' + ugettext("Choose file") + ''
         return output

 class SelectUser(TextInput):
@@ -73,7 +74,7 @@ class SelectUser(TextInput):
             'title': _("Choose user"),
             'name': name,
         }
-        output += '' + _("Choose user") + ''
+        output += '' + ugettext("Choose user") + ''
         return output

 # Forms
From ccd67e50b80cdae87835afee15a55ed19ef0ccbb Mon Sep 17 00:00:00 2001
From: klmp200
Date: Mon, 27 Mar 2017 23:24:25 +0200
Subject: [PATCH 2/5] Avoid unothorised customer to buy in counter by modifying url

---
 counter/models.py | 7 ++++++-
 counter/views.py | 15 +++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/counter/models.py b/counter/models.py
index cffae67e..f0cf0495 100644
--- a/counter/models.py
+++ b/counter/models.py
@@ -6,7 +6,7 @@
 from django.core.urlresolvers import reverse
 from django.forms import ValidationError
 from django.contrib.sites.shortcuts import get_current_site
-from datetime import timedelta
+from datetime import timedelta, date
 import random
 import string
 import os
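Review bot: The added import pulls a second name from the module already imported on the line above it, so the two can be one statement: `from django.utils.translation import ugettext, ugettext_lazy as _`. Switching the concatenations in SelectFile and SelectUser from `_` to `ugettext` is correct, since a lazy proxy cannot be added to a str; the `_("Choose file")` and `_("Choose user")` left in the attrs dicts are not concatenated and can stay lazy. The same point applies to both widget hunks below, which make identical changes.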
@@ -35,6 +35,11 @@ class Customer(models.Model):
     def __str__(self):
         return "%s - %s" % (self.user.username, self.account_id)

+    @property
+    def can_buy(self):
+        return (self.user.subscriptions.last() and
+                (date.today() - self.user.subscriptions.last().subscription_end) < timedelta(days=90))
+
     def generate_account_id(number):
         number = str(number)
         letter = random.choice(string.ascii_lowercase)
diff --git a/counter/views.py b/counter/views.py
index a703ae03..4116b433 100644
--- a/counter/views.py
+++ b/counter/views.py
@@ -1,4 +1,5 @@
-from django.shortcuts import render
+from django.shortcuts import render, get_object_or_404
+from django.http import Http404
 from django.core.exceptions import PermissionDenied
 from django.views.generic import ListView, DetailView, RedirectView, TemplateView
 from django.views.generic.edit import UpdateView, CreateView, DeleteView, ProcessFormView, FormMixin
@@ -49,9 +50,7 @@ class GetUserForm(forms.Form):
             cus = Customer.objects.filter(account_id__iexact=cleaned_data['code']).first()
         elif cleaned_data['id'] is not None:
             cus = Customer.objects.filter(user=cleaned_data['id']).first()
-        sub = cus.user if cus is not None else None
-        if (cus is None or sub is None or not sub.subscriptions.last() or
-                (date.today() - sub.subscriptions.last().subscription_end) > timedelta(days=90)):
+        if (cus is None or not cus.can_buy):
             raise forms.ValidationError(_("User not found"))
         cleaned_data['user_id'] = cus.user.id
         cleaned_data['user'] = cus.user
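Review bot: `can_buy` evaluates `self.user.subscriptions.last()` twice, so every check costs two queries and the two calls could in principle see different rows; bind it once: `sub = self.user.subscriptions.last()` followed by `return bool(sub and (date.today() - sub.subscription_end) < timedelta(days=90))`. The `bool()` also makes the property return False rather than None when there is no subscription. Note that the check this replaces in GetUserForm rejected with `> timedelta(days=90)` while the property accepts with `< timedelta(days=90)`, so a subscription that ended exactly 90 days ago is now refused; the commit message should say whether that is intended. `.last()` follows the Subscription model's default ordering, which is not visible here — if that ordering is not by end date, a subscription ending later than the most recently created one is ignored.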
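Review bot: The parentheses around the new condition in GetUserForm are redundant: `if cus is None or not cus.can_buy:`. The removed lines were the only visible users of `date` and `timedelta` in counter/views.py; if they were imported for this check alone (the import block is outside the hunk), they are now unused and can be dropped. The clean method containing this check starts outside the hunk.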
@@ -159,9 +158,14 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
     pk_url_kwarg = "counter_id"
     current_tab = "counter"

+    def dispatch(self, request, *args, **kwargs):
+        self.customer = get_object_or_404(Customer, user__id=self.kwargs['user_id'])
+        if not self.customer.can_buy:
+            raise Http404
+        return super(CounterClick, self).dispatch(request, *args, **kwargs)
+
     def get(self, request, *args, **kwargs):
         """Simple get view"""
-        self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
         if 'basket' not in request.session.keys(): # Init the basket session entry
             request.session['basket'] = {}
             request.session['basket_total'] = 0
@@ -180,7 +184,6 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
     def post(self, request, *args, **kwargs):
         """ Handle the many possibilities of the post request """
         self.object = self.get_object()
-        self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
         self.refill_form = None
         if ((self.object.type != "BAR" and not request.user.is_authenticated()) or
                 (self.object.type == "BAR" and
From 0d918d80d3235e44cc96693b71ffd09e07bb85f3 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 28 Mar 2017 00:17:09 +0200
Subject: [PATCH 3/5] Avoid negative value in refilings

---
 counter/views.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/counter/views.py b/counter/views.py
index 4116b433..4de20334 100644
--- a/counter/views.py
+++ b/counter/views.py
@@ -59,12 +59,10 @@ class GetUserForm(forms.Form):
 class RefillForm(forms.ModelForm):
     error_css_class = 'error'
     required_css_class = 'required'
+    amount = forms.FloatField(min_value=0, widget=forms.NumberInput(attrs={'class':'focus'}))
     class Meta:
         model = Refilling
         fields = ['amount', 'payment_method', 'bank']
-        widgets = {
-            'amount': forms.NumberInput(attrs={'class':'focus'},)
-        }

 class CounterTabsMixin(TabedViewMixin):
     def get_tabs_title(self):
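Review bot: The new `dispatch` loads the customer and raises before `super().dispatch` runs, so if CanViewMixin enforces access to the counter in its own `dispatch` (its name suggests so, but it is outside this hunk) the subscription check now runs ahead of that permission check, and a caller who would otherwise be refused still learns whether the given user_id is a buyable account from the 404. If that ordering is deliberate, a comment on the method should say so; otherwise perform the lookup in `get`/`post` after the mixin has run, as the removed lines did. Raising `Http404` for an existing customer without a valid subscription also conflates "unknown" with "not eligible"; a comment such as `# 404, not 403: an ineligible account must look like an unknown one` would document the choice, or `PermissionDenied` (already imported here) could be used instead.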
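Review bot: Declaring `amount` explicitly on RefillForm replaces the field Django would derive from `Refilling.amount`, so any validators or precision that model field declares (not visible here) no longer apply to form input, and `min_value=0` still accepts a refill of exactly 0. If a zero refill is not meaningful, `min_value=0.01` or a `clean_amount` that rejects `<= 0` closes that; if the model field is a DecimalField, `forms.DecimalField` would avoid float rounding of money. The form field also now validates independently of the `fields` list in Meta, which still names `'amount'`.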
From dfd465c7f920f76aea1e232a6aa0a31c1dc68272 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 28 Mar 2017 00:48:08 +0200
Subject: [PATCH 4/5] Fix bug where customer can't buy an item when they have the just amount

---
 counter/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/counter/views.py b/counter/views.py
index 4de20334..ab06c864 100644
--- a/counter/views.py
+++ b/counter/views.py
@@ -276,7 +276,7 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
             total_qty_mod_6 = self.get_total_quantity_for_pid(request, pid) % 6
             bq = int((total_qty_mod_6 + q) / 6) # Integer division
             q -= bq
-            if self.customer.amount < (total + q*float(price)): # Check for enough money
+            if self.customer.amount < (total + round(q*float(price),2)): # Check for enough money
                 request.session['not_enough'] = True
                 return False
             if product.limit_age >= 18 and not self.customer.user.date_of_birth:
From 63506b15066e2abe0069e3a362a0530a3e16de1f Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 28 Mar 2017 01:03:31 +0200
Subject: [PATCH 5/5] Protect stats from other users

---
 core/views/user.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/core/views/user.py b/core/views/user.py
index 32988906..63bccc4e 100644
--- a/core/views/user.py
+++ b/core/views/user.py
@@ -262,6 +262,14 @@ class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
     template_name = "core/user_stats.jinja"
     current_tab = 'stats'

+    def dispatch(self, request, *arg, **kwargs):
+        profile = self.get_object()
+
+        if (profile != request.user and not request.user.is_root):
+            raise PermissionDenied
+
+        return super(UserStatsView, self).dispatch(request, *arg, **kwargs)
+
     def get_context_data(self, **kwargs):
         kwargs = super(UserStatsView, self).get_context_data(**kwargs)
         from counter.models import Counter, Product, Selling
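Review bot: Rounding only the new line's cost to two decimals fixes the exact-amount case only if `total` and `self.customer.amount` are already two-decimal values; `total` is accumulated outside this hunk and may carry its own binary float error, so the comparison can still fail by a fraction of a cent. Rounding the whole right-hand side, `if self.customer.amount < round(total + q*float(price), 2): # Check for enough money`, or comparing in integer cents, covers both. The enclosing method starts and ends outside the hunk.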
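Review bot: `request.user.is_root` is evaluated for anonymous callers too, and if the anonymous user object does not provide `is_root` (the project's user model is not visible here) the view answers with a 500 instead of a 403; checking authentication first avoids that: `if not request.user.is_authenticated() or (profile != request.user and not request.user.is_root):`. `*arg` should be `*args` to match `CounterClick.dispatch` in the same series, and the parentheses around the condition are redundant. As in CounterClick, this check runs before CanViewMixin's own dispatch, and `self.get_object()` is called again by DetailView's `get`, so the profile is fetched twice per request.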