Avoid unothorised customer to buy in counter by modifying url

2024-06-26 16:38:06 +00:00 · 2017-03-27 23:24:25 +02:00 · 2017-03-27 23:24:25 +02:00 · ccd67e50b8
commit ccd67e50b8
parent 5eb1e609cc
2 changed files with 15 additions and 7 deletions
--- a/counter/models.py
+++ b/counter/models.py
@ -6,7 +6,7 @@ from django.core.urlresolvers import reverse
 from django.forms import ValidationError
 from django.contrib.sites.shortcuts import get_current_site

-from datetime import timedelta
+from datetime import timedelta, date
 import random
 import string
 import os
@ -35,6 +35,11 @@ class Customer(models.Model):
    def __str__(self):
        return "%s - %s" % (self.user.username, self.account_id)

+    @property
+    def can_buy(self):
+        return (self.user.subscriptions.last() and
+                (date.today() - self.user.subscriptions.last().subscription_end) < timedelta(days=90))
+
    def generate_account_id(number):
        number = str(number)
        letter = random.choice(string.ascii_lowercase)
--- a/counter/views.py
+++ b/counter/views.py
@ -1,4 +1,5 @@
-from django.shortcuts import render
+from django.shortcuts import render, get_object_or_404
+from django.http import Http404
 from django.core.exceptions import PermissionDenied
 from django.views.generic import ListView, DetailView, RedirectView, TemplateView
 from django.views.generic.edit import UpdateView, CreateView, DeleteView, ProcessFormView, FormMixin
@ -49,9 +50,7 @@ class GetUserForm(forms.Form):
            cus = Customer.objects.filter(account_id__iexact=cleaned_data['code']).first()
        elif cleaned_data['id'] is not None:
            cus = Customer.objects.filter(user=cleaned_data['id']).first()
-        sub = cus.user if cus is not None else None
-        if (cus is None or sub is None or not sub.subscriptions.last() or
-            (date.today() - sub.subscriptions.last().subscription_end) > timedelta(days=90)):
+        if (cus is None or not cus.can_buy):
            raise forms.ValidationError(_("User not found"))
        cleaned_data['user_id'] = cus.user.id
        cleaned_data['user'] = cus.user
@ -159,9 +158,14 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
    pk_url_kwarg = "counter_id"
    current_tab = "counter"

+    def dispatch(self, request, *args, **kwargs):
+        self.customer = get_object_or_404(Customer, user__id=self.kwargs['user_id'])
+        if not self.customer.can_buy:
+            raise Http404
+        return super(CounterClick, self).dispatch(request, *args, **kwargs)
+
    def get(self, request, *args, **kwargs):
        """Simple get view"""
-        self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
        if 'basket' not in request.session.keys(): # Init the basket session entry
            request.session['basket'] = {}
            request.session['basket_total'] = 0
@ -180,7 +184,6 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
    def post(self, request, *args, **kwargs):
        """ Handle the many possibilities of the post request """
        self.object = self.get_object()
-        self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
        self.refill_form = None
        if ((self.object.type != "BAR" and not request.user.is_authenticated()) or
                (self.object.type == "BAR" and