mirror of
https://github.com/ae-utbm/sith.git
synced 2024-12-22 15:51:19 +00:00
Avoid unothorised customer to buy in counter by modifying url
This commit is contained in:
parent
5eb1e609cc
commit
ccd67e50b8
@ -6,7 +6,7 @@ from django.core.urlresolvers import reverse
|
||||
from django.forms import ValidationError
|
||||
from django.contrib.sites.shortcuts import get_current_site
|
||||
|
||||
from datetime import timedelta
|
||||
from datetime import timedelta, date
|
||||
import random
|
||||
import string
|
||||
import os
|
||||
@ -35,6 +35,11 @@ class Customer(models.Model):
|
||||
def __str__(self):
|
||||
return "%s - %s" % (self.user.username, self.account_id)
|
||||
|
||||
@property
|
||||
def can_buy(self):
|
||||
return (self.user.subscriptions.last() and
|
||||
(date.today() - self.user.subscriptions.last().subscription_end) < timedelta(days=90))
|
||||
|
||||
def generate_account_id(number):
|
||||
number = str(number)
|
||||
letter = random.choice(string.ascii_lowercase)
|
||||
|
@ -1,4 +1,5 @@
|
||||
from django.shortcuts import render
|
||||
from django.shortcuts import render, get_object_or_404
|
||||
from django.http import Http404
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.views.generic import ListView, DetailView, RedirectView, TemplateView
|
||||
from django.views.generic.edit import UpdateView, CreateView, DeleteView, ProcessFormView, FormMixin
|
||||
@ -49,9 +50,7 @@ class GetUserForm(forms.Form):
|
||||
cus = Customer.objects.filter(account_id__iexact=cleaned_data['code']).first()
|
||||
elif cleaned_data['id'] is not None:
|
||||
cus = Customer.objects.filter(user=cleaned_data['id']).first()
|
||||
sub = cus.user if cus is not None else None
|
||||
if (cus is None or sub is None or not sub.subscriptions.last() or
|
||||
(date.today() - sub.subscriptions.last().subscription_end) > timedelta(days=90)):
|
||||
if (cus is None or not cus.can_buy):
|
||||
raise forms.ValidationError(_("User not found"))
|
||||
cleaned_data['user_id'] = cus.user.id
|
||||
cleaned_data['user'] = cus.user
|
||||
@ -159,9 +158,14 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
|
||||
pk_url_kwarg = "counter_id"
|
||||
current_tab = "counter"
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
self.customer = get_object_or_404(Customer, user__id=self.kwargs['user_id'])
|
||||
if not self.customer.can_buy:
|
||||
raise Http404
|
||||
return super(CounterClick, self).dispatch(request, *args, **kwargs)
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
"""Simple get view"""
|
||||
self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
|
||||
if 'basket' not in request.session.keys(): # Init the basket session entry
|
||||
request.session['basket'] = {}
|
||||
request.session['basket_total'] = 0
|
||||
@ -180,7 +184,6 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
|
||||
def post(self, request, *args, **kwargs):
|
||||
""" Handle the many possibilities of the post request """
|
||||
self.object = self.get_object()
|
||||
self.customer = Customer.objects.filter(user__id=self.kwargs['user_id']).first()
|
||||
self.refill_form = None
|
||||
if ((self.object.type != "BAR" and not request.user.is_authenticated()) or
|
||||
(self.object.type == "BAR" and
|
||||
|
Loading…
Reference in New Issue
Block a user