From 018ca84e2d2a558d3d4a687c6a882e308db9f7b2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 5 Aug 2020 20:40:30 +0200 Subject: [PATCH] Prevent superusers when they make a transaction with a non-member user --- apps/note/api/serializers.py | 19 ++++++++++++++++++- apps/note/models/transactions.py | 3 ++- static/js/base.js | 5 ++++- static/js/consos.js | 3 +++ static/js/transfer.js | 24 ++++++++++++++++++------ 5 files changed, 45 insertions(+), 9 deletions(-) diff --git a/apps/note/api/serializers.py b/apps/note/api/serializers.py index 99ee2cc1..b4fceeda 100644 --- a/apps/note/api/serializers.py +++ b/apps/note/api/serializers.py @@ -1,8 +1,12 @@ # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay # SPDX-License-Identifier: GPL-3.0-or-later - +from django.utils import timezone from rest_framework import serializers +from rest_framework.serializers import ListSerializer from rest_polymorphic.serializers import PolymorphicSerializer + +from member.api.serializers import MembershipSerializer +from member.models import Membership from note_kfet.middlewares import get_current_authenticated_user from permission.backends import PermissionBackend from rest_framework.utils import model_meta @@ -109,6 +113,8 @@ class ConsumerSerializer(serializers.ModelSerializer): email_confirmed = serializers.SerializerMethodField() + membership = serializers.SerializerMethodField() + class Meta: model = Alias fields = '__all__' @@ -127,6 +133,17 @@ class ConsumerSerializer(serializers.ModelSerializer): return obj.note.user.profile.email_confirmed return True + def get_membership(self, obj): + if isinstance(obj.note, NoteUser): + memberships = Membership.objects.filter( + PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter( + user=obj.note.user, + club=2, # Kfet + ).order_by("-date_start") + if memberships.exists(): + return MembershipSerializer().to_representation(memberships.first()) + return None + class TemplateCategorySerializer(serializers.ModelSerializer): """ diff --git a/apps/note/models/transactions.py b/apps/note/models/transactions.py index 3d7aeb58..6a5d4680 100644 --- a/apps/note/models/transactions.py +++ b/apps/note/models/transactions.py @@ -202,7 +202,8 @@ class Transaction(PolymorphicModel): When saving, also transfer money between two notes """ with transaction.atomic(): - self.refresh_from_db() + if self.pk: + self.refresh_from_db() self.source.refresh_from_db() self.destination.refresh_from_db() self.validate(False) diff --git a/static/js/base.js b/static/js/base.js index 52fce901..5400bf5d 100644 --- a/static/js/base.js +++ b/static/js/base.js @@ -105,8 +105,10 @@ function displayStyle(note) { css += " text-danger"; else if (balance < 0) css += " text-warning"; - if (!note.email_confirmed) + else if (!note.email_confirmed) css += " text-white bg-primary"; + else if (note.membership && note.membership.date_end < new Date().toISOString()) + css += "text-white bg-info"; return css; } @@ -263,6 +265,7 @@ function autoCompleteNote(field_id, note_list_id, notes, notes_display, alias_pr consumers.results.forEach(function (consumer) { let note = consumer.note; note.email_confirmed = consumer.email_confirmed; + note.membership = consumer.membership; let extra_css = displayStyle(note); aliases_matched_html += li(alias_prefix + '_' + consumer.id, consumer.name, diff --git a/static/js/consos.js b/static/js/consos.js index cb6b730f..a953eee3 100644 --- a/static/js/consos.js +++ b/static/js/consos.js @@ -218,6 +218,9 @@ function consume(source, source_alias, dest, quantity, amount, reason, type, cat addMsg("Attention, La transaction depuis la note " + source_alias + " a été réalisée avec " + "succès, mais la note émettrice " + source_alias + " est en négatif.", "warning", 30000); + if (source.note.membership && source.note.membership.date_end > new Date().toISOString()) + addMsg("Attention : la note émettrice " + source.name + " n'est plus adhérente.", + "danger", 30000); } reset(); }).fail(function (e) { diff --git a/static/js/transfer.js b/static/js/transfer.js index 88368a27..6e2f183c 100644 --- a/static/js/transfer.js +++ b/static/js/transfer.js @@ -260,6 +260,13 @@ $("#btn_transfer").click(function() { "destination": dest.note.id, "destination_alias": dest.name }).done(function () { + if (source.note.membership && source.note.membership.date_end > new Date().toISOString()) + addMsg("Attention : la note émettrice " + source.name + " n'est plus adhérente.", + "danger", 30000); + if (dest.note.membership && dest.note.membership.date_end > new Date().toISOString()) + addMsg("Attention : la note destination " + dest.name + " n'est plus adhérente.", + "danger", 30000); + if (!isNaN(source.note.balance)) { let newBalance = source.note.balance - source.quantity * dest.quantity * amount; if (newBalance <= -5000) { @@ -327,19 +334,22 @@ $("#btn_transfer").click(function() { } else if ($("#type_credit").is(':checked') || $("#type_debit").is(':checked')) { let special_note = $("#credit_type").val(); let user_note; + let alias; let given_reason = reason; let source_id, dest_id; if ($("#type_credit").is(':checked')) { - user_note = dests_notes_display[0].note.id; + user_note = dests_notes_display[0].note; + alias = dests_notes_display[0].name; source_id = special_note; - dest_id = user_note; + dest_id = user_note.id; reason = "Crédit " + $("#credit_type option:selected").text().toLowerCase(); if (given_reason.length > 0) reason += " (" + given_reason + ")"; } else { - user_note = sources_notes_display[0].note.id; - source_id = user_note; + user_note = sources_notes_display[0].note; + alias = sources_notes_display[0].name; + source_id = user_note.id; dest_id = special_note; reason = "Retrait " + $("#credit_type option:selected").text().toLowerCase(); if (given_reason.length > 0) @@ -355,14 +365,16 @@ $("#btn_transfer").click(function() { "polymorphic_ctype": SPECIAL_TRANSFER_POLYMORPHIC_CTYPE, "resourcetype": "SpecialTransaction", "source": source_id, - "source_alias": sources_notes_display.length ? sources_notes_display[0].name : null, + "source_alias": sources_notes_display.length ? alias : null, "destination": dest_id, - "destination_alias": dests_notes_display.length ? dests_notes_display[0].name : null, + "destination_alias": dests_notes_display.length ? alias : null, "last_name": $("#last_name").val(), "first_name": $("#first_name").val(), "bank": $("#bank").val() }).done(function () { addMsg("Le crédit/retrait a bien été effectué !", "success", 10000); + if (user_note.membership && user_note.membership.date_end > new Date().toISOString()) + addMsg("Attention : la note " + alias + " n'est plus adhérente.", "danger", 10000); reset(); }).fail(function (err) { let errObj = JSON.parse(err.responseText);