ynerant
/
nk20
mirror of https://gitlab.crans.org/bde/nk20
1
0
Fork 0
Code Issues Releases Wiki Activity

Prevent superusers when they make a transaction with a non-member user

This commit is contained in:
Yohann D'ANELLO 2020-08-05 20:40:30 +02:00
parent 2851d7764c
commit 018ca84e2d
5 changed files with 45 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
apps/note/api/serializers.py
View File

@ -1,8 +1,12 @@
# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
from django.utils import timezone
from rest_framework import serializers from rest_framework import serializers
from rest_framework.serializers import ListSerializer
from rest_polymorphic.serializers import PolymorphicSerializer from rest_polymorphic.serializers import PolymorphicSerializer
from member.api.serializers import MembershipSerializer
from member.models import Membership
from note_kfet.middlewares import get_current_authenticated_user from note_kfet.middlewares import get_current_authenticated_user
from permission.backends import PermissionBackend from permission.backends import PermissionBackend
from rest_framework.utils import model_meta from rest_framework.utils import model_meta
@ -109,6 +113,8 @@ class ConsumerSerializer(serializers.ModelSerializer):
email_confirmed = serializers.SerializerMethodField() email_confirmed = serializers.SerializerMethodField()
membership = serializers.SerializerMethodField()
class Meta: class Meta:
model = Alias model = Alias
fields = '__all__' fields = '__all__'
@ -127,6 +133,17 @@ class ConsumerSerializer(serializers.ModelSerializer):
return obj.note.user.profile.email_confirmed return obj.note.user.profile.email_confirmed
return True return True
def get_membership(self, obj):
if isinstance(obj.note, NoteUser):
memberships = Membership.objects.filter(
PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter(
user=obj.note.user,
club=2, # Kfet
).order_by("-date_start")
if memberships.exists():
return MembershipSerializer().to_representation(memberships.first())
return None
class TemplateCategorySerializer(serializers.ModelSerializer): class TemplateCategorySerializer(serializers.ModelSerializer):
""" """

1
apps/note/models/transactions.py
View File

@ -202,6 +202,7 @@ class Transaction(PolymorphicModel):
When saving, also transfer money between two notes When saving, also transfer money between two notes
""" """
with transaction.atomic(): with transaction.atomic():
if self.pk:
self.refresh_from_db() self.refresh_from_db()
self.source.refresh_from_db() self.source.refresh_from_db()
self.destination.refresh_from_db() self.destination.refresh_from_db()

5
static/js/base.js
View File

@ -105,8 +105,10 @@ function displayStyle(note) {
css += " text-danger"; css += " text-danger";
else if (balance < 0) else if (balance < 0)
css += " text-warning"; css += " text-warning";
if (!note.email_confirmed) else if (!note.email_confirmed)
css += " text-white bg-primary"; css += " text-white bg-primary";
else if (note.membership && note.membership.date_end < new Date().toISOString())
css += "text-white bg-info";
return css; return css;
} }
@ -263,6 +265,7 @@ function autoCompleteNote(field_id, note_list_id, notes, notes_display, alias_pr
consumers.results.forEach(function (consumer) { consumers.results.forEach(function (consumer) {
let note = consumer.note; let note = consumer.note;
note.email_confirmed = consumer.email_confirmed; note.email_confirmed = consumer.email_confirmed;
note.membership = consumer.membership;
let extra_css = displayStyle(note); let extra_css = displayStyle(note);
aliases_matched_html += li(alias_prefix + '_' + consumer.id, aliases_matched_html += li(alias_prefix + '_' + consumer.id,
consumer.name, consumer.name,

3
static/js/consos.js
View File

@ -218,6 +218,9 @@ function consume(source, source_alias, dest, quantity, amount, reason, type, cat
addMsg("Attention, La transaction depuis la note " + source_alias + " a été réalisée avec " + addMsg("Attention, La transaction depuis la note " + source_alias + " a été réalisée avec " +
"succès, mais la note émettrice " + source_alias + " est en négatif.", "succès, mais la note émettrice " + source_alias + " est en négatif.",
"warning", 30000); "warning", 30000);
if (source.note.membership && source.note.membership.date_end > new Date().toISOString())
addMsg("Attention : la note émettrice " + source.name + " n'est plus adhérente.",
"danger", 30000);
} }
reset(); reset();
}).fail(function (e) { }).fail(function (e) {

24
static/js/transfer.js
View File

@ -260,6 +260,13 @@ $("#btn_transfer").click(function() {
"destination": dest.note.id, "destination": dest.note.id,
"destination_alias": dest.name "destination_alias": dest.name
}).done(function () { }).done(function () {
if (source.note.membership && source.note.membership.date_end > new Date().toISOString())
addMsg("Attention : la note émettrice " + source.name + " n'est plus adhérente.",
"danger", 30000);
if (dest.note.membership && dest.note.membership.date_end > new Date().toISOString())
addMsg("Attention : la note destination " + dest.name + " n'est plus adhérente.",
"danger", 30000);
if (!isNaN(source.note.balance)) { if (!isNaN(source.note.balance)) {
let newBalance = source.note.balance - source.quantity * dest.quantity * amount; let newBalance = source.note.balance - source.quantity * dest.quantity * amount;
if (newBalance <= -5000) { if (newBalance <= -5000) {
@ -327,19 +334,22 @@ $("#btn_transfer").click(function() {
} else if ($("#type_credit").is(':checked') || $("#type_debit").is(':checked')) { } else if ($("#type_credit").is(':checked') || $("#type_debit").is(':checked')) {
let special_note = $("#credit_type").val(); let special_note = $("#credit_type").val();
let user_note; let user_note;
let alias;
let given_reason = reason; let given_reason = reason;
let source_id, dest_id; let source_id, dest_id;
if ($("#type_credit").is(':checked')) { if ($("#type_credit").is(':checked')) {
user_note = dests_notes_display[0].note.id; user_note = dests_notes_display[0].note;
alias = dests_notes_display[0].name;
source_id = special_note; source_id = special_note;
dest_id = user_note; dest_id = user_note.id;
reason = "Crédit " + $("#credit_type option:selected").text().toLowerCase(); reason = "Crédit " + $("#credit_type option:selected").text().toLowerCase();
if (given_reason.length > 0) if (given_reason.length > 0)
reason += " (" + given_reason + ")"; reason += " (" + given_reason + ")";
} }
else { else {
user_note = sources_notes_display[0].note.id; user_note = sources_notes_display[0].note;
source_id = user_note; alias = sources_notes_display[0].name;
source_id = user_note.id;
dest_id = special_note; dest_id = special_note;
reason = "Retrait " + $("#credit_type option:selected").text().toLowerCase(); reason = "Retrait " + $("#credit_type option:selected").text().toLowerCase();
if (given_reason.length > 0) if (given_reason.length > 0)
@ -355,14 +365,16 @@ $("#btn_transfer").click(function() {
"polymorphic_ctype": SPECIAL_TRANSFER_POLYMORPHIC_CTYPE, "polymorphic_ctype": SPECIAL_TRANSFER_POLYMORPHIC_CTYPE,
"resourcetype": "SpecialTransaction", "resourcetype": "SpecialTransaction",
"source": source_id, "source": source_id,
"source_alias": sources_notes_display.length ? sources_notes_display[0].name : null, "source_alias": sources_notes_display.length ? alias : null,
"destination": dest_id, "destination": dest_id,
"destination_alias": dests_notes_display.length ? dests_notes_display[0].name : null, "destination_alias": dests_notes_display.length ? alias : null,
"last_name": $("#last_name").val(), "last_name": $("#last_name").val(),
"first_name": $("#first_name").val(), "first_name": $("#first_name").val(),
"bank": $("#bank").val() "bank": $("#bank").val()
}).done(function () { }).done(function () {
addMsg("Le crédit/retrait a bien été effectué !", "success", 10000); addMsg("Le crédit/retrait a bien été effectué !", "success", 10000);
if (user_note.membership && user_note.membership.date_end > new Date().toISOString())
addMsg("Attention : la note " + alias + " n'est plus adhérente.", "danger", 10000);
reset(); reset();
}).fail(function (err) { }).fail(function (err) {
let errObj = JSON.parse(err.responseText); let errObj = JSON.parse(err.responseText);