fix: Correct invoice permissions and disable post, patch, delete (#7312)
iamareebjamal authored Oct 2, 2020
1 parent 2aa9fe2 commit a0a7269
Showing 4 changed files with 247 additions and 127 deletions.
37 changes: 14 additions & 23 deletions app/api/event_invoices.py
Expand Up @@ -4,17 +4,14 @@
from flask_jwt_extended import current_user
from flask_rest_jsonapi import ResourceDetail, ResourceList, ResourceRelationship

from app.api.bootstrap import api
from app.api.helpers.db import safe_query, safe_query_kwargs, save_to_db
from app.api.helpers.db import safe_query, safe_query_by_id, safe_query_kwargs, save_to_db
from app.api.helpers.errors import BadRequestError, ForbiddenError
from app.api.helpers.payment import PayPalPaymentsManager
from app.api.helpers.permissions import is_admin, jwt_required
from app.api.helpers.query import event_query
from app.api.helpers.utilities import require_relationship
from app.api.orders import order_misc_routes
from app.api.schema.event_invoices import EventInvoiceSchema
from app.models import db
from app.models.discount_code import DiscountCode
from app.models.event_invoice import EventInvoice
from app.models.user import User
from app.settings import get_settings
Expand All @@ -25,43 +22,29 @@ class EventInvoiceList(ResourceList):
List and Create Event Invoices
"""

def before_post(self, args, kwargs, data):
"""
before post method to check for required relationship and proper permission
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event'], data)

def query(self, view_kwargs):
"""
query method for event invoice list
:param view_kwargs:
:return:
"""
user = current_user
if not user.is_staff:
user_id = view_kwargs.get('user_id')
if user_id != user.id and not user.is_staff:
raise ForbiddenError({'source': ''}, 'Admin access is required')

query_ = self.session.query(EventInvoice)
query_ = event_query(query_, view_kwargs)
if view_kwargs.get('user_id'):
if user_id:
user = safe_query_kwargs(User, view_kwargs, 'user_id')
query_ = query_.join(User).filter(User.id == user.id)
if view_kwargs.get('discount_code_id'):
discount_code = safe_query_kwargs(
DiscountCode, view_kwargs, 'discount_code_id',
)
query_ = query_.join(DiscountCode).filter(DiscountCode.id == discount_code.id)
return query_

view_kwargs = True
methods = [
'GET',
]
decorators = (api.has_permission('is_organizer',),)
decorators = (jwt_required,)
schema = EventInvoiceSchema
data_layer = {
'session': db.session,
Expand All @@ -86,8 +69,16 @@ def before_get_object(self, view_kwargs):
EventInvoice, view_kwargs, 'event_invoice_identifier', 'identifier'
)
view_kwargs['id'] = event_invoice.id
elif view_kwargs.get('id'):
event_invoice = safe_query_by_id(EventInvoice, view_kwargs['id'])

decorators = (is_admin,)
if not current_user.is_staff and event_invoice.user_id != current_user.id:
raise ForbiddenError({'source': ''}, 'Admin access is required')

methods = [
'GET',
]
decorators = (jwt_required,)
schema = EventInvoiceSchema
data_layer = {
'session': db.session,
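Review bot: In before_get_object, `event_invoice` is bound only inside the `if`/`elif` branches, so a request that reaches the handler with neither `event_invoice_identifier` nor a truthy `id` in view_kwargs fails at the new ownership check with UnboundLocalError (a 500) rather than a clean client error; an explicit `else: raise BadRequestError({'source': ''}, 'Invoice id or identifier is required')` before the check makes that path deliberate. The opening `if` line and the start of the method are outside the hunk. The message `'Admin access is required'` no longer describes the rule, since the invoice owner is also allowed through; `'Only the invoice owner or staff can access this invoice'` matches the check. The same wording point applies to the check added in EventInvoiceList.query, where a listing scoped by event or discount code carries no `user_id`, so every non-staff caller is refused there — if that is the intended tightening, a one-line comment such as `# Listing without a user_id scope is staff-only` would record it for the next reader.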
104 changes: 0 additions & 104 deletions docs/api/blueprint/invoices.apib
Expand Up @@ -155,110 +155,6 @@ Get a single event invoice.
}


### Update Event Invoices [PATCH]
Update a single event invoice by `id`.

+ `id` (integer) - ID of the record to update **(required)**

+ Request (application/vnd.api+json)

+ Headers

Authorization: JWT <Auth Key>

+ Body

{
"data": {
"attributes": {
"paypal-token": "1234",
"exp-year": "2100",
"transaction-id": "ae43awer",
"brand": "brand",
"payment-mode": "mode",
"stripe-token": "fssfda432",
"last4": "5445",
"exp-month": "10",
"amount": 500.0,
"paid-via": "stripe"
},
"type": "event-invoice",
"id": "1"
}
}

+ Response 200 (application/vnd.api+json)

{
"data": {
"relationships": {
"event": {
"links": {
"self": "/v1/event-invoices/5/relationships/event",
"related": "/v1/event-invoices/5/event"
}
},
"user": {
"links": {
"self": "/v1/event-invoices/5/relationships/user",
"related": "/v1/event-invoices/5/user"
}
}
},
"attributes": {
"status": "pending",
"identifier": "b88639c9-5a41-45ea-884d-977876baa08f",
"paypal-token": "1234",
"invoice-pdf-url": null,
"transaction-id": "ae43awer",
"brand": "brand",
"created-at": "2017-06-28T08:10:14.968538+00:00",
"payment-mode": "mode",
"stripe-token": "fssfda432",
"last4": "5445",
"exp-month": 10,
"amount": 500,
"completed-at": null,
"exp-year": 2100,
"paid-via": "stripe"
},
"type": "event-invoice",
"id": "5",
"links": {
"self": "/v1/event-invoices/5"
}
},
"jsonapi": {
"version": "1.0"
},
"links": {
"self": "/v1/event-invoices/5"
}
}

### Delete Event Invoices [DELETE]
Delete a single event invoice.

+ Request

+ Headers

Accept: application/vnd.api+json

Authorization: JWT <Auth Key>

+ Response 200 (application/vnd.api+json)

{
"meta": {
"message": "Object successfully deleted"
},
"jsonapi": {
"version": "1.0"
}
}


## Event Invoice List of an Event [/v1/events/{event_identifier}/event-invoices{?page%5bsize%5d,page%5bnumber%5d,sort,filter}]
+ Parameters
+ event_identifier: 1 (string) - identifier or event id of the event. (b8324ae2 is an example of identifier)
Empty file.

0 comments on commit a0a7269
