

Test that the users belong the project before settling
almet committed Jan 5, 2025
1 parent 87112ec commit 2647fda
Showing 3 changed files with 16 additions and 7 deletions.
4 changes: 4 additions & 0 deletions ihatemoney/models.py
Expand Up @@ -447,6 +447,10 @@ def remove_member(self, member_id):
db.session.commit()
return person

def has_member(self, member_id):
person = Person.query.get(member_id, self)
return person is not None

def remove_project(self):
# We can't import at top level without circular dependencies
from ihatemoney.history import purge_history
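Review bot: `has_member` passes the Project instance `self` as the second argument of `Person.query.get`, while the call this commit adds in ihatemoney/web.py passes `g.project.id`; unless the custom query's `get` accepts both a project object and a project id, one of the two call sites looks up with the wrong key and the membership check never matches — I cannot see the `get` definition from here, so this needs confirming. Align both call sites on one form, e.g. `person = Person.query.get(member_id, self.id)` if the query expects an id. Since callers use this as an authorization check, a docstring stating the contract would help: `"""Return True if *member_id* is a person of this project (project-scoped lookup)."""`. The lookup already fetches the Person, so returning it (or None) instead of a bool would let web.py avoid a second query for the same row.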
8 changes: 4 additions & 4 deletions ihatemoney/tests/budget_test.py
Expand Up @@ -1470,8 +1470,8 @@ def test_access_other_projects(self):
pirate = models.Person.query.filter(models.Person.id == 5).one()
assert pirate.name == "pirate"

# Try to add a new bill in another project
self.client.post(
# Try to add a new bill to another project
resp = self.client.post(
"/raclette/add",
data={
"date": "2017-01-01",
Expand All @@ -1488,7 +1488,7 @@ def test_access_other_projects(self):

# Try to add a new bill in our project that references members of another project.
# First with invalid payed_for IDs.
self.client.post(
resp = self.client.post(
"/tartiflette/add",
data={
"date": "2017-01-01",
Expand Down Expand Up @@ -1630,7 +1630,7 @@ def test_access_other_projects(self):
member = models.Person.query.filter(models.Person.id == 1).one_or_none()
assert member is None

# test new settle endpoint to add bills with wrong payer / payed_for
# test new settle endpoint to add bills with wrong ids
self.client.post("/exit")
self.client.post(
"/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
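Review bot: Both `resp = self.client.post(` assignments capture the response, but no assertion on `resp` is visible inside either hunk; if nothing below checks it (e.g. that the request is rejected and that no bill was created in the target project), the rename adds nothing and a regression in the new `has_member` guard would pass unnoticed. The test function `test_access_other_projects` starts before the first hunk and continues after the last, so the assertions may well be there — worth confirming they cover both the sender and the receiver case.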
11 changes: 8 additions & 3 deletions ihatemoney/web.py
Expand Up @@ -874,13 +874,18 @@ def add_settlement_bill():
)
return redirect(url_for(".settle_bill"))

# TODO: check that sender and receiver ID are valid and part of this project
# Ensure that the sender and receiver ID are valid and part of this project
receiver_id = form.receiver_id.data
sender_id = form.sender_id.data

if not g.project.has_member(sender_id):
return redirect(url_for(".settle_bill"))

settlement = Bill(
amount=form.amount.data,
date=datetime.datetime.today(),
owers=[Person.query.get(form.receiver_id.data)],
payer_id=form.sender_id.data,
owers=[Person.query.get(receiver_id, g.project.id)],
payer_id=sender_id,
project_default_currency=g.project.default_currency,
bill_type=BillType.REIMBURSEMENT,
what=_("Settlement"),
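Review bot: Only `sender_id` is checked with `has_member` before the Bill is built, so a `receiver_id` from another project still goes through `Person.query.get(receiver_id, g.project.id)` and, if that returns None as `has_member` itself assumes it can, ends up as `owers=[None]` — the comment above the check claims both IDs are verified. Guard both before building the settlement: `if not (g.project.has_member(sender_id) and g.project.has_member(receiver_id)):` followed by the existing redirect. The rejection is also silent; the branch just above the hunk appears to flash a message before its redirect, and this one should probably do the same so the user learns why nothing was recorded. `add_settlement_bill` continues past the hunk.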
