From b9634d77a42eeac0b49da5e19402f69318561ed8 Mon Sep 17 00:00:00 2001
From: Jean-Romain Garnier
Date: Sun, 13 Feb 2022 16:52:43 +0100
Subject: [PATCH] fix: Missing @can_view ACL for cotisation endpoints
---
 cotisations/payment_methods/cheque/views.py | 6 ++++--
 cotisations/payment_methods/comnpay/views.py | 10 +++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/cotisations/payment_methods/cheque/views.py b/cotisations/payment_methods/cheque/views.py
index c2df1165..41fd5116 100644
--- a/cotisations/payment_methods/cheque/views.py
+++ b/cotisations/payment_methods/cheque/views.py
@@ -32,14 +32,16 @@ from django.utils.translation import ugettext as _
 from cotisations.models import Facture as Invoice
 from cotisations.utils import find_payment_method
+from re2o.acl import can_view
+
 from .forms import InvoiceForm
 from .models import ChequePayment
 @login_required
-def cheque(request, invoice_pk):
+@can_view(Invoice)
+def cheque(request, invoice, **_kwargs):
 """This view validate an invoice with the data from a cheque."""
- invoice = get_object_or_404(Invoice, pk=invoice_pk)
 payment_method = find_payment_method(invoice.paiement)
 if invoice.valid or not isinstance(payment_method, ChequePayment):
 messages.error(request, _("You can't pay this invoice with a cheque."))
diff --git a/cotisations/payment_methods/comnpay/views.py b/cotisations/payment_methods/comnpay/views.py
index e7055b6b..17ca6786 100644
--- a/cotisations/payment_methods/comnpay/views.py
+++ b/cotisations/payment_methods/comnpay/views.py
@@ -34,7 +34,10 @@ from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.translation import ugettext as _
 from django.views.decorators.csrf import csrf_exempt
+from re2o.acl import can_view
+
 from cotisations.models import Facture
+from cotisations.utils import find_payment_method
 from .comnpay import Transaction
 from .models import ComnpayPayment
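Review bot: `@can_view(Invoice)` gates `cheque` on a read permission, while the docstring says the view validates the invoice, so it is worth confirming that view access is the intended authorization for this write path rather than a stricter check. A short comment such as `# invoice is resolved and permission-checked by @can_view(Invoice)` would record where the object now comes from, and the docstring could say that `**_kwargs` only absorbs leftover URL keywords (presumably the old `invoice_pk`). The diffstat shows only the two view files changed, so a regression test asserting that a logged-in user without access to the invoice is refused would keep the decorator from being dropped again; the same applies to `accept_payment` in comnpay/views.py. The body of `cheque` continues past the end of the hunk.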
@@ -42,13 +45,14 @@ from .models import ComnpayPayment
 @csrf_exempt
 @login_required
-def accept_payment(request, factureid):
+@can_view(Facture)
+def accept_payment(request, invoice, **_kwargs):
 """
 The view where the user is redirected when a comnpay payment has been accepted.
 """
- invoice = get_object_or_404(Facture, id=factureid)
- if invoice.valid:
+ payment_method = find_payment_method(invoice.paiement)
+ if invoice.valid and isinstance(payment_method, ComnpayPayment):
 messages.success(
 request,
 _("The payment of %(amount)s € was accepted.")
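Review bot: An invoice that is valid but was paid through another method now skips the success branch at `if invoice.valid and isinstance(payment_method, ComnpayPayment):` and falls through to whatever follows the `if`, which lies outside this hunk. If that path reports a refused payment, the user would see a misleading message for an invoice that is in fact valid, so the non-ComNpay case probably deserves its own explicit branch and message. The docstring could also state that `invoice` is resolved and permission-checked by `@can_view(Facture)` and that `**_kwargs` presumably absorbs the original `factureid` URL keyword. How a missing invoice id is handled now depends on the decorator rather than on `get_object_or_404`, which is not visible here and worth confirming.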