Merge branch 'fix_346' into 'dev'

fix: Missing ACL check for some cotisation endpoints

See merge request re2o/re2o!626

cotisations/payment_methods/cheque/views.py

@@ -32,14 +32,16 @@ from django.utils.translation import ugettext as _
 from cotisations.models import Facture as Invoice
 from cotisations.utils import find_payment_method
 
+from re2o.acl import can_view
+
 from .forms import InvoiceForm
 from .models import ChequePayment
 
 
 @login_required
-def cheque(request, invoice_pk):
+@can_view(Invoice)
+def cheque(request, invoice, **_kwargs):
     """This view validate an invoice with the data from a cheque."""
-    invoice = get_object_or_404(Invoice, pk=invoice_pk)
     payment_method = find_payment_method(invoice.paiement)
     if invoice.valid or not isinstance(payment_method, ChequePayment):
         messages.error(request, _("You can't pay this invoice with a cheque."))

cotisations/payment_methods/comnpay/views.py

@@ -34,7 +34,10 @@ from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.translation import ugettext as _
 from django.views.decorators.csrf import csrf_exempt
 
+from re2o.acl import can_view
+
 from cotisations.models import Facture
+from cotisations.utils import find_payment_method
 
 from .comnpay import Transaction
 from .models import ComnpayPayment
@@ -42,13 +45,14 @@ from .models import ComnpayPayment
 
 @csrf_exempt
 @login_required
-def accept_payment(request, factureid):
+@can_view(Facture)
+def accept_payment(request, invoice, **_kwargs):
     """
     The view where the user is redirected when a comnpay payment has been
     accepted.
     """
-    invoice = get_object_or_404(Facture, id=factureid)
-    if invoice.valid:
+    payment_method = find_payment_method(invoice.paiement)
+    if invoice.valid and isinstance(payment_method, ComnpayPayment):
         messages.success(
             request,
             _("The payment of %(amount)s € was accepted.")