make it impossible for users to approve expenses they submitted themselves

2018-08-30 01:35:37 +02:00 · 2018-08-30 01:35:37 +02:00 · 8b3e00d9d4
parent b2fa1dc92c
commit 8b3e00d9d4
3 changed files with 14 additions and 6 deletions
--- a/src/backoffice/views.py
+++ b/src/backoffice/views.py
@ -245,10 +245,10 @@ class ExpenseManageDetailView(CampViewMixin, EconomyTeamPermissionMixin, UpdateV
        expense = form.save()
        if 'approve' in form.data:
            # approve button was pressed
-            expense.approve()
+            expense.approve(self.request)
        elif 'reject' in form.data:
            # reject button was pressed
-            expense.reject()
+            expense.reject(self.request)
        else:
            messages.error(self.request, "Unknown submit action")
        return redirect(reverse('backoffice:expense_manage_list', kwargs={'camp_slug': self.camp.slug}))
--- a/src/economy/admin.py
+++ b/src/economy/admin.py
@ -4,13 +4,13 @@ from .models import Expense, Reimbursement

 def approve_expenses(modeladmin, request, queryset):
    for expense in queryset.all():
-        expense.approve()
+        expense.approve(request)
 approve_expenses.short_description = "Approve Expenses"


 def reject_expenses(modeladmin, request, queryset):
    for expense in queryset.all():
-        expense.reject()
+        expense.reject(request)
 reject_expenses.short_description = "Reject Expenses"


--- a/src/economy/models.py
+++ b/src/economy/models.py
@ -3,6 +3,7 @@ import os
 from django.db import models
 from django.conf import settings
 from django.db import models
+from django.contrib import messages

 from utils.email import add_outgoing_email
 from utils.models import CampRelatedModel, UUIDModel
@ -83,11 +84,15 @@ class Expense(CampRelatedModel, UUIDModel):
        else:
            return "Rejected"

-    def approve(self):
+    def approve(self, request):
        """
        This method marks an expense as approved.
        Approving an expense triggers an email to the economy system, and another email to the user who submitted the expense in the first place.
        """
+        if request.user == self.user:
+            messages.error(request, "You cannot approve your own expenses, aka. the anti-stein-bagger defence")
+            return
+
        self.approved = True
        self.save()

@ -109,7 +114,9 @@ class Expense(CampRelatedModel, UUIDModel):
            to_recipients=[self.user.emailaddress_set.get(primary=True).email],
        )

-    def reject(self):
+        messages.success(request, "Expense %s approved" % self.pk)
+
+    def reject(self, request):
        """
        This method marks an expense as not approved.
        Not approving an expense triggers an email to the user who submitted the expense in the first place.
@ -125,6 +132,7 @@ class Expense(CampRelatedModel, UUIDModel):
            to_recipients=[self.user.emailaddress_set.get(primary=True).email],
        )

+        messages.success(request, "Expense %s rejected" % self.pk)

 class Reimbursement(CampRelatedModel, UUIDModel):
    """