make it impossible for users to approve expenses they submitted themselves

This commit is contained in:
Thomas Steen Rasmussen 2018-08-30 01:35:37 +02:00
parent b2fa1dc92c
commit 8b3e00d9d4
3 changed files with 14 additions and 6 deletions

View file

@ -245,10 +245,10 @@ class ExpenseManageDetailView(CampViewMixin, EconomyTeamPermissionMixin, UpdateV
expense = form.save()
if 'approve' in form.data:
# approve button was pressed
expense.approve()
expense.approve(self.request)
elif 'reject' in form.data:
# reject button was pressed
expense.reject()
expense.reject(self.request)
else:
messages.error(self.request, "Unknown submit action")
return redirect(reverse('backoffice:expense_manage_list', kwargs={'camp_slug': self.camp.slug}))

View file

@ -4,13 +4,13 @@ from .models import Expense, Reimbursement
def approve_expenses(modeladmin, request, queryset):
for expense in queryset.all():
expense.approve()
expense.approve(request)
approve_expenses.short_description = "Approve Expenses"
def reject_expenses(modeladmin, request, queryset):
for expense in queryset.all():
expense.reject()
expense.reject(request)
reject_expenses.short_description = "Reject Expenses"

View file

@ -3,6 +3,7 @@ import os
from django.db import models
from django.conf import settings
from django.db import models
from django.contrib import messages
from utils.email import add_outgoing_email
from utils.models import CampRelatedModel, UUIDModel
@ -83,11 +84,15 @@ class Expense(CampRelatedModel, UUIDModel):
else:
return "Rejected"
def approve(self):
def approve(self, request):
"""
This method marks an expense as approved.
Approving an expense triggers an email to the economy system, and another email to the user who submitted the expense in the first place.
"""
if request.user == self.user:
messages.error(request, "You cannot approve your own expenses, aka. the anti-stein-bagger defence")
return
self.approved = True
self.save()
@ -109,7 +114,9 @@ class Expense(CampRelatedModel, UUIDModel):
to_recipients=[self.user.emailaddress_set.get(primary=True).email],
)
def reject(self):
messages.success(request, "Expense %s approved" % self.pk)
def reject(self, request):
"""
This method marks an expense as not approved.
Not approving an expense triggers an email to the user who submitted the expense in the first place.
@ -125,6 +132,7 @@ class Expense(CampRelatedModel, UUIDModel):
to_recipients=[self.user.emailaddress_set.get(primary=True).email],
)
messages.success(request, "Expense %s rejected" % self.pk)
class Reimbursement(CampRelatedModel, UUIDModel):
"""