import logging from collections import OrderedDict from django.conf import settings from django.contrib import messages from django.contrib.auth.mixins import LoginRequiredMixin from django.db.models import Count from django.http import ( Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect, ) from django.shortcuts import get_object_or_404 from django.urls import reverse, reverse_lazy from django.utils import timezone from django.utils.decorators import method_decorator from django.views.decorators.csrf import csrf_exempt from django.views.generic import DetailView, FormView, ListView, View from django.views.generic.base import RedirectView from django.views.generic.detail import SingleObjectMixin from shop.models import ( CreditNote, EpayCallback, EpayPayment, Order, OrderProductRelation, Product, ProductCategory, ) from vendor.coinify.coinify_callback import CoinifyCallback from .coinify import ( create_coinify_invoice, process_coinify_invoice_json, save_coinify_callback, ) from .epay import calculate_epay_hash, validate_epay_callback from .forms import OrderProductRelationForm, OrderProductRelationFormSet logger = logging.getLogger("bornhack.%s" % __name__) # Mixins class EnsureCreditNoteHasPDFMixin(SingleObjectMixin): model = CreditNote def dispatch(self, request, *args, **kwargs): if not self.get_object().pdf: messages.error(request, "This creditnote has no PDF yet!") return HttpResponseRedirect(reverse_lazy("shop:creditnote_list")) return super(EnsureCreditNoteHasPDFMixin, self).dispatch( request, *args, **kwargs ) class EnsureUserOwnsCreditNoteMixin(SingleObjectMixin): model = CreditNote def dispatch(self, request, *args, **kwargs): # If the user does not own this creditnote OR is not staff if not request.user.is_staff: if self.get_object().user != request.user: raise Http404("CreditNote not found") return super(EnsureUserOwnsCreditNoteMixin, self).dispatch( request, *args, **kwargs ) class EnsureUserOwnsOrderMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): # If the user does not own this order OR is not staff if not request.user.is_staff: if self.get_object().user != request.user: raise Http404("Order not found") return super(EnsureUserOwnsOrderMixin, self).dispatch(request, *args, **kwargs) class EnsureUnpaidOrderMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): if self.get_object().paid: messages.error(request, "This order is already paid for!") return HttpResponseRedirect( reverse_lazy("shop:order_detail", kwargs={"pk": self.get_object().pk}) ) return super(EnsureUnpaidOrderMixin, self).dispatch(request, *args, **kwargs) class EnsurePaidOrderMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): if not self.get_object().paid: messages.error(request, "This order is not paid for!") return HttpResponseRedirect( reverse_lazy("shop:order_detail", kwargs={"pk": self.get_object().pk}) ) return super(EnsurePaidOrderMixin, self).dispatch(request, *args, **kwargs) class EnsureClosedOrderMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): if self.get_object().open is not None: messages.error(request, "This order is still open!") return HttpResponseRedirect( reverse_lazy("shop:order_detail", kwargs={"pk": self.get_object().pk}) ) return super(EnsureClosedOrderMixin, self).dispatch(request, *args, **kwargs) class EnsureOrderHasProductsMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): if not self.get_object().products.count() > 0: messages.error(request, "This order has no products!") return HttpResponseRedirect(reverse_lazy("shop:index")) return super(EnsureOrderHasProductsMixin, self).dispatch( request, *args, **kwargs ) class EnsureOrderIsNotCancelledMixin(SingleObjectMixin): model = Order def dispatch(self, request, *args, **kwargs): if self.get_object().cancelled: messages.error( request, "Order #{} is cancelled!".format(self.get_object().id) ) return HttpResponseRedirect(reverse_lazy("shop:index")) return super(EnsureOrderIsNotCancelledMixin, self).dispatch( request, *args, **kwargs ) # Shop views class ShopIndexView(ListView): model = Product template_name = "shop_index.html" context_object_name = "products" def get_queryset(self): queryset = super(ShopIndexView, self).get_queryset() return queryset.available().order_by( "category__weight", "category__name", "price", "name" ) def get_context_data(self, **kwargs): context = super(ShopIndexView, self).get_context_data(**kwargs) if "category" in self.request.GET: category = self.request.GET.get("category") # is this a public category try: categoryobj = ProductCategory.objects.get(slug=category) if not categoryobj.public: raise Http404("Category not found") except ProductCategory.DoesNotExist: raise Http404("Category not found") # filter products by the chosen category context["products"] = context["products"].filter(category__slug=category) context["current_category"] = categoryobj context["categories"] = ProductCategory.objects.annotate( num_products=Count("products") ).filter( num_products__gt=0, public=True, products__available_in__contains=timezone.now(), ) return context class ProductDetailView(FormView, DetailView): model = Product template_name = "product_detail.html" form_class = OrderProductRelationForm context_object_name = "product" def get_form_kwargs(self): kwargs = super().get_form_kwargs() if hasattr(self, "opr"): kwargs["instance"] = self.opr return kwargs def get_initial(self): if hasattr(self, "opr"): return {"quantity": self.opr.quantity} return None def get_context_data(self, **kwargs): # If the OrderProductRelation already exists it has a primary key in the database if self.request.user.is_authenticated and self.opr.pk: kwargs["already_in_order"] = True return super().get_context_data(**kwargs) def dispatch(self, request, *args, **kwargs): self.object = self.get_object() if not self.object.category.public: # this product is not publicly available raise Http404("Product not found") if self.request.user.is_authenticated: try: self.opr = OrderProductRelation.objects.get( order__user=self.request.user, order__open__isnull=False, product=self.object, ) except OrderProductRelation.DoesNotExist: self.opr = OrderProductRelation(product=self.get_object(), quantity=1) return super(ProductDetailView, self).dispatch(request, *args, **kwargs) def form_valid(self, form): opr = form.save(commit=False) if not opr.pk: opr.order, _ = Order.objects.get_or_create( user=self.request.user, open=True, cancelled=False ) opr.save() messages.info( self.request, "{}x {} has been added to your order.".format( opr.quantity, opr.product.name ), ) # done return super(ProductDetailView, self).form_valid(form) def get_success_url(self): return reverse("shop:index") class OrderListView(LoginRequiredMixin, ListView): model = Order template_name = "order_list.html" context_object_name = "orders" def get_queryset(self): queryset = super(OrderListView, self).get_queryset() return queryset.filter(user=self.request.user).not_cancelled() class OrderDetailView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureOrderHasProductsMixin, EnsureOrderIsNotCancelledMixin, DetailView, ): model = Order template_name = "order_detail.html" context_object_name = "order" def get_context_data(self, **kwargs): if "order_product_formset" not in kwargs: kwargs["order_product_formset"] = OrderProductRelationFormSet( queryset=OrderProductRelation.objects.filter(order=self.get_object()) ) return super().get_context_data(**kwargs) def get(self, request, *args, **kwargs): order = self.get_object() if order.open is None and not order.paid: return HttpResponseRedirect( reverse("shop:order_review_and_pay", kwargs={"pk": order.pk}) ) return super().get(request, *args, **kwargs) def post(self, request, *args, **kwargs): self.object = self.get_object() order = self.object # First check if the user is removing a product from the order. product_remove = request.POST.get("remove_product") if product_remove: order.orderproductrelation_set.filter(pk=product_remove).delete() if not order.products.count() > 0: order.mark_as_cancelled() messages.info(request, "Order cancelled!") return HttpResponseRedirect(reverse_lazy("shop:index")) # Then see if the user is cancelling the order. elif "cancel_order" in request.POST: order.mark_as_cancelled() messages.info(request, "Order cancelled!") return HttpResponseRedirect(reverse_lazy("shop:index")) # The user is not removing products or cancelling the order, # so from now on we do stuff that require us to check stock. # We use a formset for this to be able to display exactly # which product is not in stock if that is the case. else: formset = OrderProductRelationFormSet( request.POST, queryset=OrderProductRelation.objects.filter(order=order) ) # If the formset is not valid it means that we cannot fulfill the order, so return and inform the user. if not formset.is_valid(): messages.error( request, "Some of the products you are ordering are out of stock. Review the order and try again.", ) return self.render_to_response( self.get_context_data(order_product_formset=formset) ) # No stock issues, proceed to check if the user is updating or proceeding to review and pay the order. if "update_order" or "review_and_pay" in request.POST: # We have already made sure the formset is valid, so just save it to update quantities. formset.save() order.customer_comment = request.POST.get("customer_comment") or "" order.invoice_address = request.POST.get("invoice_address") or "" order.save() if "review_and_pay" in request.POST: return HttpResponseRedirect( reverse("shop:order_review_and_pay", kwargs={"pk": order.pk}) ) return super(OrderDetailView, self).get(request, *args, **kwargs) class OrderReviewAndPayView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureOrderHasProductsMixin, EnsureUnpaidOrderMixin, EnsureOrderIsNotCancelledMixin, DetailView, ): template_name = "order_review.html" context_object_name = "order" def post(self, request, *args, **kwargs): self.object = self.get_object() order = self.object payment_method = request.POST.get("payment_method") if payment_method in order.PAYMENT_METHODS: if not request.POST.get("accept_terms"): messages.error( request, "You need to accept the general terms and conditions before you can continue!", ) return self.render_to_response(self.get_context_data()) # Set payment method and mark the order as closed order.payment_method = payment_method order.open = None order.save() reverses = { Order.CREDIT_CARD: reverse_lazy( "shop:epay_form", kwargs={"pk": order.id} ), Order.BLOCKCHAIN: reverse_lazy( "shop:coinify_pay", kwargs={"pk": order.id} ), Order.BANK_TRANSFER: reverse_lazy( "shop:bank_transfer", kwargs={"pk": order.id} ), Order.IN_PERSON: reverse_lazy( "shop:in_person", kwargs={"pk": order.id} ), } return HttpResponseRedirect(reverses[payment_method]) class DownloadInvoiceView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, SingleObjectMixin, View ): model = Order def get(self, request, *args, **kwargs): """ The file we return is determined by the orders paid status. If the order is unpaid we return a proforma invoice PDF If the order is paid we return a normal Invoice PDF """ if self.get_object().paid: pdfobj = self.get_object().invoice else: pdfobj = self.get_object() if not pdfobj.pdf: messages.error(request, "No PDF has been generated yet!") return HttpResponseRedirect( reverse_lazy("shop:order_detail", kwargs={"pk": self.get_object().pk}) ) response = HttpResponse(content_type="application/pdf") response["Content-Disposition"] = 'attachment; filename="%s"' % pdfobj.filename response.write(pdfobj.pdf.read()) return response class CreditNoteListView(LoginRequiredMixin, ListView): model = CreditNote template_name = "creditnote_list.html" context_object_name = "creditnotes" def get_queryset(self): queryset = super().get_queryset() return queryset.filter(user=self.request.user) class DownloadCreditNoteView( LoginRequiredMixin, EnsureUserOwnsCreditNoteMixin, EnsureCreditNoteHasPDFMixin, SingleObjectMixin, View, ): model = CreditNote def get(self, request, *args, **kwargs): response = HttpResponse(content_type="application/pdf") response["Content-Disposition"] = ( 'attachment; filename="%s"' % self.get_object().filename ) response.write(self.get_object().pdf.read()) return response class OrderMarkAsPaidView(LoginRequiredMixin, SingleObjectMixin, View): model = Order def get(self, request, *args, **kwargs): if not request.user.is_staff: messages.error(request, "You do not have permissions to do that.") return HttpResponseRedirect(reverse_lazy("shop:index")) else: messages.success(request, "The order has been marked as paid.") order = self.get_object() order.mark_as_paid() return HttpResponseRedirect(request.META.get("HTTP_REFERER")) # Epay views class EpayFormView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureUnpaidOrderMixin, EnsureClosedOrderMixin, EnsureOrderHasProductsMixin, DetailView, ): model = Order template_name = "epay_form.html" def get_context_data(self, **kwargs): order = self.get_object() context = super(EpayFormView, self).get_context_data(**kwargs) context["merchant_number"] = settings.EPAY_MERCHANT_NUMBER context["description"] = order.description context["amount"] = order.total * 100 context["order_id"] = order.pk context["accept_url"] = order.get_epay_accept_url(self.request) context["cancel_url"] = order.get_cancel_url(self.request) context["callback_url"] = order.get_epay_callback_url(self.request) context["epay_hash"] = calculate_epay_hash(order, self.request) return context class EpayCallbackView(SingleObjectMixin, View): model = Order def get(self, request, *args, **kwargs): callback = EpayCallback.objects.create(payload=request.GET) if "orderid" in request.GET: query = OrderedDict( [tuple(x.split("=")) for x in request.META["QUERY_STRING"].split("&")] ) order = get_object_or_404(Order, pk=query.get("orderid")) if order.pk != self.get_object().pk: logger.error("bad epay callback, orders do not match!") return HttpResponse(status=400) if validate_epay_callback(query): callback.md5valid = True callback.save() else: logger.error("bad epay callback!") return HttpResponse(status=400) if order.paid: # this order is already paid, perhaps we are seeing a double callback? return HttpResponse("OK") # epay callback is valid - has the order been paid in full? if int(query["amount"]) == order.total * 100: # create an EpayPayment object linking the callback to the order EpayPayment.objects.create( order=order, callback=callback, txnid=query.get("txnid") ) # and mark order as paid (this will create tickets) order.mark_as_paid(request) else: logger.error("valid epay callback with wrong amount detected") else: return HttpResponse(status=400) return HttpResponse("OK") class EpayThanksView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureClosedOrderMixin, DetailView ): model = Order template_name = "epay_thanks.html" def dispatch(self, request, *args, **kwargs): if request.GET: # epay redirects the user back to our accepturl with a long # and ugly querystring, redirect user to the clean url return HttpResponseRedirect( reverse("shop:epay_thanks", kwargs={"pk": self.get_object().pk}) ) return super(EpayThanksView, self).dispatch(request, *args, **kwargs) # Bank Transfer view class BankTransferView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureUnpaidOrderMixin, EnsureOrderHasProductsMixin, DetailView, ): model = Order template_name = "bank_transfer.html" def get_context_data(self, **kwargs): context = super(BankTransferView, self).get_context_data(**kwargs) context["iban"] = settings.BANKACCOUNT_IBAN context["swiftbic"] = settings.BANKACCOUNT_SWIFTBIC context["orderid"] = self.get_object().pk context["regno"] = settings.BANKACCOUNT_REG context["accountno"] = settings.BANKACCOUNT_ACCOUNT context["total"] = self.get_object().total return context # In-person (izettle) payment view class PayInPersonView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureUnpaidOrderMixin, EnsureOrderHasProductsMixin, DetailView, ): model = Order template_name = "in_person.html" # Coinify views class CoinifyRedirectView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureUnpaidOrderMixin, EnsureClosedOrderMixin, EnsureOrderHasProductsMixin, SingleObjectMixin, RedirectView, ): model = Order def dispatch(self, request, *args, **kwargs): order = self.get_object() # create a new coinify invoice if needed if not order.coinifyapiinvoice: coinifyinvoice = create_coinify_invoice(order, request) if not coinifyinvoice: messages.error( request, "There was a problem with the payment provider. Please try again later", ) return HttpResponseRedirect( reverse_lazy( "shop:order_detail", kwargs={"pk": self.get_object().pk} ) ) return super(CoinifyRedirectView, self).dispatch(request, *args, **kwargs) def get_redirect_url(self, *args, **kwargs): return self.get_object().coinifyapiinvoice.invoicejson["payment_url"] class CoinifyCallbackView(SingleObjectMixin, View): model = Order @method_decorator(csrf_exempt) def dispatch(self, *args, **kwargs): return super(CoinifyCallbackView, self).dispatch(*args, **kwargs) def post(self, request, *args, **kwargs): # save callback and parse json payload callbackobject = save_coinify_callback(request, self.get_object()) # do we have a json body? if not callbackobject.payload: # no, return an error logger.error( "unable to parse JSON body in callback for order %s" % callbackobject.order.id ) return HttpResponseBadRequest("unable to parse json") # initiate SDK sdk = CoinifyCallback(settings.COINIFY_IPN_SECRET.encode("utf-8")) # attemt to validate the callbackc if sdk.validate_callback( request.body, request.META["HTTP_X_COINIFY_CALLBACK_SIGNATURE"] ): # mark callback as valid in db callbackobject.valid = True callbackobject.save() else: logger.error("invalid coinify callback detected") return HttpResponseBadRequest("something is fucky") if ( callbackobject.payload["event"] == "invoice_state_change" or callbackobject.payload["event"] == "invoice_manual_resend" ): process_coinify_invoice_json( invoicejson=callbackobject.payload["data"], order=self.get_object(), request=request, ) return HttpResponse("OK") else: logger.error( "unsupported callback event %s" % callbackobject.payload["event"] ) return HttpResponseBadRequest("unsupported event") class CoinifyThanksView( LoginRequiredMixin, EnsureUserOwnsOrderMixin, EnsureClosedOrderMixin, DetailView ): model = Order template_name = "coinify_thanks.html"