[GNUnet-SVN] [taler-bank] 03/04: querying non existent / non owned accou


From: gnunet
Subject: [GNUnet-SVN] [taler-bank] 03/04: querying non existent / non owned accounts
Date: Sun, 07 May 2017 13:08:44 +0200

This is an automated email from the git hooks/post-receive script.

marcello pushed a commit to branch master
in repository bank.

commit 139edb59372083a89622cc9d9212e99715e2973b
Author: Marcello Stanisci <address@hidden>
AuthorDate: Sun May 7 12:32:40 2017 +0200

    querying non existent / non owned accounts
---
 talerbank/app/tests.py | 16 ++++++++++++++++
 talerbank/app/views.py | 17 ++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/talerbank/app/tests.py b/talerbank/app/tests.py
index 929ab70..738d469 100644
--- a/talerbank/app/tests.py
+++ b/talerbank/app/tests.py
@@ -99,6 +99,7 @@ class HistoryTestCase(TestCase):
         ub.save() 
         user_passive = User.objects.create_user(username='UserP', 
password="PasswordP")
         ub_p = BankAccount(user=user_passive, currency=settings.TALER_CURRENCY)
+        ub_p.account_no = 2
         ub_p.save() 
         wire_transfer(dict(value=1, fraction=0, 
currency=settings.TALER_CURRENCY), ub, ub_p, subject="a")
         wire_transfer(dict(value=1, fraction=0, 
currency=settings.TALER_CURRENCY), ub, ub_p, subject="b")
@@ -142,6 +143,21 @@ class HistoryTestCase(TestCase):
                          **{"HTTP_X_TALER_BANK_USERNAME": "User", 
"HTTP_X_TALER_BANK_PASSWORD": "Password"})
         self.assertEqual(204, response.status_code)
 
+        # Get debit records
+        response = c.get(reverse("history", urlconf=urls), {"auth": "basic", 
"delta": "+1", "direction": "debit"},
+                         **{"HTTP_X_TALER_BANK_USERNAME": "User", 
"HTTP_X_TALER_BANK_PASSWORD": "Password"})
+        self.assertNotEqual(204, response.status_code)
+
+        # Query about non-owned account
+        response = c.get(reverse("history", urlconf=urls), {"auth": "basic", 
"delta": "+1", "account_number": 2},
+                         **{"HTTP_X_TALER_BANK_USERNAME": "User", 
"HTTP_X_TALER_BANK_PASSWORD": "Password"})
+        self.assertEqual(403, response.status_code)
+
+        # Query about non-existent account
+        response = c.get(reverse("history", urlconf=urls), {"auth": "basic", 
"delta": "+1", "account_number": 9},
+                         **{"HTTP_X_TALER_BANK_USERNAME": "User", 
"HTTP_X_TALER_BANK_PASSWORD": "Password"})
+        self.assertEqual(404, response.status_code)
+
 
 # This tests whether a bank account goes red and then
 # goes green again
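Review bot: The "Get debit records" check only asserts that the status is not 204, so a 403, 404 or 500 from the view would pass it just as well as a real result; pin the success path with `self.assertEqual(200, response.status_code)` and then verify that every record in the response body is a debit for "User". The 403 and 404 cases rely on account_no 2 belonging to UserP and 9 being unassigned, which holds only because setUp now sets `ub_p.account_no = 2` by hand; a comment such as `# account_no 9 is deliberately outside the numbers assigned in setUp` would make that dependency visible. Since the view passes the raw `account_number` query value to the ORM, a case with a non-numeric value (e.g. `"account_number": "abc"`) asserting a 4xx rather than a server error is also worth adding.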
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index fcdf7f0..98cf6d3 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -363,9 +363,22 @@ def history(request):
     direction = request.GET.get("direction")
 
     # target account
-    target_account = account_number = request.GET.get("account_number")
+    target_account = request.GET.get("account_number")
     if not target_account:
         target_account = user_account.bankaccount
+    else:
+        try:
+            target_account = BankAccount.objects.get(account_no=target_account)
+        except BankAccount.DoesNotExist:
+            return JsonResponse(dict(error="Queried account does not exist"), 
status=404)
+
+    # Temporarily only allowing querying for the user's owned unique
+    # account.  Future releases will give the way for user A to query
+    # about multiple accounts of his own, or others accounts from other
+    # users.
+
+    if target_account != user_account.bankaccount:
+        return JsonResponse(dict(error="Querying unowned accounts not 
allowed"), status=403)
 
     query_string = Q(debit_account=target_account) | 
Q(credit_account=target_account)
     history = []
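Review bot: The existence lookup in the `else` branch runs before the ownership check, so the 404/403 split lets any authenticated user probe which account numbers exist, even though the comment states that only the caller's own account may be queried for now. The raw `account_number` string is also handed to the ORM unparsed; for an integer `account_no` field Django raises ValueError on a non-numeric value (presumably the case here — confirm the field type), which would surface as a 500 instead of a 4xx. Parse the value, compare it with the caller's own account number first, and only then resolve the account, so unknown and unowned accounts both answer 403 uniformly; the new test in tests.py that expects 404 would then expect 403 instead. The body of `history()` begins before this hunk.
```python
    # target account
    target_account = request.GET.get("account_number")
    if not target_account:
        target_account = user_account.bankaccount
    else:
        try:
            requested_no = int(target_account)
        except ValueError:
            return JsonResponse(dict(error="Invalid account number"), status=400)
        # Refuse before any lookup so the response cannot reveal whether
        # other account numbers exist; only the caller's own account is
        # queryable for now.
        if requested_no != user_account.bankaccount.account_no:
            return JsonResponse(dict(error="Querying unowned accounts not allowed"), status=403)
        target_account = user_account.bankaccount
    # … unchanged: query_string / history initialisation …
```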
@@ -375,8 +388,6 @@ def history(request):
     if "debit" == direction:
         query_string = Q(debit_account=target_account)
 
-    # FIXME *DO* return 204 No content when history is empty.
-
     qs = BankTransaction.objects.filter(query_string, 
sign_filter).order_by("%sid" % sign)[:delta]
     if 0 == qs.count():
         return HttpResponse(status=204)
