[GNUnet-SVN] [taler-bank] 01/02: check that the user who is rejecting a
From: |
gnunet |
Subject: |
[GNUnet-SVN] [taler-bank] 01/02: check that the user who is rejecting a transaction was the credit party in that transaction. |
Date: |
Fri, 08 Dec 2017 17:48:02 +0100 |
This is an automated email from the git hooks/post-receive script.
marcello pushed a commit to branch master
in repository bank.
commit 82cc63876601ad935495cce41346dc4e1e55fa3b
Author: Marcello Stanisci <address@hidden>
AuthorDate: Fri Dec 8 17:46:32 2017 +0100
check that the user who is rejecting a transaction
was the credit party in that transaction.
---
talerbank/app/views.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index 47aced9..14c3e6e 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -451,6 +451,7 @@ def reject(request, user_account):
try:
validate_reject_request(data)
except (FVE, RFVE) as exc:
+ LOGGER.error("invalid %s" % exc.fieldname)
return JsonResponse({"error": "invalid '%s'" % exc.fieldname},
status=400)
try:
trans = BankTransaction.objects.get(id=data["row_id"])
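Review bot: The added log call formats the message eagerly with `%` instead of handing the argument to the logger; the logging idiom is `LOGGER.error("invalid %s", exc.fieldname)`, which defers formatting to the handler and keeps the field name as a structured argument. Since this branch reports a malformed client request rather than a fault in the bank, `LOGGER.warning(...)` would also keep error-level output reserved for server-side failures. reject's body starts before this hunk and continues past it.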
@@ -460,7 +461,10 @@ def reject(request, user_account):
# WARNING: here the bank must make sure 'row_id' points to
# a transaction where the requesting user owns the credit account.
# Not even a bug number exists on this.
-
+ if trans.credit_account.account_no != user_account.bankaccount.account_no:
+ LOGGER.error("you can only reject a transaction where you _got_ money")
+ return JsonResponse({"error": "you can only reject a transaction where
you _got_ money"},
+ status=401) # Unauthorized
try:
wire_transfer(trans.amount, user_account.bankaccount,
trans.debit_account, "/reject: reimbursement",
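Review bot: The new ownership check answers an authorization failure with 401, but the requester is already authenticated (user_account is resolved before this hunk), so 403 Forbidden is the correct status; 401 signals missing or invalid credentials and, per RFC 7235, is expected to carry a WWW-Authenticate header, so the added status line should read `status=403)  # Forbidden`. The log line on that path records only a fixed sentence; for audit and abuse detection it should name the parties, e.g. `LOGGER.error("reject of row %s by account %s, but credit account is %s", data["row_id"], user_account.bankaccount.account_no, trans.credit_account.account_no)`. The WARNING comment kept as context above the check now describes a gap this commit closes; reword it to state the invariant, e.g. `# Only the credit party of 'row_id' may reject it; enforced below.` The JsonResponse string literal appears split across two lines, which looks like mail wrapping rather than the committed source. reject continues outside the hunk in both directions, so whether an already-rejected transaction can be rejected again is not visible here.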
--