Prevent superusers when they make a transaction with a non-member user

2025-06-20 17:41:55 +02:00 · 2020-08-05 20:40:30 +02:00
parent 2851d7764c
commit 018ca84e2d
5 changed files with 45 additions and 9 deletions
--- a/apps/note/api/serializers.py
+++ b/apps/note/api/serializers.py
@ -1,8 +1,12 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
+from django.utils import timezone
 from rest_framework import serializers
+from rest_framework.serializers import ListSerializer
 from rest_polymorphic.serializers import PolymorphicSerializer
+
+from member.api.serializers import MembershipSerializer
+from member.models import Membership
 from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 from rest_framework.utils import model_meta
@ -109,6 +113,8 @@ class ConsumerSerializer(serializers.ModelSerializer):

    email_confirmed = serializers.SerializerMethodField()

+    membership = serializers.SerializerMethodField()
+
    class Meta:
        model = Alias
        fields = '__all__'
@ -127,6 +133,17 @@ class ConsumerSerializer(serializers.ModelSerializer):
            return obj.note.user.profile.email_confirmed
        return True

+    def get_membership(self, obj):
+        if isinstance(obj.note, NoteUser):
+            memberships = Membership.objects.filter(
+                PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter(
+                user=obj.note.user,
+                club=2,  # Kfet
+            ).order_by("-date_start")
+            if memberships.exists():
+                return MembershipSerializer().to_representation(memberships.first())
+        return None
+

 class TemplateCategorySerializer(serializers.ModelSerializer):
    """
--- a/apps/note/models/transactions.py
+++ b/apps/note/models/transactions.py
@ -202,7 +202,8 @@ class Transaction(PolymorphicModel):
        When saving, also transfer money between two notes
        """
        with transaction.atomic():
-            self.refresh_from_db()
+            if self.pk:
+                self.refresh_from_db()
            self.source.refresh_from_db()
            self.destination.refresh_from_db()
            self.validate(False)