diff --git a/backend/api/invoices/delete.py b/backend/api/invoices/delete.py
index be9507a8..ffc1d765 100644
--- a/backend/api/invoices/delete.py
+++ b/backend/api/invoices/delete.py
@@ -1,10 +1,9 @@
 from django.contrib import messages
-from django.http import HttpRequest, JsonResponse, QueryDict, HttpResponse
+from django.http import HttpRequest, JsonResponse, QueryDict, HttpResponse, HttpResponseRedirect
 from django.shortcuts import render
-from django.urls import resolve
+from django.urls import resolve, reverse
 from django.urls.exceptions import Resolver404
 from django.views.decorators.http import require_http_methods
-
 from backend.models import Invoice, QuotaLimit
 
 
diff --git a/backend/api/receipts/delete.py b/backend/api/receipts/delete.py
index 33a9a397..c966a12d 100644
--- a/backend/api/receipts/delete.py
+++ b/backend/api/receipts/delete.py
@@ -1,31 +1,37 @@
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
-from django.http import HttpRequest, JsonResponse
-from django.shortcuts import render
+from django.http import HttpRequest, JsonResponse, HttpResponse, HttpResponseRedirect, QueryDict
+from django.shortcuts import render, redirect
+from django.urls import resolve, Resolver404, reverse
 from django.views.decorators.http import require_http_methods
-
 from backend.models import Receipt
 
 
 @require_http_methods(["DELETE"])
 @login_required
 def receipt_delete(request: HttpRequest, id: int):
-    receipt = Receipt.objects.filter(id=id).first()
+    try:
+        receipt = Receipt.objects.get(id=id)
+    except Receipt.DoesNotExist:
+        return JsonResponse({"message": "Receipt not found"}, status=404)
+
     if not receipt:
         return JsonResponse(status=404, data={"message": "Receipt not found"})
 
-    if request.user.logged_in_as_team and receipt.organization != request.user.logged_in_as_team:
-        return JsonResponse(status=403, data={"message": "Forbidden"})
-    elif receipt.user != request.user:
-        return JsonResponse(status=403, data={"message": "Forbidden"})
-
-    # QuotaLimit.delete_quota_usage("receipts-count", request.user, receipt.id, receipt.date_uploaded) # Don't want to delete receipts
-    # from records because it does cost us PER receipt. So makes sense not to allow Upload, delete, upload .. etc
+    if not receipt.has_access(request.user):
+        return JsonResponse({"message": "You do not have permission to delete this invoice"}, status=404)
 
     receipt.delete()
-    messages.success(request, "Receipt deleted")
-    return render(
-        request,
-        "pages/receipts/_search_results.html",
-        {"receipts": Receipt.objects.filter(user=request.user).order_by("-date")},
-    )
+    messages.success(request, f"Receipt deleted with the name of {receipt.name}")
+    if request.user.logged_in_as_team:
+        return render(
+            request,
+            "pages/receipts/_search_results.html",
+            {"receipts": Receipt.objects.filter(organization=request.user.logged_in_as_team).order_by("-date")},
+        )
+    else:
+        return render(
+            request,
+            "pages/receipts/_search_results.html",
+            {"receipts": Receipt.objects.filter(user=request.user).order_by("-date")},
+        )
diff --git a/backend/api/receipts/new.py b/backend/api/receipts/new.py
index 6bc41208..a5a65fe8 100644
--- a/backend/api/receipts/new.py
+++ b/backend/api/receipts/new.py
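Review bot: The permission branch in receipt_delete answers with status 404 but a body of "You do not have permission to delete this invoice", which names the wrong object type and tells the caller the receipt exists while using the not-found status; the code it replaces returned 403. Either keep the denial explicit, `return JsonResponse({"message": "You do not have permission to delete this receipt"}, status=403)`, or, if a 404 is meant to hide the receipt's existence from other users, return exactly the same body as the DoesNotExist branch so the two responses are indistinguishable. The `if not receipt:` check after the try/except is now unreachable, because `Receipt.objects.get` either returns an instance or raises, and can be dropped. The added imports (HttpResponse, HttpResponseRedirect, QueryDict, redirect, resolve, Resolver404, reverse) are not used anywhere in this hunk, and the same holds for HttpResponseRedirect and reverse in the invoices/delete.py import hunk, unless code outside the diff relies on them.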
@@ -34,22 +34,25 @@ def receipt_create(request: HttpRequest):
     if not date:
         date = None
 
-    receipt = Receipt(
-        name=name,
-        image=file,
-        date=date,
-        merchant_store=merchant_store,
-        purchase_category=purchase_category,
-        total_price=total_price,
-    )
+    receipt_data = {
+        "name": name,
+        "image": file,
+        "date": date,
+        "merchant_store": merchant_store,
+        "purchase_category": purchase_category,
+        "total_price": total_price,
+    }
 
     if request.user.logged_in_as_team:
-        receipt.organization = request.user.logged_in_as_team
+        receipt_data["organization"] = request.user.logged_in_as_team
+        receipts = Receipt.objects.filter(organization=request.user.logged_in_as_team).order_by("-date")
     else:
-        receipt.user = request.user
+        receipt_data["user"] = request.user
+        receipts = Receipt.objects.filter(user=request.user).order_by("-date")
 
-    receipt.save()
+    receipt = Receipt(**receipt_data)
     QuotaUsage.create_str(request.user, "receipts-count", receipt.id)
+    receipt.save()
     # r = requests.post(
     #     "https://ocr.asprise.com/api/receipt",
     #     data={
@@ -74,5 +77,5 @@ def receipt_create(request: HttpRequest):
     return render(
         request,
         "pages/receipts/_search_results.html",
-        {"receipts": Receipt.objects.filter(user=request.user).order_by("-date")},
+        {"receipts": receipts},
     )
diff --git a/backend/models.py b/backend/models.py
index 4c3afe98..3f060e8a 100644
--- a/backend/models.py
+++ b/backend/models.py
@@ -211,6 +211,18 @@ class Receipt(models.Model):
     class Meta:
         constraints = [USER_OR_ORGANIZATION_CONSTRAINT()]
 
+    def __str__(self):
+        return f"{self.name} - {self.date} ({self.total_price})"
+
+    def has_access(self, user: User) -> bool:
+        if not user.is_authenticated:
+            return False
+
+        if user.logged_in_as_team:
+            return self.organization == user.logged_in_as_team
+        else:
+            return self.user == user
+
 
 class ReceiptDownloadToken(models.Model):
     user = models.ForeignKey(User, on_delete=models.CASCADE)
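Review bot: `QuotaUsage.create_str(request.user, "receipts-count", receipt.id)` now runs before `receipt.save()`, so for the freshly constructed `Receipt(**receipt_data)` the `receipt.id` being recorded is still None; the replaced code saved first and the save was only moved below the quota call. Swap the two lines so the save precedes the quota bookkeeping: `receipt = Receipt(**receipt_data)` / `receipt.save()` / `QuotaUsage.create_str(request.user, "receipts-count", receipt.id)`. The `receipts` querysets built in the if/else are lazy, so they presumably include the new receipt once the template evaluates them after the save; a one-line comment such as `# lazy queryset: evaluated at render time, after receipt.save()` would make that ordering dependency explicit, since the second hunk in this file relies on it. receipt_create starts and continues outside both hunks.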
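Review bot: `Receipt.has_access` has no docstring, yet the receipt views now delegate their authorization decision to it, so its contract should be written down: unauthenticated users are always denied, a user acting as a team is allowed only when that team owns the receipt, and otherwise only the personal owner is allowed; e.g. `"""Return True if *user* may act on this receipt: denied when unauthenticated; otherwise the team the user is logged in as must own it, or, outside team mode, the user must own it personally."""`. The `else:` after a `return` is unnecessary, so `return self.user == user` can sit at function level. The method trusts `user.logged_in_as_team` to already be a team the user belongs to, which is presumably enforced wherever that attribute is set; stating that assumption in the docstring would keep a future caller from treating has_access as a membership check.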