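def add_discount_page(request):
    """Render the "add discount" page of a shop for its owner or a permitted manager.

    GET parameter: ``shop_name``. The caller is identified by the
    ``login_hash`` cookie, resolved through ``Consumer.loggedInUsers``;
    ``guest_hash`` is only passed through to the nav bar.

    Returns the rendered ``shop_add_discount.html`` on success, otherwise a
    plain ``HttpResponse`` carrying ``error_login_owner`` (not logged in),
    ``'fail'`` (neither owner nor manager), a permission message, or
    ``not_get_request`` for any other HTTP method.
    """
    if request.method != 'GET':
        # The original fell off the end here and returned None, which
        # Django turns into a server error; answer like the other GET views.
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')

    # Authentication: a missing or unknown login hash is rejected outright.
    if login is None:
        return HttpResponse(error_login_owner)
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse(error_login_owner)

    # Authorization: owners always pass; a manager needs discount_permission.
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, shop_name)
        # `!= 1` instead of `is not 1`: identity comparison with an int
        # literal only worked through CPython's small-int cache and is a
        # SyntaxWarning on 3.8+; get_shop() compares the same flags with ==.
        if manager.discount_permission != 1:
            return HttpResponse('no permission to add discount')

    every_html = {
        'top_bar': Topbar_Navbar.get_top_bar(login),
        'nav_bar': Topbar_Navbar.get_nav_bar(login, guest),
    }
    return render(request,
                  'shop_add_discount.html',
                  context={
                      'every_html': every_html,
                      'shop_name': shop_name,
                  })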
ファイル: ItemsService.py プロジェクト: omriattiya/uTrade
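def remove_item_from_shop(request):
    """Remove an item from its shop on behalf of the owner or a permitted manager.

    POST parameter: ``item_id``. The caller is identified by the
    ``login_hash`` cookie resolved through ``Consumer.loggedInUsers``.
    Authorization is checked against the shop the item actually belongs to
    (``item.shop_name``), never against a caller-supplied shop name.

    Returns ``HttpResponse('success')`` on removal; ``'fail'`` for a non-POST
    request, a missing/unknown login, an unknown item, a caller who is
    neither owner nor manager, or a logic-layer failure; a permission
    message for a manager without ``permission_remove_item``; and
    ``MESSAGE_SQL_INJECTION`` when the logger flags ``item_id``.
    """
    if request.method != 'POST':
        # The original returned None (no response) for other methods.
        return HttpResponse('fail')

    # Authentication. The original let a request with no login cookie fall
    # through with username=None and relied on the role helpers to reject
    # it; refuse it here so the authorization step never runs on None.
    login = request.COOKIES.get('login_hash')
    if login is None:
        return HttpResponse('fail')
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse('fail')

    item_id = request.POST.get('item_id')
    # Same heuristic screen the sibling views apply to their inputs. This
    # only logs and blocks suspicious strings; the real protection has to be
    # parameterized queries inside ItemsLogic (not visible here).
    if LoggerLogic.identify_sql_injection(item_id, "REMOVE ITEM"):
        return HttpResponse(MESSAGE_SQL_INJECTION)

    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')

    # Authorization: owners always pass; a manager needs permission_remove_item.
    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, item.shop_name)
        # `!= 1`, not `is not 1` (identity comparison with an int literal).
        if manager.permission_remove_item != 1:
            return HttpResponse('no permission to remove item')

    status = ItemsLogic.remove_item_from_shop(item_id, username)
    if status is False:
        return HttpResponse('fail')
    return HttpResponse('success')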
ファイル: ItemsService.py プロジェクト: omriattiya/uTrade
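def edit_shop_item(request):
    """Update the editable fields of a shop item for its owner or a permitted manager.

    POST parameters: ``item_id`` plus ``item_quantity``, ``item_category``,
    ``item_keywords``, ``item_price`` and ``item_url``, written to the item
    fields ``quantity``, ``category``, ``keywords``, ``price`` and ``url``
    respectively. A field absent from the POST is handed to
    ``ItemsLogic.edit_shop_item`` as ``None``, exactly as before.

    Returns ``HttpResponse('success')``; ``'fail'`` for a non-POST request,
    a missing/unknown login, an unknown item, a caller who is neither owner
    nor manager, or a logic-layer failure; a permission message for a
    manager without ``permission_edit_item``; ``MESSAGE_SQL_INJECTION`` when
    the logger flags any value.
    """
    if request.method != 'POST':
        # The original returned None (no response) for other methods.
        return HttpResponse('fail')

    # Authentication: refuse anonymous requests here instead of letting
    # username=None reach the role checks (the original relied on the
    # helpers to reject None).
    login = request.COOKIES.get('login_hash')
    if login is None:
        return HttpResponse('fail')
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse('fail')

    item_id = request.POST.get('item_id')
    updates = [
        ('quantity', request.POST.get('item_quantity')),
        ('category', request.POST.get('item_category')),
        ('keywords', request.POST.get('item_keywords')),
        ('price', request.POST.get('item_price')),
        ('url', request.POST.get('item_url')),
    ]

    # identify_sql_injection also logs each hit, so every value is checked
    # (a list, not a short-circuiting generator) before deciding. item_id
    # is screened too; the original passed it through unchecked.
    event = "EDIT ITEM"
    flagged = [LoggerLogic.identify_sql_injection(item_id, event)]
    flagged += [LoggerLogic.identify_sql_injection(value, event)
                for _, value in updates]
    if any(flagged):
        return HttpResponse(MESSAGE_SQL_INJECTION)

    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')

    # Authorization against the shop the item belongs to.
    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, item.shop_name)
        # `!= 1`, not `is not 1` (identity comparison with an int literal).
        if manager.permission_edit_item != 1:
            return HttpResponse('no permission to edit item')

    # Fields are written one at a time, as before; a failure part-way leaves
    # the earlier fields already updated (no transaction at this layer).
    for field, value in updates:
        status = ItemsLogic.edit_shop_item(username, item_id, field, value)
        if status is False:
            return HttpResponse('fail')
    return HttpResponse('success')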
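def watch_purchase_history(request):
    """Render a shop's purchase history for its owner or a permitted manager.

    GET parameter: ``shop_name``. The caller is identified by the
    ``login_hash`` cookie resolved through ``Consumer.loggedInUsers``;
    ``guest_hash`` only feeds the nav bar.

    Returns the rendered ``shop_view_purchase_history.html``; otherwise
    ``error_login_owner`` (not logged in), ``'fail'`` (neither owner nor
    manager), a permission message, or ``not_get_request`` for a non-GET.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')

    # Authentication.
    if login is None:
        return HttpResponse(error_login_owner)
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse(error_login_owner)

    # Authorization: owners always pass; a manager needs
    # permission_get_purchased_history.
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, shop_name)
        # `!= 1`, not `is not 1` (identity comparison with an int literal).
        if manager.permission_get_purchased_history != 1:
            return HttpResponse('no permission to watch purchase history')

    every_html = {
        'top_bar': Topbar_Navbar.get_top_bar(login),
        'nav_bar': Topbar_Navbar.get_nav_bar(login, guest),
    }
    # One rendered row per purchase, joined once instead of += per row.
    rows = [
        loader.render_to_string('components/purchase_item_owner.html', {
            'purchase_id': item.purchase_id,
            'item_id': item.item_id,
            'quantity': item.quantity,
            'price': item.price,
        })
        for item in ShopLogic.get_shop_purchase_history(username, shop_name)
    ]
    return render(request,
                  'shop_view_purchase_history.html',
                  context={
                      'every_html': every_html,
                      'items': ''.join(rows),
                      'shop_name': shop_name,
                  })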
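def add_discount(request):
    """Create a discount on an item or a category of a shop.

    POST parameters: ``shop_name``, ``percent`` (integer 0..100), ``kind``
    (``visible_item``, ``invisible_item``, ``visible_category`` or
    ``invisible_category``), ``start_date`` and ``duration`` (the end date),
    each as three ``-``-separated fields, plus ``item_id`` or ``category``
    for the matching kind and ``code`` for the invisible kinds. The caller,
    identified by the ``login_hash`` cookie, must be the shop owner or a
    manager with ``discount_permission``.

    Returns a plain ``HttpResponse``: ``'success'``, or one of the error
    messages below. Unlike the original, the outcome is kept in a local
    variable rather than a module-level ``result`` global, so an unknown
    ``kind`` can no longer answer with whatever the previous request (from
    any user) left behind.
    """
    from html import escape  # stdlib; used to neutralise echoed input

    if request.method != 'POST':
        return HttpResponse('FAIL: not post request')

    shop_name = request.POST.get('shop_name')
    kind = request.POST.get('kind')

    event = "ADD DISCOUNT"
    # identify_sql_injection logs each hit, so evaluate both before deciding.
    flagged = [LoggerLogic.identify_sql_injection(shop_name, event),
               LoggerLogic.identify_sql_injection(kind, event)]
    if any(flagged):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    # int() on a missing or non-numeric percent used to raise (server error).
    # Values outside 0..100 are rejected as well: the percentage feeds the
    # price factor, so a negative or >100 value is a price manipulation.
    try:
        percent = int(request.POST.get('percent'))
    except (TypeError, ValueError):
        return HttpResponse('invalid percent')
    if not 0 <= percent <= 100:
        return HttpResponse('invalid percent')

    # A missing or malformed date used to raise AttributeError/IndexError.
    start_date = _reorder_discount_date(request.POST.get('start_date'))
    end_date = _reorder_discount_date(request.POST.get('duration'))
    if start_date is None or end_date is None:
        return HttpResponse('invalid date')

    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')

    # Authentication. The original let a request with no login cookie fall
    # through with username=None to the role checks.
    login = request.COOKIES.get('login_hash')
    if login is None:
        return HttpResponse('user not logged in')
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse('user not logged in')

    # Authorization: owners always pass; a manager needs discount_permission.
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('not owner or manager in this shop')
        manager = UsersLogic.get_manager(username, shop_name)
        # `!= 1`, not `is not 1` (identity comparison with an int literal).
        if manager.discount_permission != 1:
            return HttpResponse('no permission to add discount')

    invisible = kind in ("invisible_item", "invisible_category")
    code = request.POST.get('code') if invisible else None

    if kind in ("visible_item", "invisible_item"):
        item_id = request.POST.get('item_id')
        flagged = [LoggerLogic.identify_sql_injection(item_id, event)]
        if invisible:
            flagged.append(LoggerLogic.identify_sql_injection(code, event))
        if any(flagged):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        # Only non-lottery items of this very shop may carry a discount.
        item = ItemsLogic.get_item_without_lottery(item_id)
        if item is False or item.shop_name != shop_name:
            # The id is echoed into a text/html response: escape it so a
            # crafted item_id cannot inject markup (reflected XSS), and
            # str() it so a missing id no longer raises TypeError.
            return HttpResponse("item with id=" + escape(str(item_id)) +
                                " doesnt exist in this shop or a ticket")
        if invisible:
            discount = InvisibleDiscount(code, item_id, shop_name, percent,
                                         start_date, end_date)
            result = DiscountLogic.add_invisible_discount(discount, username)
        else:
            discount = VisibleDiscount(item_id, shop_name, percent,
                                       start_date, end_date)
            result = DiscountLogic.add_visible_discount(discount, username)

    elif kind in ("visible_category", "invisible_category"):
        category = request.POST.get('category')
        flagged = [LoggerLogic.identify_sql_injection(category, event)]
        if invisible:
            flagged.append(LoggerLogic.identify_sql_injection(code, event))
        if any(flagged):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        if invisible:
            discount = InvisibleDiscountCategory(code, category, shop_name,
                                                 percent, start_date,
                                                 end_date)
            result = DiscountLogic.add_invisible_discount_category(
                discount, username)
        else:
            discount = VisibleDiscountCategory(category, shop_name, percent,
                                               start_date, end_date)
            result = DiscountLogic.add_visible_discount_category(
                discount, username)

    else:
        return HttpResponse('invalid discount kind')

    if result:
        return HttpResponse('success')
    return HttpResponse('discount already exist for this item/category!')


def _reorder_discount_date(value):
    """Return ``'a-c-b'`` for a ``'a-b-c'`` date string, or ``None`` if unusable.

    Keeps the original field swap (fields 0, 2, 1) that DiscountLogic
    receives; the exact storage format it expects is not visible here.
    ``None`` is returned for a missing value or one without exactly three
    ``-``-separated fields.
    """
    if value is None:
        return None
    parts = value.split('-')
    if len(parts) != 3:
        return None
    return parts[0] + '-' + parts[2] + '-' + parts[1]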
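def delete_discount(request):
    """Render the "delete discount" page listing every discount of a shop.

    GET parameter: ``shop_name``. The caller, identified by the
    ``login_hash`` cookie, must be the shop owner or a manager with
    ``discount_permission``; ``guest_hash`` only feeds the nav bar.

    The page lists, in this order, visible item discounts (type 1), visible
    category discounts (2), invisible item discounts (3) and invisible
    category discounts (4), each rendered through ``components/discount.html``.

    Returns the rendered ``shop_delete_discount.html``; otherwise
    ``error_login_owner``, ``'fail'`` (neither owner nor manager), a
    permission message, or ``not_get_request`` for a non-GET.
    """
    if request.method != 'GET':
        # The original returned None (no response) for other methods.
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')

    # Authentication.
    if login is None:
        return HttpResponse(error_login_owner)
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse(error_login_owner)

    # Authorization: owners always pass; a manager needs discount_permission.
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, shop_name)
        # `!= 1`, not `is not 1`; the message used to say "add discount",
        # a copy-paste from the add page.
        if manager.discount_permission != 1:
            return HttpResponse('no permission to delete discount')

    string_discounts = ''.join([
        _discount_rows(shop_name,
                       DiscountLogic.get_all_visible_discounts_items(shop_name),
                       1, per_item=True, with_code=False),
        _discount_rows(shop_name,
                       DiscountLogic.get_all_visible_discounts_categories(shop_name),
                       2, per_item=False, with_code=False),
        _discount_rows(shop_name,
                       DiscountLogic.get_all_invisible_discounts_items(shop_name),
                       3, per_item=True, with_code=True),
        _discount_rows(shop_name,
                       DiscountLogic.get_all_invisible_discounts_categories(shop_name),
                       4, per_item=False, with_code=True),
    ])

    every_html = {
        'top_bar': Topbar_Navbar.get_top_bar(login),
        'nav_bar': Topbar_Navbar.get_nav_bar(login, guest),
    }
    return render(request,
                  'shop_delete_discount.html',
                  context={
                      'every_html': every_html,
                      'shop_name': shop_name,
                      'discounts': string_discounts,
                  })


def _discount_rows(shop_name, discounts, kind, *, per_item, with_code):
    """Render one ``components/discount.html`` row per discount and join them.

    ``kind`` is the numeric ``type`` the template expects. With ``per_item``
    the row carries ``discount.item_id`` and a ``'----'`` category; otherwise
    ``discount.category`` and ``item_id`` 0. ``with_code`` exposes
    ``discount.code`` (invisible discounts); visible ones show ``'----'``.
    """
    rows = []
    for discount in discounts:
        rows.append(loader.render_to_string('components/discount.html', {
            'shop_name': shop_name,
            'item_id': discount.item_id if per_item else 0,
            'category': '----' if per_item else discount.category,
            'from_date': discount.from_date,
            'to_date': discount.end_date,
            'percents': discount.percentage,
            'type': kind,
            'code': discount.code if with_code else '----',
        }))
    return ''.join(rows)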
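def get_shop(request):
    """Render a shop page: its items with discounts applied, plus the
    owner/manager action buttons the caller is entitled to.

    GET parameter: ``shop_name``. ``login_hash`` (optional) identifies the
    caller via ``Consumer.loggedInUsers``; an anonymous caller still gets
    the page, just without action buttons. ``guest_hash`` only feeds the
    nav bar. Items of kind ``'prize'`` are not listed.

    Returns the rendered ``shop.html``, ``ShopNotFound.html`` for an
    unknown shop, or ``not_get_request`` for a non-GET.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    # The not-found branch used to read a 'guest' cookie while this branch
    # and every other view read 'guest_hash'; both branches now agree.
    guest = request.COOKIES.get('guest_hash')
    context = {
        'topbar': Topbar_Navbar.get_top_bar(login),
        'navbar': Topbar_Navbar.get_nav_bar(login, guest),
    }

    shop = ShopLogic.search_shop(shop_name)
    if shop is False:
        return render(request, 'ShopNotFound.html', context)

    username = None if login is None else Consumer.loggedInUsers.get(login)

    # Listed price = base price times the item and category discount
    # factors, in the original evaluation order.
    products = ''.join(
        loader.render_to_string('components/item.html', {
            'name': item.name,
            'price': "{0:.2f}".format(
                item.price * item_discount(item.id, shop_name) *
                category_discount(item.category, shop_name)),
            'url': item.url,
            'item_id': item.id,
        }, None, None)
        for item in ShopLogic.get_shop_items(shop.name)
        if item.kind != 'prize'
    )

    # Action buttons, keyed by their id_param; rendered only once granted
    # (the original rendered all five for every visitor).
    specs = {
        'purchase_history': ('owner/purchase_history', 'Purchase History'),
        'edit_remove': ('owner/items', 'Edit & Remove Items'),
        'add_item': ('owner/items/add_item', 'Add Item'),
        'add_discount': ('owner/add_discount', 'Add Discount'),
        'delete_discount': ('owner/delete_discount', 'Delete Discount'),
    }

    def button(key):
        path, text = specs[key]
        return loader.render_to_string(
            'components/owner_manager_options.html', {
                'path': path,
                'id_param': key,
                'shop_name': shop_name,
                'button_text': text,
            })

    granted = []
    # Owners get every button. Both checks run (not elif), as before, so a
    # user who is both owner and manager gets the manager's buttons twice.
    if UsersLogic.is_owner_of_shop(username, shop_name):
        granted += list(specs)
    if UsersLogic.is_manager_of_shop(username, shop_name):
        manager = UsersLogic.get_manager(username, shop_name)
        if manager.permission_get_purchased_history == 1:
            granted.append('purchase_history')
        if manager.permission_edit_item == 1 or manager.permission_remove_item == 1:
            granted.append('edit_remove')
        if manager.permission_add_item == 1:
            granted.append('add_item')
        if manager.discount_permission == 1:
            granted += ['add_discount', 'delete_discount']

    context.update({
        'shop_name': shop.name,
        'shop_status': shop.status,
        'products': products,
        'owner_manager_options': ''.join(button(key) for key in granted),
    })
    return render(request, 'shop.html', context=context)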
ファイル: ItemsService.py プロジェクト: omriattiya/uTrade
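def add_item_to_shop(request):
    """Add a regular item, or a lottery prize plus its tickets, to a shop.

    POST parameters: ``shop_name``, ``item_name``, ``item_quantity`` (int,
    >= 0), ``item_category``, ``item_keywords``, ``item_price`` (finite
    float > 0), ``item_url`` (optional) and ``item_kind`` (``'regular'`` or
    ``'prize'``). A prize additionally needs ``sale_date``, ``sale_hour``
    and ``sale_minutes``. The caller, identified by the ``login_hash``
    cookie (or, as in the original, a ``login_hash`` POST field), must be
    the shop owner or a manager with ``permission_add_item``.

    Returns a plain ``HttpResponse``: ``'success'`` or an error message.
    """
    import math  # stdlib; for the finite-price check below

    if request.method != 'POST':
        # The original returned None (no response) for other methods.
        return HttpResponse('FAIL: not post request')

    shop_name = request.POST.get('shop_name')
    item_name = request.POST.get('item_name')
    item_category = request.POST.get('item_category')
    item_keywords = request.POST.get('item_keywords')
    item_url = request.POST.get('item_url')
    item_kind = request.POST.get('item_kind')

    # int()/float() on a missing or non-numeric field used to raise, which
    # surfaced as a server error instead of a validation message.
    try:
        item_quantity = int(request.POST.get('item_quantity'))
    except (TypeError, ValueError):
        return HttpResponse('invalid quantity')
    try:
        item_price = float(request.POST.get('item_price'))
    except (TypeError, ValueError):
        return HttpResponse('invalid price')

    if not item_name:  # None or ''
        return HttpResponse('invalid item name')
    if item_quantity < 0:
        return HttpResponse('invalid quantity')
    if not item_category:  # None or ''
        return HttpResponse('invalid category')
    if item_keywords is None:
        return HttpResponse('invalid keywords')
    # float('nan') and float('inf') both pass `<= 0`; neither is a price.
    if not math.isfinite(item_price) or item_price <= 0:
        return HttpResponse('invalid price')

    sale_date = sale_hour = sale_minutes = None
    if item_kind == 'prize':
        sale_date = request.POST.get('sale_date')
        sale_hour = request.POST.get('sale_hour')
        sale_minutes = request.POST.get('sale_minutes')
        # Concatenated into the lottery's sale time below; a missing part
        # used to raise TypeError there.
        if sale_date is None or sale_hour is None or sale_minutes is None:
            return HttpResponse('invalid sale time')

    # identify_sql_injection logs each hit, so every value is checked (a
    # list, not a short-circuiting generator) before deciding. The sale
    # time parts reach LotteryLogic too, so they are screened as well.
    event = "ADD ITEM"
    screened = [shop_name, item_name, item_category, item_keywords, item_url,
                item_kind]
    if item_kind == 'prize':
        screened += [sale_date, sale_hour, sale_minutes]
    flagged = [LoggerLogic.identify_sql_injection(value, event)
               for value in screened]
    if any(flagged):
        return HttpResponse(MESSAGE_SQL_INJECTION)

    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')

    if item_url == '':
        item_url = None

    # Authentication. The session hash normally comes from the cookie; the
    # POST-body fallback is kept for compatibility with existing callers.
    # NOTE(review): a session token in a form body is more likely to end
    # up in request logs than a cookie — confirm a client still needs it.
    # The original let a request with neither fall through with
    # username=None to the role checks; it is refused here.
    login = request.COOKIES.get('login_hash')
    if login is None:
        login = request.POST.get('login_hash')
    if login is None:
        return HttpResponse('user not logged in')
    username = Consumer.loggedInUsers.get(login)
    if username is None:
        return HttpResponse('user not logged in')

    # Authorization: owners always pass; a manager needs permission_add_item.
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('not owner or manager in this shop')
        manager = UsersLogic.get_manager(username, shop_name)
        # `!= 1`, not `is not 1` (identity comparison with an int literal).
        if manager.permission_add_item != 1:
            return HttpResponse('no permission to add item')

    status = False
    if item_kind == 'regular':
        regular_item = Item(None, shop_name, item_name, item_category,
                            item_keywords, item_price, item_quantity,
                            item_kind, item_url, 0, 0, 0)
        status = ItemsLogic.add_item_to_shop(regular_item, username)
    elif item_kind == 'prize':
        # One prize (quantity 1) and item_quantity tickets for it; the
        # ticket price is the submitted price.
        prize = Item(None, shop_name, item_name, item_category,
                     item_keywords, item_price, 1, item_kind, item_url, 0,
                     0, 0)
        ticket = Item(None, shop_name, 'Ticket for ' + item_name,
                      item_category, item_keywords, item_price,
                      item_quantity, 'ticket', item_url, 0, 0, 0)
        status = LotteryLogic.add_lottery_and_items_and_return_id(
            prize, ticket, ticket.price,
            sale_date + ' ' + sale_hour + ':' + sale_minutes, username)
    # Any other item_kind leaves status False and fails below, as before.

    if status is False:
        return HttpResponse('could not add item')
    return HttpResponse('success')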