def get(self, payroll_user=None, week=None):
    """Render the weekly payroll table for the logged-in user or, for an
    approver, for the account named by ``payroll_user``.

    Args:
        payroll_user: plaintext username from the URL. It is encrypted before
            any use because usernames are stored encrypted; a non-approver may
            only name their own account.
        week: optional numeric timestamp selecting the week to display; when
            absent the current week is shown.

    Returns:
        The rendered ``payroll.html`` page, a redirect to ``/logout`` on any
        authentication/authorization/validation failure, or a 404 when the
        selected week has no records.
    """
    # Authentication gate: nothing below runs for an anonymous request.
    if not self.user or not self.user.username or not self.user.is_authenticated:
        return redirect('/logout?byebye=yes')

    # Authorization: approvers may view any account, everyone else only their own.
    # NOTE(review): the equality below only works if crypto.encrypt is
    # deterministic (same plaintext -> same ciphertext); the matching POST
    # handler decrypts the stored name instead -- confirm both approaches agree.
    # NOTE(review): is_approver is not scoped to particular accounts; any
    # approver can view every user's payroll -- confirm that is intended.
    if payroll_user:
        payroll_user = crypto.encrypt(payroll_user)
        if not self.user.is_approver and payroll_user != self.user.username:
            return redirect('/logout?byebye=yes')

    # week is used as a float timestamp below, so it must be numeric.
    if week and not utils.sanitize_number_input(week):
        return redirect('/logout?byebye=yes')

    target_user = payroll_user or self.user.username

    # Anchor the week on today unless a specific timestamp was requested.
    anchor_day = datetime.date.today()
    if week:
        anchor_day = datetime.date.fromtimestamp(float(week))
    start_date = utils.get_last_monday(anchor_day)
    end_date = start_date + datetime.timedelta(days=6)

    if week:
        records = TimeRecord.get_current_week(target_user, start_date)
    else:
        records = TimeRecord.get_current_week(target_user)
    if not records:
        return abort(404)

    # Navigation links are epoch timestamps one week either side of start_date.
    one_week = datetime.timedelta(days=7)
    context = dict(
        user=self.user,
        table_rows=records,
        payroll_username=target_user,
        start_date=start_date,
        end_date=end_date,
        prev_timestamp=time.mktime((start_date - one_week).timetuple()),
        next_timestamp=time.mktime((start_date + one_week).timetuple()),
    )
    return render_template('payroll.html', **context)
def post(self):
    """Admin-only handler that updates a user's wage and, if not yet set, SSN.

    The submitted username is encrypted before lookup because that is how
    usernames are stored; wage and SSN are likewise stored encrypted via
    ``crypto.encrypt``. Responses are plain strings: ``"success"`` or an
    ``"error: ..."`` message.

    Returns:
        str: ``"success"``, or an error message describing the first check
        that failed (permission, form validation, unknown user, wage, SSN).
    """
    # Two gates before any data is read or written: authenticated, then admin.
    logged_in = self.user and self.user.username and self.user.is_authenticated
    if not logged_in or not self.user.is_admin:
        return "error: permission denied"

    form = forms.ModifyUser(request.form)
    if not form.validate():
        return "error: invalid input"

    target = User.get_user_by_username(crypto.encrypt(form.username.data))
    if not target:
        return "error: user does not exist"

    # Wage is validated as a number on its string form, then stored encrypted.
    wage_text = str(form.wage.data)
    if not utils.sanitize_number_input(wage_text):
        return "error: invalid wage"
    target.wage = crypto.encrypt(wage_text)

    # The SSN is write-once: it is only validated and set for an account that
    # has none yet, so an existing SSN is never overwritten from this form.
    if not target.ssn:
        if not utils.validate_ssn(form.ssn.data):
            return "error: invalid SSN"
        target.ssn = crypto.encrypt(form.ssn.data)

    target.save()
    return "success"
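def post(self, payroll_user=None, week=None):
    """Save clock-in / clock-out edits to the logged-in user's time records.

    Each submitted field is named ``<punch_type>-<record_id>`` where
    ``punch_type`` is ``clockin`` or ``clockout`` and the value is a time in
    ``%I:%M %p`` form. Any field that fails validation ends the request with
    a redirect to ``/logout`` (the same handling as a failed login check), so
    one bad field discards the rest of the submission. Records belonging to
    someone else, or already approved, are skipped silently.

    Args:
        payroll_user: plaintext username from the URL; must match the
            logged-in user, since users may only edit their own records.
        week: numeric week selector from the URL; validated for consistency
            with the GET handler but not otherwise used here.

    Returns:
        A redirect response on any validation failure. No return statement
        follows the loop in the visible code -- NOTE(review): confirm the
        caller tolerates a ``None`` response, or add the intended redirect.
    """
    # Authentication gate: nothing below runs for an anonymous request.
    if not self.user or not self.user.username or not self.user.is_authenticated:
        return redirect('/logout?byebye=yes')

    # URL-level ownership check (self.user.username is stored encrypted,
    # hence the decrypt before comparing with the plaintext URL value).
    if payroll_user:
        if not payroll_user == crypto.decrypt(self.user.username):
            print "INVALID USER REQUEST: ", payroll_user
            return redirect('/logout?byebye=yes')

    if week:
        if not utils.sanitize_number_input(week):
            print "INVALID WEEK PARAMETER: ", week
            return redirect('/logout?byebye=yes')

    for field_name, value in request.form.iteritems():
        if not value:
            continue

        # A field name with other than exactly one '-' is malformed client
        # input; previously the two-target unpack raised ValueError (a 500).
        parts = field_name.split('-')
        if len(parts) != 2:
            print "INVALID FIELD NAME: ", field_name
            return redirect('/logout?byebye=yes')
        punch_type, input_id = parts

        if punch_type not in ('clockin', 'clockout'):
            print "INVALID PUNCH TYPE: ", punch_type
            return redirect('/logout?byebye=yes')

        # The record id is attacker-controlled; validate its shape before
        # it reaches the datastore query.
        if not utils.sanitize_mongo_hash(input_id):
            print "INVALID RECORD ID: ", input_id
            return redirect('/logout?byebye=yes')

        # NOTE(review): .get() raises when no record matches input_id; the
        # exception type is ORM-specific, so it is left to propagate here
        # rather than guessed at.
        current_record = TimeRecord.objects(id=input_id).get()

        # Object-level authorization: the owner stored on the record is what
        # decides, not the URL parameter -- input_id may name any record.
        if current_record.username != self.user.username:
            continue
        # Approved records are frozen; skip silently, as before.
        if current_record.approved:
            continue

        if not utils.sanitize_time_input(value):
            print "INVALID TIME ENTRY: ", value
            return redirect('/logout?byebye=yes')

        # Previously a parse failure was swallowed and `timestamp` was then
        # used unbound (UnboundLocalError), or -- worse -- a stale value from
        # an earlier field was written to this record. Treat it as invalid
        # input like every other failed check.
        try:
            parsed_time = datetime.datetime.strptime(value, '%I:%M %p')
        except ValueError:
            print "INVALID TIME ENTRY: ", value
            return redirect('/logout?byebye=yes')
        timestamp = datetime.datetime.combine(current_record.date, parsed_time.time())

        if punch_type == 'clockin':
            current_record.clock_in = timestamp
        else:
            current_record.clock_out = timestamp
        # Hours are only derivable once both punches exist.
        if current_record.clock_in and current_record.clock_out:
            current_record.set_hours()
        current_record.save()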