예제 #1
    def before_update_object(self, order, data, view_kwargs):
        """
        Authorize and constrain a PATCH on an order before it is applied.

        Rules, in the order they are evaluated:
        1. Only an event co-organizer or the order's owner may update at all.
        2. A co-organizer who is not an admin:
            a. on their own order may change only the fields listed by
               get_updatable_fields();
            b. on someone else's order may change only ``status``, and not
               when the order is a completed paid order (no refund system)
               or already cancelled (tickets are unlocked and cannot be
               re-locked).
        3. The order's owner (not a co-organizer) may change only the
           updatable fields, and only while the order is ``pending``.
        4. An organizer's ``order_notes`` are appended to the existing notes
           (comma separated) rather than replacing them.
        Admins are not restricted by rules 2-3.

        :param order: the Order row being updated
        :param data: the decoded request attributes; mutated in place for
                     ``order_notes``
        :param view_kwargs: unused here, passed through by the resource layer
        :return: None
        :raises ForbiddenException: when one of the rules above is violated
        """
        if not has_access('is_coorganizer', event_id=order.event_id):
            if not current_user.id == order.user_id:
                raise ForbiddenException({'pointer': ''}, "Access Forbidden")

        is_owner = current_user.id == order.user_id

        def changed(field):
            # NOTE(review): a falsy value (0, False, "", None) counts as
            # "unchanged" here, as in the original, so such values are never
            # subject to the field checks below; confirm the deserializer
            # cannot deliver them for restricted fields.
            return bool(data[field]) and data[field] != getattr(order, field, None)

        def forbid_field(field):
            raise ForbiddenException({'pointer': 'data/{}'.format(field)},
                                     "You cannot update {} of an order".format(field))

        def reject_non_updatable():
            for field in data:
                if changed(field) and field not in get_updatable_fields():
                    forbid_field(field)

        if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
            if is_owner:
                # Own order, created from the tickets tab: limited to the
                # updatable fields.
                reject_non_updatable()
            else:
                # Someone else's order, created from the public pages: only
                # the status may change, and only while it can be reverted.
                for field in data:
                    if not changed(field):
                        continue
                    if field != 'status':
                        forbid_field(field)
                    if order.amount and order.status == 'completed':
                        # No refund system, so a paid order cannot be reopened.
                        raise ForbiddenException({'pointer': 'data/status'},
                                                 "You cannot update the status of a completed paid order")
                    if order.status == 'cancelled':
                        # Cancelling unlocks the tickets and cannot be reverted.
                        raise ForbiddenException({'pointer': 'data/status'},
                                                 "You cannot update the status of a cancelled order")

        elif is_owner:
            if order.status != 'pending':
                raise ForbiddenException({'pointer': ''},
                                         "You cannot update a non-pending order")
            reject_non_updatable()

        if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
            existing_notes = order.order_notes
            if existing_notes and data['order_notes'] not in existing_notes.split(","):
                data['order_notes'] = '{},{}'.format(existing_notes, data['order_notes'])
예제 #2
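def check_event_user_ticket_holders(order, data, element):
    """
    Reject a change to one of an order's relationships.

    Only the ``event``, ``user`` and ``ticket_holders`` keys are inspected;
    any other ``element`` is ignored.

    :param order: the Order row being updated
    :param data: the decoded request payload; relationship values are ids
                 serialized as strings (``data['event'] == '12'``)
    :param element: the key of ``data`` to check
    :return: None
    :raises ForbiddenException: when ``event`` or ``user`` would change, or
        when ``ticket_holders`` would change and is not an updatable field
    """
    if element in ('event', 'user'):
        related = getattr(order, element, None)
        # A missing relationship must fail closed with a 403 rather than
        # crash with AttributeError on ``None.id``.
        current_id = None if related is None else str(related.id)
        if data[element] != current_id:
            raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                     "You cannot update {} of an order".format(element))
    elif element == 'ticket_holders':
        current_holders = [str(holder.id) for holder in order.ticket_holders]
        # Compared as ordered lists: the same ids in another order count as a change.
        if data[element] != current_holders and element not in get_updatable_fields():
            raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                     "You cannot update {} of an order".format(element))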
예제 #3
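def check_event_user_ticket_holders(order, data, element):
    """
    Reject a change to one of an order's relationships.

    Only the ``event``, ``user`` and ``ticket_holders`` keys are inspected;
    any other ``element`` is ignored.

    :param order: the Order row being updated
    :param data: the decoded request payload; relationship values are ids
                 serialized as strings (``data['event'] == '12'``)
    :param element: the key of ``data`` to check
    :return: None
    :raises ForbiddenError: when ``event`` or ``user`` would change, or
        when ``ticket_holders`` would change and is not an updatable field
    """
    if element in ('event', 'user'):
        related = getattr(order, element, None)
        # A missing relationship must fail closed with a 403 rather than
        # crash with AttributeError on ``None.id``.
        current_id = None if related is None else str(related.id)
        if data[element] != current_id:
            raise ForbiddenError(
                {'pointer': f'data/{element}'},
                f"You cannot update {element} of an order",
            )
    elif element == 'ticket_holders':
        current_holders = [str(holder.id) for holder in order.ticket_holders]
        # Compared as ordered lists: the same ids in another order count as a change.
        if data[element] != current_holders and element not in get_updatable_fields():
            raise ForbiddenError(
                {'pointer': f'data/{element}'},
                f"You cannot update {element} of an order",
            )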
예제 #4
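    def before_update_object(self, order, data, view_kwargs):
        """
        Authorize, constrain and validate a PATCH on an order before it is applied.

        Rules, in the order they are evaluated:
        1. Only an event co-organizer or the order's owner may update at all.
           This is checked before any validation so an unauthorized caller
           learns nothing about the order's attendees or billing data.
        2. Moving the order to pending/placed/completed requires every
           attendee to satisfy the custom attendee form.
        3. An amount together with billing enabled (or an event that makes
           billing info mandatory) requires complete billing info.
        4. A co-organizer who is not an admin:
            a. on their own order may change only the fields listed by
               get_updatable_fields();
            b. on someone else's order may change only ``status`` and
               ``deleted_at``; the status cannot change on a completed paid
               order (no refund system) or on a cancelled order (tickets
               are unlocked and cannot be re-locked).
        5. The order's owner (not a co-organizer) may change only the
           updatable fields, and only while the order is ``initializing``
           or ``pending``.
        6. An organizer's ``order_notes`` are appended to the existing notes
           (comma separated) rather than replacing them.
        7. Payment consistency: a free payment mode cannot carry an amount,
           and completing a stripe/paypal order requires a verifiable payment.
        Admins are not restricted by rules 4-5. The relationship keys
        (``event``, ``user``, ``ticket_holders``) are checked by
        check_event_user_ticket_holders instead of the plain value comparison.

        :param order: the Order row being updated
        :param data: the decoded request attributes; mutated in place for
                     ``order_notes``
        :param view_kwargs: unused here, passed through by the resource layer
        :return: None
        :raises ForbiddenError: when an authorization rule above is violated
        :raises UnprocessableEntityError: when the payment data is inconsistent
        """
        is_owner = current_user.id == order.user_id
        if not has_access('is_coorganizer', event_id=order.event_id) and not is_owner:
            raise ForbiddenError({'pointer': ''}, "Access Forbidden")

        if data.get('status') in ('pending', 'placed', 'completed'):
            for attendee in order.ticket_holders:
                validate_custom_form_constraints_request(
                    'attendee', AttendeeSchema, attendee, {})

        if data.get('amount') and (data.get('is_billing_enabled')
                                   or order.event.is_billing_info_mandatory):
            check_billing_info(data)

        relationships = ('event', 'ticket_holders', 'user')

        def forbid(field):
            raise ForbiddenError(
                {'pointer': f'data/{field}'},
                f"You cannot update {field} of an order",
            )

        def plain_change(field):
            # Relationships are compared by check_event_user_ticket_holders;
            # every other field is compared against its current column value.
            return field not in relationships and data[field] != getattr(order, field, None)

        if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
            if is_owner:
                # Own order, created from the tickets tab.
                for field in data:
                    # NOTE(review): falsy values (0, False, "", None) bypass
                    # every check in this loop, as in the original; confirm
                    # the deserializer cannot deliver them for restricted fields.
                    if not data[field]:
                        continue
                    if plain_change(field) and field not in get_updatable_fields():
                        forbid(field)
                    check_event_user_ticket_holders(order, data, field)

            else:
                # Someone else's order, created from the public pages.
                for field in data:
                    if not data[field]:
                        continue
                    if plain_change(field):
                        if field != 'status' and field != 'deleted_at':
                            forbid(field)
                        if field == 'status' and order.amount and order.status == 'completed':
                            # No refund system, so a paid order cannot be reopened.
                            raise ForbiddenError(
                                {'pointer': 'data/status'},
                                "You cannot update the status of a completed paid order",
                            )
                        if field == 'status' and order.status == 'cancelled':
                            # Cancelling unlocks the tickets and cannot be reverted.
                            raise ForbiddenError(
                                {'pointer': 'data/status'},
                                "You cannot update the status of a cancelled order",
                            )
                    else:
                        check_event_user_ticket_holders(order, data, field)

        elif is_owner:
            if order.status not in ('initializing', 'pending'):
                raise ForbiddenError(
                    {'pointer': ''},
                    "You cannot update a non-initialized or non-pending order",
                )
            for field in data:
                if not data[field]:
                    continue
                # NOTE(review): order.status is 'initializing' or 'pending'
                # here, so this 'completed' guard can never fire; kept for
                # parity with the original until the intended condition
                # (perhaps data.get('status') == 'completed') is confirmed.
                if (field == 'is_billing_enabled' and order.status == 'completed'
                        and data[field] != getattr(order, field, None)):
                    raise ForbiddenError(
                        {'pointer': f'data/{field}'},
                        "You cannot update {} of a completed order".format(field),
                    )
                if plain_change(field) and field not in get_updatable_fields():
                    forbid(field)
                check_event_user_ticket_holders(order, data, field)

        if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
            existing_notes = order.order_notes
            if existing_notes and data['order_notes'] not in existing_notes.split(","):
                data['order_notes'] = '{},{}'.format(existing_notes, data['order_notes'])

        # ``amount`` may be absent from a partial update; ``None > 0`` raises
        # TypeError on Python 3, so a missing amount is treated as zero.
        if data.get('payment_mode') == 'free' and (data.get('amount') or 0) > 0:
            raise UnprocessableEntityError(
                {'pointer': '/data/attributes/payment-mode'},
                "payment-mode cannot be free for order with amount > 0",
            )
        # NOTE(review): this keys on the payment_mode sent in *this* request,
        # not on order.payment_mode, so a completion request that omits
        # payment_mode skips payment verification; confirm that is intended.
        if data.get('status') == 'completed':
            payment_mode = data.get('payment_mode')
            if payment_mode in ('stripe', 'paypal') and not is_payment_valid(order, payment_mode):
                raise UnprocessableEntityError(
                    {'pointer': '/data/attributes/payment-mode'},
                    f"insufficient data to verify {payment_mode} payment",
                )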
예제 #5
    def before_update_object(self, order, data, view_kwargs):
        """
        Authorize and constrain a PATCH on an order before it is applied.

        Rules, in the order they are evaluated:
        1. Only an event co-organizer or the order's owner may update at all.
        2. A co-organizer who is not an admin:
            a. on their own order may change only the fields listed by
               get_updatable_fields();
            b. on someone else's order may change only ``status``, and not
               when the order is a completed paid order (no refund system)
               or already cancelled (tickets are unlocked and cannot be
               re-locked).
        3. The order's owner (not a co-organizer) may change only the
           updatable fields, and only while the order is ``pending``.
        4. An organizer's ``order_notes`` are appended to the existing notes
           (comma separated) rather than replacing them.
        Admins are not restricted by rules 2-3.

        :param order: the Order row being updated
        :param data: the decoded request attributes; mutated in place for
                     ``order_notes``
        :param view_kwargs: unused here, passed through by the resource layer
        :return: None
        :raises ForbiddenException: when one of the rules above is violated
        """
        if not has_access('is_coorganizer', event_id=order.event_id):
            if not current_user.id == order.user_id:
                raise ForbiddenException({'pointer': ''}, "Access Forbidden")

        is_owner = current_user.id == order.user_id

        def changed(field):
            # NOTE(review): a falsy value (0, False, "", None) counts as
            # "unchanged" here, as in the original, so such values are never
            # subject to the field checks below; confirm the deserializer
            # cannot deliver them for restricted fields.
            return bool(data[field]) and data[field] != getattr(order, field, None)

        def forbid_field(field):
            raise ForbiddenException(
                {'pointer': 'data/{}'.format(field)},
                "You cannot update {} of an order".format(field))

        if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
            if is_owner:
                # Own order, created from the tickets tab: limited to the
                # updatable fields.
                for field in data:
                    if changed(field) and field not in get_updatable_fields():
                        forbid_field(field)

            else:
                # Someone else's order, created from the public pages: only
                # the status may change, and only while it can be reverted.
                for field in data:
                    if not changed(field):
                        continue
                    if field != 'status':
                        forbid_field(field)
                    if order.amount and order.status == 'completed':
                        # No refund system, so a paid order cannot be reopened.
                        raise ForbiddenException(
                            {'pointer': 'data/status'},
                            "You cannot update the status of a completed paid order")
                    if order.status == 'cancelled':
                        # Cancelling unlocks the tickets and cannot be reverted.
                        raise ForbiddenException(
                            {'pointer': 'data/status'},
                            "You cannot update the status of a cancelled order")

        elif is_owner:
            if order.status != 'pending':
                raise ForbiddenException(
                    {'pointer': ''}, "You cannot update a non-pending order")
            for field in data:
                # NOTE(review): order.status is 'pending' at this point, so
                # this 'completed' guard cannot fire; kept verbatim from the
                # original pending a decision on the intended condition.
                if (field == 'is_billing_enabled' and order.status == 'completed'
                        and changed(field)):
                    raise ForbiddenException(
                        {'pointer': 'data/{}'.format(field)},
                        "You cannot update {} of a completed order".format(field))
                if changed(field) and field not in get_updatable_fields():
                    forbid_field(field)

        if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
            existing_notes = order.order_notes
            if existing_notes and data['order_notes'] not in existing_notes.split(","):
                data['order_notes'] = '{},{}'.format(existing_notes, data['order_notes'])