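def create(self, request, **kwargs):
    """Attest the expense parts listed in the ``json`` POST field.

    The body is read from ``request.POST['json']`` and must be a JSON object
    with a ``parts`` list of ExpensePart ids.  Every part is permission-checked
    before anything is written, so one forbidden or unknown part rejects the
    whole request without a partial attestation.

    :param request: HTTP request; ``request.user`` becomes the attester
    :return: 200 on success, 400 on malformed input or an unknown part id,
        403 when the user may not attest one of the parts
    """
    if 'json' not in request.POST:
        return HttpResponseBadRequest()
    try:
        expense_part_ids = json.loads(request.POST['json'])['parts']
    except (ValueError, KeyError, TypeError):
        # Malformed JSON, or a document without a 'parts' entry.
        return HttpResponseBadRequest()
    if not isinstance(expense_part_ids, list):
        return HttpResponseBadRequest()

    attester = None
    expense_parts_to_be_saved = []
    for exp_part_id in expense_part_ids:
        try:
            part = ExpensePart.objects.get(id=exp_part_id)
        except (ObjectDoesNotExist, ValueError):
            # Report the requested id, not the exception text.
            return Response(
                {'error': "Expense_part with id " + str(exp_part_id) + " does not exist"},
                status=status.HTTP_400_BAD_REQUEST
            )
        committee_name = part.budget_line.cost_centre.committee.name
        if not (has_permission("attest-*", request) or
                has_permission("attest-" + committee_name, request)):
            return Response(
                {'error': "You don't have permission to attest part with id " + str(part.id)},
                status=status.HTTP_403_FORBIDDEN
            )
        if part.attested_by is None:
            if attester is None:
                # Looked up once; the same Profile is stamped on every part.
                attester = Profile.objects.get(user=request.user)
            part.attested_by = attester
            part.attest_date = date.today()
            expense_parts_to_be_saved.append(part)

    # Saves happen only after every requested part passed its check.
    for part in expense_parts_to_be_saved:
        part.save()
    return Response(status=status.HTTP_200_OK)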
def may_account(exp, request):
    """Return True if the requesting user may do the accounting for *exp*.

    A wildcard ``accounting-*`` permission grants access to everything;
    otherwise holding ``accounting-<committee>`` for the committee behind
    any single part of the expense is enough.
    """
    if has_permission("accounting-*", request):
        return True
    committee_names = (
        part.budget_line.cost_centre.committee.name
        for part in exp.expensepart_set.all()
    )
    return any(
        has_permission("accounting-" + name, request) for name in committee_names
    )
def may_attest_expense(exp, request):
    """Return True if the requesting user may attest *exp*.

    ``attest-*`` grants everything; otherwise ``attest-<committee>`` for the
    committee of any one of the expense's parts suffices.
    """
    if has_permission("attest-*", request):
        return True
    parts = ExpensePart.objects.filter(expense=exp)
    return any(
        has_permission("attest-" + part.budget_line.cost_centre.committee.name, request)
        for part in parts
    )
def may_view_expense(request, expense):
    """Return True if the requester may view *expense*.

    Viewing is allowed to the expense owner (compared by username), to
    anyone with the ``pay`` permission, and to anyone holding an ``attest-``
    or ``accounting-`` permission for one of the expense's committees.
    The committee name is lower-cased before the lookup.
    NOTE(review): the other helpers in this listing build the permission
    string from the raw committee name — confirm which casing the
    permission store expects.
    """
    is_owner = expense.owner.user.username == request.user.username
    if is_owner or dauth.has_permission('pay', request):
        return True
    for committee in expense.committees():
        name = committee.name.lower()
        for prefix in ('attest-', 'accounting-'):
            if dauth.has_permission(prefix + name, request):
                return True
    return False
def may_account(exp, request):
    """Return True if the requesting user may do the accounting for *exp*.

    Either the wildcard ``accounting-*`` permission, or the committee-level
    ``accounting-<committee>`` permission for any part of the expense.
    """
    if has_permission("accounting-*", request):
        return True
    for expense_part in exp.expensepart_set.all():
        perm = "accounting-" + expense_part.budget_line.cost_centre.committee.name
        if has_permission(perm, request):
            return True
    return False
def may_view_expense(exp, request):
    """Helper: return True if the requester may view *exp*.

    Access is granted to the owner, to holders of ``attest-*``, and to
    holders of ``attest-<committee>`` for any committee an expense part
    belongs to.  Note the ``(exp, request)`` argument order; the other
    ``may_view_expense`` in this listing takes ``(request, expense)``.
    """
    if request.user == exp.owner.user or has_permission("attest-*", request):
        return True
    return any(
        has_permission("attest-" + part.budget_line.cost_centre.committee.name, request)
        for part in exp.expensepart_set.all()
    )
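def create(self, request, **kwargs):
    """Register a Payment reimbursing the expenses named in the ``json`` POST field.

    Expected body: ``{"expense_ids": [...], "account_id": ...}``.  One
    Payment is created, its sum being ``compute_total()`` summed over the
    expenses, paid to the owner of those expenses; each expense is then
    linked to the payment through ``reimbursement``.

    :param request: HTTP request; the payer is the requester's Profile
    :return: 200 on success, 400 on malformed or inconsistent input,
        404 for an unknown expense id, 403 without the ``pay`` permission
    """
    # NOTE(review): every other permission check in this listing passes the
    # request, not request.user — confirm has_permission accepts a user here.
    if not has_permission("pay", request.user):
        return Response(status=status.HTTP_403_FORBIDDEN)

    try:
        json_args = json.loads(request.POST['json'])
        expense_ids = json_args['expense_ids']
        account_id = json_args['account_id']
    except (KeyError, ValueError, TypeError):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    if not expense_ids:
        # Nothing to pay, and [0] below would fail on an empty list.
        return Response(status=status.HTTP_400_BAD_REQUEST)

    try:
        expenses = [Expense.objects.get(id=exp_id) for exp_id in expense_ids]
    except ValueError:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    except ObjectDoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    receiver = expenses[0].owner
    # A payment has a single receiver: refuse to mark another owner's
    # expense as paid by it, and refuse to reimburse an expense twice.
    if any(exp.owner != receiver for exp in expenses):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    if any(exp.reimbursement is not None for exp in expenses):
        return Response(status=status.HTTP_400_BAD_REQUEST)

    total = sum(exp.compute_total() for exp in expenses)
    payment = Payment(
        date=date.today(),
        payer=Profile.objects.get(user=request.user),
        receiver=receiver,
        account_id=account_id,
        sum=total
    )
    payment.save()
    # NOTE(review): not wrapped in a transaction; a failure in this loop
    # leaves a saved Payment with only some expenses linked to it.
    for exp in expenses:
        exp.reimbursement = payment
        exp.save()
    return Response(status=status.HTTP_200_OK)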
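def payments(self, request, username, **kwargs):
    """List the payments received by *username*.

    Readable by the user themself and by holders of ``admin``.

    :param username: receiver whose payments are listed
    :return: ``{'payments': [...]}`` or 403
    """
    # Compare by value: ``is`` on two str objects is an identity test and
    # would deny users access to their own payments.
    if request.user.username == username or has_permission("admin", request):
        received = Payment.objects.filter(receiver__user__username=username)
        return Response({'payments': [p.to_dict() for p in received]})
    return Response(status=status.HTTP_403_FORBIDDEN)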
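def create(self, request, **kwargs):
    """Register a Payment reimbursing the expenses named in the ``json`` POST field.

    Expected body: ``{"expense_ids": [...], "account_id": ...}``.  One
    Payment is created, its sum being ``compute_total()`` summed over the
    expenses, paid to the owner of those expenses; each expense is then
    linked to the payment through ``reimbursement``.

    :param request: HTTP request; the payer is the requester's Profile
    :return: 200 on success, 400 on malformed or inconsistent input,
        404 for an unknown expense id, 403 without the ``pay`` permission
    """
    # NOTE(review): every other permission check in this listing passes the
    # request, not request.user — confirm has_permission accepts a user here.
    if not has_permission("pay", request.user):
        return Response(status=status.HTTP_403_FORBIDDEN)

    try:
        json_args = json.loads(request.POST['json'])
        expense_ids = json_args['expense_ids']
        account_id = json_args['account_id']
    except (KeyError, ValueError, TypeError):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    if not expense_ids:
        # Nothing to pay, and [0] below would fail on an empty list.
        return Response(status=status.HTTP_400_BAD_REQUEST)

    try:
        expenses = [Expense.objects.get(id=exp_id) for exp_id in expense_ids]
    except ValueError:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    except ObjectDoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    receiver = expenses[0].owner
    # A payment has a single receiver: refuse to mark another owner's
    # expense as paid by it, and refuse to reimburse an expense twice.
    if any(exp.owner != receiver for exp in expenses):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    if any(exp.reimbursement is not None for exp in expenses):
        return Response(status=status.HTTP_400_BAD_REQUEST)

    total = sum(exp.compute_total() for exp in expenses)
    payment = Payment(
        date=date.today(),
        payer=Profile.objects.get(user=request.user),
        receiver=receiver,
        account_id=account_id,
        sum=total
    )
    payment.save()
    # NOTE(review): not wrapped in a transaction; a failure in this loop
    # leaves a saved Payment with only some expenses linked to it.
    for exp in expenses:
        exp.reimbursement = payment
        exp.save()
    return Response(status=status.HTTP_200_OK)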
def list(self, request, **kwargs):
    """Return every Payment as a list of dicts; ``admin`` only, 403 otherwise."""
    if not has_permission("admin", request):
        return Response(status=status.HTTP_403_FORBIDDEN)
    payload = {'payments': [payment.to_dict() for payment in Payment.objects.all()]}
    return Response(payload)
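def destroy(self, request, pk, **kwargs):
    """Delete the expense with id *pk*.

    Allowed for the expense owner and for holders of ``admin``.

    :param pk: expense id, parsed as an int
    :return: 200 on deletion, 400 for a non-integer pk, 404 when the
        expense does not exist, 403 otherwise
    """
    try:
        exp = Expense.objects.get(id=int(pk))
    except ValueError:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    except ObjectDoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)
    # Compare by value: ``is`` tests identity of two separately loaded
    # objects and never matched, so owners could not delete their own expense.
    if request.user == exp.owner.user or has_permission("admin", request):
        exp.delete()
        return Response(status=status.HTTP_200_OK)
    return Response(status=status.HTTP_403_FORBIDDEN)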
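def pay_overview(request):
    """Render the payment overview for holders of the ``pay`` permission.

    Lists expenses with every part attested and no reimbursement yet, plus
    the bank accounts to pay from.  An optional ``?payment=<id>`` query
    parameter adds that Payment to the template context.

    :raises Http404: when ``payment`` is not an integer or does not exist
    """
    if not dauth.has_permission('pay', request):
        return HttpResponseForbidden("Du har inte rättigheterna för att se den här sidan")
    payable = (
        models.Expense.objects.filter(reimbursement=None)
        .exclude(expensepart__attested_by=None)
        .order_by('owner__user__username')
    )
    context = {
        'payable_expenses': payable,
        'accounts': models.BankAccount.objects.all().order_by('name'),
    }
    # Read the one parameter we use; any other query string must not
    # trigger a KeyError, and a bad id is a client error, not a crash.
    payment_id = request.GET.get('payment')
    if payment_id is not None:
        try:
            context['payment'] = models.Payment.objects.get(id=int(payment_id))
        except (ValueError, ObjectDoesNotExist):
            raise Http404()
    return render(request, 'expenses/action_pay.html', context)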
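def add_budget(request, year):
    """Create or update the budget for *year* from a JSON document; ``admin`` only.

    Expects a POST body shaped like
    ``{committee: {cost_centre: {budget_line: {"amount": .., "spent": ..,
    "booking": [account_number, ...]}}}}``.  Missing committees, cost
    centres, budget lines and booking accounts are created; existing ones
    are updated in place.  ``amount`` and ``spent`` are optional, ``booking``
    is required for every budget line.

    :param year: name of the ``models.Year`` to load the budget into
    :raises Http404: for non-POST requests or an unknown year
    :return: ``{"response": "Success"}``, or a 400 JSON response when the
        body is not valid JSON
    """
    if not dauth.has_permission('admin', request):
        return HttpResponseForbidden()
    if request.method != 'POST':
        raise Http404()
    try:
        year = models.Year.objects.get(name=year)
    except ObjectDoesNotExist:
        raise Http404("Året finns inte")
    try:
        budget = json.loads(request.body.decode('utf-8'))
    except ValueError:
        # Covers both undecodable bytes and invalid JSON.
        return JsonResponse({"response": "Malformed JSON"}, status=400)
    # NOTE(review): the writes below are not wrapped in a transaction; a bad
    # entry part-way through leaves the earlier rows committed.
    for committee, cost_centres in budget.items():
        committee_object = _get_or_create_committee(year, committee)
        for cost_centre, budget_lines in cost_centres.items():
            costcentre_object = _get_or_create_cost_centre(committee_object, cost_centre)
            for budget_line, spec in budget_lines.items():
                budgetline_object = _upsert_budget_line(costcentre_object, budget_line, spec)
                _link_booking_accounts(budgetline_object, spec['booking'])
    return JsonResponse({"response": "Success"})


def _get_or_create_committee(year, name):
    """Return the Committee *name* of *year*, creating and saving it if absent."""
    try:
        return models.Committee.objects.get(year=year, name=name)
    except ObjectDoesNotExist:
        committee_object = models.Committee(year=year, name=name)
        committee_object.save()
        return committee_object


def _get_or_create_cost_centre(committee_object, name):
    """Return the CostCentre *name* under *committee_object*, creating it if absent."""
    try:
        return models.CostCentre.objects.get(committee=committee_object, name=name)
    except ObjectDoesNotExist:
        costcentre_object = models.CostCentre(committee=committee_object, name=name)
        costcentre_object.save()
        return costcentre_object


def _upsert_budget_line(costcentre_object, name, spec):
    """Return the saved BudgetLine *name* under *costcentre_object*, applying ``amount``/``spent`` from *spec* when present."""
    try:
        budgetline_object = models.BudgetLine.objects.get(cost_centre=costcentre_object, name=name)
    except ObjectDoesNotExist:
        budgetline_object = models.BudgetLine(cost_centre=costcentre_object, name=name)
    if 'amount' in spec:
        budgetline_object.amount = spec['amount']
    if 'spent' in spec:
        budgetline_object.spent = spec['spent']
    budgetline_object.save()
    return budgetline_object


def _link_booking_accounts(budgetline_object, account_numbers):
    """Attach *budgetline_object* to each BookingAccount number, creating unnamed accounts as needed."""
    for booking_account in account_numbers:
        number = int(booking_account)
        try:
            bookingaccount_object = models.BookingAccount.objects.get(number=number)
        except ObjectDoesNotExist:
            bookingaccount_object = models.BookingAccount(number=number, name="")
            bookingaccount_object.save()
        bookingaccount_object.budgetlines.add(budgetline_object)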
def retrieve(self, request, username, **kwargs):
    """
    Returns a JSON representation of the user with the specified username

    Only the user themself or a holder of the ``pay`` permission receives
    the data; anyone else gets 403.  NOTE(review): the lookup runs before
    the permission check, so a 404 reveals whether a username exists.

    :param request: HTTP request
    :param username: Username to retrieve
    """
    try:
        person = Profile.objects.get(user__username=username)
    except ValueError:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    except ObjectDoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    is_self = person.user.username == request.user.username
    if not (is_self or has_permission("pay", request)):
        return Response(status=status.HTTP_403_FORBIDDEN)
    return Response({'user': person.to_dict()})
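def destroy(self, request, pk, **kwargs):
    """
    Delete the comment with the provided ID

    Allowed for the comment's author and for holders of ``admin``.

    :param request: HTTP request
    :param pk: Comment ID to delete
    :return: 200 on deletion, 400 for a non-integer pk, 404 when the
        comment does not exist, 403 otherwise
    """
    # Retrieve comment
    try:
        c = Comment.objects.get(id=int(pk))
    except ValueError:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    except ObjectDoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)
    # ``is`` compared two separately loaded objects by identity and never
    # matched, so authors could not delete their own comments.  Comments are
    # created with author=request.user.profile elsewhere in this listing, so
    # the author is compared against the requester's Profile by value.
    # NOTE(review): confirm Comment.author is a Profile, not a User.
    if c.author == request.user.profile or has_permission("admin", request):
        c.delete()
        return Response(status=status.HTTP_200_OK)
    # If not, 403
    return Response(status=status.HTTP_403_FORBIDDEN)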
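def confirm_expense(request, pk):
    """Mark expense *pk* as confirmed and leave a comment saying the receipt is filed.

    Requires a POST request and the ``confirm`` permission.  The permission
    is checked before the expense is looked up, so an unauthorised caller
    cannot tell from a 403/404 difference whether an expense id exists.

    :param pk: primary key of the Expense to confirm
    :raises Http404: for non-POST requests or an unknown expense
    :return: redirect to ``admin-confirm`` on success, 403 without permission
    """
    if request.method != 'POST':
        raise Http404()
    if not dauth.has_permission('confirm', request):
        return HttpResponseForbidden("Du har inte rättigheterna för att se den här sidan")
    # Only the lookup can raise ObjectDoesNotExist; keep the try block to it.
    try:
        expense = Expense.objects.get(pk=pk)
    except ObjectDoesNotExist:
        raise Http404("Utlägget finns inte")
    expense.confirmed_by = request.user
    expense.confirmed_at = date.today()
    expense.save()
    comment = Comment(
        expense=expense,
        author=request.user.profile,
        content='Jag bekräftar att kvittot finns i pärmen.'
    )
    comment.save()
    return HttpResponseRedirect(reverse('admin-confirm'))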
def may_view_user(request, user_to_view):
    """Return whether the requester may view *user_to_view*.

    Granted to the user themself, to holders of ``pay``, and to anyone whose
    Profile may do accounting for at least one committee (a non-empty
    ``may_account()`` result).
    """
    if request.user == user_to_view:
        return True
    return has_permission('pay', request) or len(request.user.profile.may_account()) > 0