def before_update_object(self, order, data, view_kwargs):
    """
    Authorisation hook run before an order is updated.

    Who may change what (as implemented below):

    1. A caller who passes the first gate but is neither
       ``is_coorganizer_but_not_admin`` nor the order's owner (i.e. an
       admin editing someone else's order) gets no per-field check; only
       the ``order_notes`` merge at the end applies.
    2. Event organizer (``is_coorganizer_but_not_admin``):
        a. own orders: may change only the fields listed by
           ``get_updatable_fields()``.
        b. other people's orders: may change only ``status``, and not when
           the order is paid (``order.amount`` truthy) and ``completed``
           (no refund system), nor when it is already ``cancelled``.
    3. The order's owner: may change only the fields listed by
       ``get_updatable_fields()``, and only while the order is ``pending``.
       NOTE(review): an admin who owns the order also lands here, so the
       "admin can update all the fields" rule does not hold for own orders
       - confirm that is intended.

    :param order: the persisted order being updated
    :param data: incoming field values keyed by field name; mutated in
        place for ``order_notes`` (see the end of the method)
    :param view_kwargs: unused here
    :return: None
    :raises ForbiddenException: when the current user may not perform the
        requested change
    """
    # Gate 1: only co-organizers (and above) of the event, or the order's
    # owner, get any further.
    if (not has_access('is_coorganizer', event_id=order.event_id)) and (not current_user.id == order.user_id):
        raise ForbiddenException({'pointer': ''}, "Access Forbidden")

    if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
        if current_user.id == order.user_id:
            # Order created from the tickets tab.
            # NOTE(review): a falsy incoming value (0, False, '', None)
            # skips the check entirely, even when the stored value is
            # truthy - confirm that is intended.
            for element in data:
                if data[element] and data[element]\
                        != getattr(order, element, None) and element not in get_updatable_fields():
                    raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                             "You cannot update {} of an order".format(element))
        else:
            # Order created from the public pages.
            # Only a changed 'status' is tolerated here; any other changed
            # field is rejected. Same falsy-value caveat as above.
            for element in data:
                if data[element] and data[element] != getattr(order, element, None):
                    if element != 'status':
                        raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                                 "You cannot update {} of an order".format(element))
                    elif element == 'status' and order.amount and order.status == 'completed':
                        # Since we don't have a refund system.
                        raise ForbiddenException({'pointer': 'data/status'},
                                                 "You cannot update the status of a completed paid order")
                    elif element == 'status' and order.status == 'cancelled':
                        # Since the tickets have been unlocked and we can't revert it.
                        raise ForbiddenException({'pointer': 'data/status'},
                                                 "You cannot update the status of a cancelled order")
    elif current_user.id == order.user_id:
        # Owner path: the whole update is refused unless the order is still
        # pending; otherwise the same updatable-fields rule as branch 2a.
        if order.status != 'pending':
            raise ForbiddenException({'pointer': ''}, "You cannot update a non-pending order")
        else:
            for element in data:
                if data[element] and data[element]\
                        != getattr(order, element, None) and element not in get_updatable_fields():
                    raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                             "You cannot update {} of an order".format(element))

    # Organizer notes accumulate as a comma-separated list: an incoming note
    # is appended to the stored one unless it is already present. A new note
    # on an order with no stored notes is left as sent.
    if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
        if order.order_notes and data['order_notes'] not in order.order_notes.split(","):
            data['order_notes'] = '{},{}'.format(order.order_notes, data['order_notes'])
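def check_event_user_ticket_holders(order, data, element):
    """
    Reject a forbidden change to one of an order's relationships.

    ``event`` and ``user`` may never change. ``ticket_holders`` may change
    only when ``get_updatable_fields()`` lists it. Any other ``element`` is
    ignored. Ids are compared in string form.

    :param order: the persisted order
    :param data: incoming field values keyed by field name
    :param element: the key of ``data`` to check
    :return: None
    :raises ForbiddenException: when the relationship would change and may not
    """
    if element in ('event', 'user'):
        related = getattr(order, element, None)
        # A missing relationship used to raise AttributeError on ``.id``;
        # treat it as "no current id" and let the comparison decide.
        current_id = None if related is None else str(related.id)
        if data[element] != current_id:
            raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                     "You cannot update {} of an order".format(element))
    elif element == 'ticket_holders':
        # Order-sensitive comparison, as before: the incoming list must match
        # the stored holders in the same order.
        holder_ids = [str(holder.id) for holder in order.ticket_holders]
        if data[element] != holder_ids and element not in get_updatable_fields():
            raise ForbiddenException({'pointer': 'data/{}'.format(element)},
                                     "You cannot update {} of an order".format(element))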
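def check_event_user_ticket_holders(order, data, element):
    """
    Reject a forbidden change to one of an order's relationships.

    ``event`` and ``user`` may never change. ``ticket_holders`` may change
    only when ``get_updatable_fields()`` lists it. Any other ``element`` is
    ignored. Ids are compared in string form.

    :param order: the persisted order
    :param data: incoming field values keyed by field name
    :param element: the key of ``data`` to check
    :return: None
    :raises ForbiddenError: when the relationship would change and may not
    """
    if element in ('event', 'user'):
        related = getattr(order, element, None)
        # A missing relationship used to raise AttributeError on ``.id``;
        # treat it as "no current id" and let the comparison decide.
        current_id = None if related is None else str(related.id)
        if data[element] != current_id:
            raise ForbiddenError(
                {'pointer': f'data/{element}'},
                f"You cannot update {element} of an order",
            )
    elif element == 'ticket_holders':
        # Order-sensitive comparison, as before: the incoming list must match
        # the stored holders in the same order.
        holder_ids = [str(holder.id) for holder in order.ticket_holders]
        if data[element] != holder_ids and element not in get_updatable_fields():
            raise ForbiddenError(
                {'pointer': f'data/{element}'},
                f"You cannot update {element} of an order",
            )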
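def before_update_object(self, order, data, view_kwargs):
    """
    Validation and authorisation hook run before an order is updated.

    Steps, in order: attendee custom-form validation when the order is
    moving to ``pending``/``placed``/``completed``; billing-info validation;
    the per-role field checks below; the organizer ``order_notes`` merge;
    and finally payment-mode / amount consistency checks.

    Who may change what (as implemented below):

    1. A caller who passes the first gate but is neither
       ``is_coorganizer_but_not_admin`` nor the order's owner (i.e. an
       admin editing someone else's order) gets no per-field check.
    2. Event organizer (``is_coorganizer_but_not_admin``):
        a. own orders: may change only the fields listed by
           ``get_updatable_fields()``; relationships go through
           ``check_event_user_ticket_holders``.
        b. other people's orders: may change only ``status`` and
           ``deleted_at``; ``status`` not when the order is paid
           (``order.amount`` truthy) and ``completed`` (no refund system),
           nor when it is already ``cancelled``.
    3. The order's owner: may change only the fields listed by
       ``get_updatable_fields()``, and only while the order is
       ``initializing`` or ``pending``.
       NOTE(review): an admin who owns the order also lands here, so the
       "admin can update all the fields" rule does not hold for own orders
       - confirm that is intended.

    :param order: the persisted order being updated
    :param data: incoming field values keyed by field name; mutated in
        place for ``order_notes``
    :param view_kwargs: unused here
    :return: None
    :raises ForbiddenError: when the current user may not perform the
        requested change
    :raises UnprocessableEntityError: when ``payment_mode`` is ``free`` for
        a positive amount, or when a ``completed`` stripe/paypal order
        cannot be verified by ``is_payment_valid``
    """
    if data.get('status') in ['pending', 'placed', 'completed']:
        # Every attendee must satisfy the event's custom form before the
        # order advances.
        for attendee in order.ticket_holders:
            validate_custom_form_constraints_request('attendee', AttendeeSchema, attendee, {})

    if data.get('amount') and (data.get('is_billing_enabled') or order.event.is_billing_info_mandatory):
        check_billing_info(data)

    # Gate 1: only co-organizers (and above) of the event, or the order's
    # owner, get any further.
    if (not has_access('is_coorganizer', event_id=order.event_id)) and (not current_user.id == order.user_id):
        raise ForbiddenError({'pointer': ''}, "Access Forbidden")

    # Relationship keys carry ids rather than attribute values, so they are
    # compared by check_event_user_ticket_holders instead of getattr().
    relationships = ['event', 'ticket_holders', 'user']

    if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
        if current_user.id == order.user_id:
            # Order created from the tickets tab.
            for element in data:
                # NOTE(review): a falsy incoming value (0, False, '', None)
                # skips every check in this loop, even when the stored value
                # is truthy - confirm that is intended.
                if not data[element]:
                    continue
                if (element not in relationships
                        and data[element] != getattr(order, element, None)
                        and element not in get_updatable_fields()):
                    raise ForbiddenError(
                        {'pointer': f'data/{element}'},
                        f"You cannot update {element} of an order",
                    )
                check_event_user_ticket_holders(order, data, element)
        else:
            # Order created from the public pages: only status / deleted_at
            # may change. Same falsy-value caveat as above.
            for element in data:
                if not data[element]:
                    continue
                if element not in relationships and data[element] != getattr(order, element, None):
                    if element != 'status' and element != 'deleted_at':
                        raise ForbiddenError(
                            {'pointer': f'data/{element}'},
                            f"You cannot update {element} of an order",
                        )
                    if element == 'status' and order.amount and order.status == 'completed':
                        # Since we don't have a refund system.
                        raise ForbiddenError(
                            {'pointer': 'data/status'},
                            "You cannot update the status of a completed paid order",
                        )
                    if element == 'status' and order.status == 'cancelled':
                        # Since the tickets have been unlocked and we can't revert it.
                        raise ForbiddenError(
                            {'pointer': 'data/status'},
                            "You cannot update the status of a cancelled order",
                        )
                else:
                    # Relationship keys (and unchanged attributes) are checked
                    # against the stored relationship ids.
                    check_event_user_ticket_holders(order, data, element)
    elif current_user.id == order.user_id:
        if order.status != 'initializing' and order.status != 'pending':
            raise ForbiddenError(
                {'pointer': ''},
                "You cannot update a non-initialized or non-pending order",
            )
        for element in data:
            # Same falsy-value caveat as in the organizer branch.
            if not data[element]:
                continue
            # NOTE(review): the guard above already rejected every status
            # other than initializing/pending, so this completed-order check
            # cannot fire here; kept verbatim pending a decision on intent.
            if (element == 'is_billing_enabled' and order.status == 'completed'
                    and data[element] != getattr(order, element, None)):
                raise ForbiddenError(
                    {'pointer': f'data/{element}'},
                    "You cannot update {} of a completed order".format(element),
                )
            if (element not in relationships
                    and data[element] != getattr(order, element, None)
                    and element not in get_updatable_fields()):
                raise ForbiddenError(
                    {'pointer': f'data/{element}'},
                    f"You cannot update {element} of an order",
                )
            check_event_user_ticket_holders(order, data, element)

    # Organizer notes accumulate as a comma-separated list: an incoming note
    # is appended to the stored one unless it is already present. A new note
    # on an order with no stored notes is left as sent.
    if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
        if order.order_notes and data['order_notes'] not in order.order_notes.split(","):
            data['order_notes'] = '{},{}'.format(order.order_notes, data['order_notes'])

    # A request that sets payment_mode without an amount used to hit
    # ``None > 0`` (TypeError); a missing amount is treated as 0 instead.
    if data.get('payment_mode') == 'free' and (data.get('amount') or 0) > 0:
        raise UnprocessableEntityError(
            {'pointer': '/data/attributes/payment-mode'},
            "payment-mode cannot be free for order with amount > 0",
        )

    # NOTE(review): this keys on the payment_mode sent in *this* request,
    # not the stored one - confirm that a status=completed update which
    # omits payment_mode is verified elsewhere.
    if data.get('status') == 'completed':
        for gateway in ('stripe', 'paypal'):
            if data.get('payment_mode') == gateway and not is_payment_valid(order, gateway):
                raise UnprocessableEntityError(
                    {'pointer': '/data/attributes/payment-mode'},
                    f"insufficient data to verify {gateway} payment",
                )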
def before_update_object(self, order, data, view_kwargs):
    """
    Authorisation hook run before an order is updated.

    Who may change what (as implemented below):

    1. A caller who passes the first gate but is neither
       ``is_coorganizer_but_not_admin`` nor the order's owner (i.e. an
       admin editing someone else's order) gets no per-field check; only
       the ``order_notes`` merge at the end applies.
    2. Event organizer (``is_coorganizer_but_not_admin``):
        a. own orders: may change only the fields listed by
           ``get_updatable_fields()``.
        b. other people's orders: may change only ``status``, and not when
           the order is paid (``order.amount`` truthy) and ``completed``
           (no refund system), nor when it is already ``cancelled``.
    3. The order's owner: may change only the fields listed by
       ``get_updatable_fields()``, and only while the order is ``pending``.
       NOTE(review): an admin who owns the order also lands here, so the
       "admin can update all the fields" rule does not hold for own orders
       - confirm that is intended.

    :param order: the persisted order being updated
    :param data: incoming field values keyed by field name; mutated in
        place for ``order_notes`` (see the end of the method)
    :param view_kwargs: unused here
    :return: None
    :raises ForbiddenException: when the current user may not perform the
        requested change
    """
    # Gate 1: only co-organizers (and above) of the event, or the order's
    # owner, get any further.
    if (not has_access('is_coorganizer', event_id=order.event_id)) and (
            not current_user.id == order.user_id):
        raise ForbiddenException({'pointer': ''}, "Access Forbidden")

    if has_access('is_coorganizer_but_not_admin', event_id=order.event_id):
        if current_user.id == order.user_id:
            # Order created from the tickets tab.
            # NOTE(review): a falsy incoming value (0, False, '', None)
            # skips the check entirely, even when the stored value is
            # truthy - confirm that is intended.
            for element in data:
                if data[element] and data[element]\
                        != getattr(order, element, None) and element not in get_updatable_fields():
                    raise ForbiddenException(
                        {'pointer': 'data/{}'.format(element)},
                        "You cannot update {} of an order".format(element))
        else:
            # Order created from the public pages.
            # Only a changed 'status' is tolerated here; any other changed
            # field is rejected. Same falsy-value caveat as above.
            for element in data:
                if data[element] and data[element] != getattr(
                        order, element, None):
                    if element != 'status':
                        raise ForbiddenException(
                            {'pointer': 'data/{}'.format(element)},
                            "You cannot update {} of an order".format(
                                element))
                    elif element == 'status' and order.amount and order.status == 'completed':
                        # Since we don't have a refund system.
                        raise ForbiddenException({
                            'pointer': 'data/status'
                        }, "You cannot update the status of a completed paid order"
                        )
                    elif element == 'status' and order.status == 'cancelled':
                        # Since the tickets have been unlocked and we can't revert it.
                        raise ForbiddenException({
                            'pointer': 'data/status'
                        }, "You cannot update the status of a cancelled order"
                        )
    elif current_user.id == order.user_id:
        # Owner path: the whole update is refused unless the order is still
        # pending; otherwise the same updatable-fields rule as branch 2a.
        if order.status != 'pending':
            raise ForbiddenException(
                {'pointer': ''}, "You cannot update a non-pending order")
        else:
            for element in data:
                # NOTE(review): the guard above has already rejected every
                # order that is not 'pending', so this completed-order check
                # can never fire here - confirm whether the guard or this
                # check carries the intended rule.
                if element == 'is_billing_enabled' and order.status == 'completed' and data[element]\
                        and data[element] != getattr(order, element, None):
                    raise ForbiddenException(
                        {'pointer': 'data/{}'.format(element)},
                        "You cannot update {} of a completed order".format(
                            element))
                elif data[element] and data[element]\
                        != getattr(order, element, None) and element not in get_updatable_fields():
                    raise ForbiddenException(
                        {'pointer': 'data/{}'.format(element)},
                        "You cannot update {} of an order".format(element))

    # Organizer notes accumulate as a comma-separated list: an incoming note
    # is appended to the stored one unless it is already present. A new note
    # on an order with no stored notes is left as sent.
    if has_access('is_organizer', event_id=order.event_id) and 'order_notes' in data:
        if order.order_notes and data[
                'order_notes'] not in order.order_notes.split(","):
            data['order_notes'] = '{},{}'.format(order.order_notes, data['order_notes'])