示例#1
文件: attest.py 项目: wejade/cashflow
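    def create(self, request, **kwargs):
        """
        Attest the expense parts listed in the posted JSON document.

        Expects a form field ``json`` holding ``{"parts": [<id>, ...]}``.
        Nothing is saved unless every listed part exists and the caller holds
        ``attest-*`` or ``attest-<committee name>`` for that part. Parts that
        already have an attester are left untouched.

        :param request:     HTTP request
        """
        if 'json' not in request.POST:
            return HttpResponseBadRequest()

        # The document is client-controlled: malformed JSON, a non-object body
        # or a missing "parts" entry is a client error, not a server crash.
        try:
            expense_part_ids = json.loads(request.POST['json'])['parts']
        except (ValueError, KeyError, TypeError):
            return Response(
                {'error': "Malformed JSON or missing 'parts'"},
                status=status.HTTP_400_BAD_REQUEST
            )
        if not isinstance(expense_part_ids, list):
            return Response(
                {'error': "'parts' must be a list of expense part ids"},
                status=status.HTTP_400_BAD_REQUEST
            )

        expense_parts_to_be_saved = []
        for exp_part_id in expense_part_ids:
            try:
                part = ExpensePart.objects.get(id=exp_part_id)
            except (ValueError, TypeError):
                # An id that cannot be coerced to the key type is a bad request.
                return Response(
                    {'error': "Invalid expense part id " + str(exp_part_id)},
                    status=status.HTTP_400_BAD_REQUEST
                )
            except ObjectDoesNotExist:
                # Report the requested id rather than the exception text, and
                # use the same 'error' key as the 403 branch below.
                return Response(
                    {'error': "Expense_part with id " + str(exp_part_id) + " does not exist"},
                    status=status.HTTP_400_BAD_REQUEST
                )

            # Authorisation is evaluated per part, server-side, against the
            # committee that owns the part's budget line.
            # NOTE(review): nothing visible here stops a caller from attesting
            # a part of their own expense - confirm whether that is intended.
            if not (has_permission("attest-*", request) or
                    has_permission("attest-" + part.budget_line.cost_centre.committee.name, request)):
                return Response(
                    {'error': "You don't have permission to attest part with id " + str(part.id)},
                    status=status.HTTP_403_FORBIDDEN
                )

            if part.attested_by is None:
                part.attested_by = Profile.objects.get(user=request.user)
                part.attest_date = date.today()
                expense_parts_to_be_saved.append(part)

        # Saving starts only after every part passed the checks above.
        # NOTE(review): the "not yet attested" test and these saves are not one
        # atomic step, so two concurrent requests can both attest a part.
        for part in expense_parts_to_be_saved:
            part.save()

        return Response(status=status.HTTP_200_OK)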
示例#2
def may_account(exp, request):
    """
    Tell whether the requesting user may do accounting on an expense.

    Access is granted by the ``accounting-*`` permission or by
    ``accounting-<committee name>`` for the committee behind at least one of
    the expense's parts.

    :param exp:         Expense whose parts are inspected
    :param request:     HTTP request carrying the user to check
    """
    if has_permission("accounting-*", request):
        return True

    # Lazy generator: the per-committee checks stop at the first match.
    return any(
        has_permission("accounting-" + part.budget_line.cost_centre.committee.name, request)
        for part in exp.expensepart_set.all()
    )
示例#3
文件: attest.py 项目: wejade/cashflow
def may_attest_expense(exp, request):
    """
    Tell whether the requesting user may attest at least one part of an expense.

    Access is granted by ``attest-*`` or by ``attest-<committee name>`` for
    the committee behind any part of the expense.

    :param exp:         Expense to check
    :param request:     HTTP request carrying the user to check
    """
    if has_permission("attest-*", request):
        return True

    # Evaluated lazily, so the database walk ends at the first permitted part.
    return any(
        has_permission("attest-" + part.budget_line.cost_centre.committee.name, request)
        for part in ExpensePart.objects.filter(expense=exp)
    )
示例#4
def may_view_expense(request, expense):
    """
    Tell whether the requesting user may view an expense.

    Allowed for the expense owner (matched by username), for holders of the
    ``pay`` permission, and for holders of ``attest-<committee>`` or
    ``accounting-<committee>`` on any committee of the expense. Committee
    names are lower-cased before the permission string is built.

    :param request:     HTTP request carrying the user to check
    :param expense:     Expense to check
    """
    is_owner = expense.owner.user.username == request.user.username
    if is_owner or dauth.has_permission('pay', request):
        return True

    for committee in expense.committees():
        scope = committee.name.lower()
        # Same order as before: attest first, accounting second.
        if any(dauth.has_permission(prefix + scope, request)
               for prefix in ('attest-', 'accounting-')):
            return True

    return False
示例#5
def may_account(exp, request):
    """
    Decide whether the requesting user may do accounting on an expense.

    The wildcard ``accounting-*`` permission is checked first; otherwise one
    ``accounting-<committee name>`` permission matching any part is enough.

    :param exp:         Expense whose parts are inspected
    :param request:     HTTP request carrying the user to check
    """
    allowed = bool(has_permission("accounting-*", request))
    if not allowed:
        for part in exp.expensepart_set.all():
            committee_name = part.budget_line.cost_centre.committee.name
            if has_permission("accounting-" + committee_name, request):
                allowed = True
                break  # one matching committee is sufficient

    return allowed
示例#6
def may_view_expense(exp, request):
    """
    Tell whether the requesting user may view an expense.

    Allowed for the expense owner, for holders of ``attest-*``, and for
    holders of ``attest-<committee name>`` on any part of the expense.

    :param exp:         Expense to check
    :param request:     HTTP request carrying the user to check
    """
    # Ownership is tested first, so an owner needs no attest permission.
    if request.user == exp.owner.user or has_permission("attest-*", request):
        return True

    return any(
        has_permission("attest-" + part.budget_line.cost_centre.committee.name, request)
        for part in exp.expensepart_set.all()
    )
示例#7
文件: pay.py 项目: wejade/cashflow
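    def create(self, request, **kwargs):
        """
        Register one payment that reimburses the posted expenses.

        Expects a form field ``json`` holding
        ``{"expense_ids": [<id>, ...], "account_id": <id>}``. The request is
        rejected with 400 unless the list is non-empty, free of duplicates,
        every expense exists, none is already reimbursed and all belong to
        the same owner, who becomes the payment's receiver.

        :param request:     HTTP request
        """
        # NOTE(review): other permission checks in this project pass
        # ``request``; this one passes ``request.user`` - confirm which
        # argument has_permission expects.
        if not has_permission("pay", request.user):
            return Response(status=status.HTTP_403_FORBIDDEN)

        # Everything below is client-controlled; malformed input is a 400.
        try:
            json_args = json.loads(request.POST['json'])
            expense_ids = json_args['expense_ids']
            account_id = json_args['account_id']
        except (KeyError, ValueError, TypeError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        if not isinstance(expense_ids, list) or not expense_ids:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        # A repeated id would be counted twice in the payment sum.
        if len(set(map(str, expense_ids))) != len(expense_ids):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # Load and validate every expense before anything is written.
        expenses = []
        try:
            for exp_id in expense_ids:
                expenses.append(Expense.objects.get(id=exp_id))
        except (Expense.DoesNotExist, ValueError, TypeError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        receiver = expenses[0].owner
        for exp in expenses:
            # Paying an already reimbursed expense would pay it twice, and a
            # mixed-owner batch would send other owners' money to the first.
            if exp.reimbursement is not None or exp.owner != receiver:
                return Response(status=status.HTTP_400_BAD_REQUEST)
        # NOTE(review): confirm whether expenses must also be fully attested
        # before payment; that rule is not enforced here.

        total = 0
        for exp in expenses:
            total += exp.compute_total()

        payment = Payment(date=date.today(),
                          payer=Profile.objects.get(user=request.user),
                          receiver=receiver,
                          account_id=account_id,
                          sum=total)
        # NOTE(review): the payment and the expense updates are separate
        # writes; one database transaction would rule out a half-applied
        # payment.
        payment.save()

        for exp in expenses:
            exp.reimbursement = payment
            exp.save()

        # The success path previously fell off the end without a response.
        return Response(status=status.HTTP_200_OK)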
示例#8
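 def payments(self, request, username, **kwargs):
     """
     Return the payments received by the user with the given username.

     Allowed for that user and for holders of the ``admin`` permission;
     everyone else receives 403.

     :param request:     HTTP request
     :param username:    Username whose received payments are listed
     """
     # Compare by value: ``is`` tests object identity, which two equal
     # strings are not guaranteed to share, so the owner check could fail
     # for the legitimate user.
     if request.user.username == username or has_permission("admin", request):
         return Response({
             'payments': [payment.to_dict() for payment in Payment.objects.filter(receiver__user__username=username)]
         })

     return Response(status=status.HTTP_403_FORBIDDEN)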
示例#9
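    def create(self, request, **kwargs):
        """
        Register one payment that reimburses the posted expenses.

        Expects a form field ``json`` holding
        ``{"expense_ids": [<id>, ...], "account_id": <id>}``. Responds 400
        unless the id list is non-empty and duplicate-free, every expense
        exists, none already has a reimbursement and all share one owner,
        who becomes the receiver of the payment.

        :param request:     HTTP request
        """
        # NOTE(review): has_permission receives ``request.user`` here, while
        # other call sites in this project pass ``request`` - confirm the
        # expected argument.
        if not has_permission("pay", request.user):
            return Response(status=status.HTTP_403_FORBIDDEN)

        bad_request = Response(status=status.HTTP_400_BAD_REQUEST)

        # Client-controlled input: parse and shape-check before any lookup.
        try:
            json_args = json.loads(request.POST['json'])
            expense_ids = json_args['expense_ids']
            account_id = json_args['account_id']
        except (KeyError, ValueError, TypeError):
            return bad_request
        if not isinstance(expense_ids, list) or not expense_ids:
            return bad_request
        # The same id listed twice would inflate the payment sum.
        if len({str(exp_id) for exp_id in expense_ids}) != len(expense_ids):
            return bad_request

        # Resolve every expense once, before anything is written.
        try:
            expenses = [Expense.objects.get(id=exp_id) for exp_id in expense_ids]
        except (Expense.DoesNotExist, ValueError, TypeError):
            return bad_request

        receiver = expenses[0].owner
        for exp in expenses:
            # Reject double payment and batches that mix owners: the whole
            # sum goes to a single receiver.
            if exp.reimbursement is not None or exp.owner != receiver:
                return bad_request
        # NOTE(review): confirm whether unattested expenses must be refused
        # here as well; this method does not check attestation.

        total = 0
        for exp in expenses:
            total += exp.compute_total()

        payment = Payment(
            date=date.today(),
            payer=Profile.objects.get(user=request.user),
            receiver=receiver,
            account_id=account_id,
            sum=total
        )
        # NOTE(review): these writes are not wrapped in one transaction, so a
        # failure part-way leaves a payment linked to only some expenses.
        payment.save()

        for exp in expenses:
            exp.reimbursement = payment
            exp.save()

        # The success path previously ended without returning a response.
        return Response(status=status.HTTP_200_OK)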
示例#10
 def list(self, request, **kwargs):
     """
     Return every payment as a list of dictionaries.

     Only holders of the ``admin`` permission get the list; all other
     callers receive 403.

     :param request:     HTTP request
     """
     # Guard clause: refuse first, so the query runs only for admins.
     if not has_permission("admin", request):
         return Response(status=status.HTTP_403_FORBIDDEN)

     serialized = []
     for payment in Payment.objects.all():
         serialized.append(payment.to_dict())
     return Response({'payments': serialized})
示例#11
文件: pay.py 项目: wejade/cashflow
 def list(self, request, **kwargs):
     """
     List all payments for callers holding the ``admin`` permission.

     Callers without the permission receive 403 and no payment data.

     :param request:     HTTP request
     """
     is_admin = has_permission("admin", request)
     if not is_admin:
         return Response(status=status.HTTP_403_FORBIDDEN)

     # The payment table is read only after the permission check passed.
     payload = {'payments': [entry.to_dict() for entry in Payment.objects.all()]}
     return Response(payload)
示例#12
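    def destroy(self, request, pk, **kwargs):
        """
        Delete the expense with the provided ID

        Allowed for the expense owner and for holders of the ``admin``
        permission. Responds 400 for a non-numeric ID, 404 for an unknown
        one and 403 for any other caller.

        :param request:     HTTP request
        :param pk:          Expense ID to delete
        """
        # Retrieve expense
        try:
            exp = Expense.objects.get(id=int(pk))
        except ValueError:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        except ObjectDoesNotExist:
            return Response(status=status.HTTP_404_NOT_FOUND)

        # Compare by value: ``is`` tests object identity, and the user loaded
        # through ``exp.owner`` is a different object from ``request.user``
        # even when both represent the same account, so the owner branch
        # could never match.
        # NOTE(review): confirm whether an expense that is already attested
        # or reimbursed should still be deletable by its owner.
        if request.user == exp.owner.user or has_permission("admin", request):
            exp.delete()
            return Response(status=status.HTTP_200_OK)

        return Response(status=status.HTTP_403_FORBIDDEN)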
示例#13
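def pay_overview(request):
    """
    Render the payment overview for holders of the ``pay`` permission.

    The context lists expenses that have no reimbursement (excluding those
    with an unattested part) and all bank accounts. When the query string
    carries a valid ``payment`` id, that payment is added to the context.

    :param request:     HTTP request
    """
    if not dauth.has_permission('pay', request):
        return HttpResponseForbidden("Du har inte rättigheterna för att se den här sidan")

    context = {
        'payable_expenses': models.Expense.objects.filter(reimbursement=None)
            .exclude(expensepart__attested_by=None).order_by('owner__user__username'),
        'accounts': models.BankAccount.objects.all().order_by('name')}

    # Look only at the ``payment`` parameter. Any other query parameter, a
    # non-numeric id or an unknown id used to raise and produce a server
    # error; such requests now render the page without a payment.
    if 'payment' in request.GET:
        try:
            context['payment'] = models.Payment.objects.get(id=int(request.GET['payment']))
        except (ValueError, models.Payment.DoesNotExist):
            pass

    return render(request, 'expenses/action_pay.html', context)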
示例#14
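def _budget_payload_is_valid(budget):
    """Return True when *budget* has the nested shape add_budget writes from."""
    if not isinstance(budget, dict):
        return False
    for cost_centres in budget.values():
        if not isinstance(cost_centres, dict):
            return False
        for budget_lines in cost_centres.values():
            if not isinstance(budget_lines, dict):
                return False
            for line_spec in budget_lines.values():
                if not isinstance(line_spec, dict):
                    return False
                if not isinstance(line_spec.get('booking'), list):
                    return False
                for booking_account in line_spec['booking']:
                    try:
                        int(booking_account)
                    except (TypeError, ValueError, OverflowError):
                        return False
    return True


def add_budget(request, year):
    """
    Import a budget for a year from a JSON request body.

    The body maps committee name -> cost centre name -> budget line name ->
    ``{"amount": ..., "spent": ..., "booking": [<account number>, ...]}``,
    where ``amount`` and ``spent`` are optional. Missing committees, cost
    centres, budget lines and booking accounts are created. Requires the
    ``admin`` permission and the POST method.

    :param request:     HTTP request
    :param year:        Name of the year the budget belongs to
    """
    if not dauth.has_permission('admin', request):
        return HttpResponseForbidden()
    if request.method != 'POST':
        raise Http404()

    try:
        year = models.Year.objects.get(name=year)
    except ObjectDoesNotExist:
        raise Http404("Året finns inte")

    # Validate the whole document before the first write: a body that fails
    # half-way used to raise after some rows had already been created.
    try:
        budget = json.loads(request.body.decode('utf-8'))
    except ValueError:
        return JsonResponse({"response": "Invalid JSON"}, status=400)
    if not _budget_payload_is_valid(budget):
        return JsonResponse({"response": "Invalid budget structure"}, status=400)

    # NOTE(review): the writes below are still separate statements; a single
    # database transaction would also cover failures raised by the database.
    for committee, cost_centres in budget.items():
        try:
            committee_object = models.Committee.objects.get(year=year, name=committee)
        except ObjectDoesNotExist:
            committee_object = models.Committee(year=year, name=committee)
            committee_object.save()

        for cost_centre, budget_lines in cost_centres.items():
            try:
                costcentre_object = models.CostCentre.objects.get(committee=committee_object, name=cost_centre)
            except ObjectDoesNotExist:
                costcentre_object = models.CostCentre(committee=committee_object, name=cost_centre)
                costcentre_object.save()

            for budget_line, line_spec in budget_lines.items():
                try:
                    budgetline_object = models.BudgetLine.objects.get(cost_centre=costcentre_object,
                                                                      name=budget_line)
                except ObjectDoesNotExist:
                    # Saved below, after the optional amounts are applied.
                    budgetline_object = models.BudgetLine(cost_centre=costcentre_object, name=budget_line)

                if 'amount' in line_spec:
                    budgetline_object.amount = line_spec['amount']
                if 'spent' in line_spec:
                    budgetline_object.spent = line_spec['spent']
                budgetline_object.save()

                for booking_account in line_spec['booking']:
                    try:
                        bookingaccount_object = models.BookingAccount.objects.get(number=int(booking_account))
                    except ObjectDoesNotExist:
                        bookingaccount_object = models.BookingAccount(number=int(booking_account), name="")
                        bookingaccount_object.save()
                    bookingaccount_object.budgetlines.add(budgetline_object)

    return JsonResponse({"response": "Success"})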
示例#15
    def retrieve(self, request, username, **kwargs):
        """
        Return a JSON representation of the profile with the given username

        The profile is returned to its own user and to holders of the ``pay``
        permission; other callers receive 403.

        :param request:     HTTP request
        :param username:    Username to retrieve
        """
        # Look the profile up first; lookup failures map to 400 / 404
        try:
            person = Profile.objects.get(user__username=username)
        except ValueError:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        except ObjectDoesNotExist:
            return Response(status=status.HTTP_404_NOT_FOUND)

        # Self-access is decided by username equality, otherwise by "pay"
        is_self = person.user.username == request.user.username
        if not (is_self or has_permission("pay", request)):
            return Response(status=status.HTTP_403_FORBIDDEN)

        return Response({'user': person.to_dict()})
示例#16
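    def destroy(self, request, pk, **kwargs):
        """
        Delete the comment with the provided ID

        Allowed for the comment's author and for holders of the ``admin``
        permission. Responds 400 for a non-numeric ID, 404 for an unknown
        one and 403 for any other caller.

        :param request:     HTTP request
        :param pk:          Comment ID to delete
        """
        # Retrieve comment
        try:
            c = Comment.objects.get(id=int(pk))
        except ValueError:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        except ObjectDoesNotExist:
            return Response(status=status.HTTP_404_NOT_FOUND)

        # Check if user is eligible to destroy it. Compare by value: ``is``
        # tests object identity, and the author loaded with the comment is a
        # different object from ``request.user`` even for the same account,
        # so the author branch could never match.
        # NOTE(review): confirm that ``Comment.author`` has the same model
        # type as ``request.user``; if it is a profile object the comparison
        # has to go through that profile's user.
        if c.author == request.user or has_permission("admin", request):
            c.delete()
            return Response(status=status.HTTP_200_OK)

        # If not, 403
        return Response(status=status.HTTP_403_FORBIDDEN)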
示例#17
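    def destroy(self, request, pk, **kwargs):
        """
        Delete the comment with the provided ID

        Only the author of the comment or a holder of the ``admin``
        permission may delete it. A non-numeric ID gives 400, an unknown ID
        404, and an unauthorised caller 403.

        :param request:     HTTP request
        :param pk:          Comment ID to delete
        """
        # Retrieve comment
        try:
            c = Comment.objects.get(id=int(pk))
        except ValueError:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        except ObjectDoesNotExist:
            return Response(status=status.HTTP_404_NOT_FOUND)

        # Equality, not identity: two separately loaded objects for the same
        # account are never the same Python object, so ``is`` left this
        # branch unreachable for authors.
        # NOTE(review): verify the type of ``Comment.author``; should it be a
        # profile rather than a user, compare its user with ``request.user``.
        is_author = c.author == request.user
        if is_author or has_permission("admin", request):
            c.delete()
            return Response(status=status.HTTP_200_OK)

        # If not, 403
        return Response(status=status.HTTP_403_FORBIDDEN)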
示例#18
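def confirm_expense(request, pk):
    """
    Mark an expense as confirmed by the requesting user and log a comment.

    Only POST is accepted (anything else is a 404) and the caller needs the
    ``confirm`` permission. On success the expense gets ``confirmed_by`` and
    ``confirmed_at`` set, a confirmation comment is stored, and the caller is
    redirected to ``admin-confirm``.

    :param request:     HTTP request
    :param pk:          Primary key of the expense to confirm
    """
    if request.method != 'POST':
        raise Http404()

    # Authorise before the lookup: with the check after it, an unauthorised
    # caller could tell existing ids (403) from missing ones (404).
    if not dauth.has_permission('confirm', request):
        return HttpResponseForbidden("Du har inte rättigheterna för att se den här sidan")

    try:
        expense = Expense.objects.get(pk=pk)

        # NOTE(review): an already confirmed expense is overwritten with the
        # new confirmer and date - confirm that this is intended.
        expense.confirmed_by = request.user
        expense.confirmed_at = date.today()
        expense.save()

        comment = Comment(
            expense=expense,
            author=request.user.profile,
            content='Jag bekräftar att kvittot finns i pärmen.'
        )
        comment.save()

        return HttpResponseRedirect(reverse('admin-confirm'))
    except ObjectDoesNotExist:
        raise Http404("Utlägget finns inte")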
示例#19
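def confirm_expense(request, pk):
    """
    Confirm an expense on behalf of the requesting user.

    Accepts POST only; other methods get a 404. The caller must hold the
    ``confirm`` permission. The expense is stamped with the confirming user
    and today's date, a confirmation comment is saved, and the response
    redirects to ``admin-confirm``.

    :param request:     HTTP request
    :param pk:          Primary key of the expense to confirm
    """
    if request.method != 'POST':
        raise Http404()

    # The permission check comes before the database lookup so that callers
    # without the permission always get 403, whether or not the id exists.
    allowed = dauth.has_permission('confirm', request)
    if not allowed:
        return HttpResponseForbidden("Du har inte rättigheterna för att se den här sidan")

    try:
        expense = Expense.objects.get(pk=pk)

        # NOTE(review): there is no guard against confirming twice; a second
        # confirmation replaces the stored confirmer and date.
        expense.confirmed_by = request.user
        expense.confirmed_at = date.today()
        expense.save()

        comment = Comment(
            expense=expense,
            author=request.user.profile,
            content='Jag bekräftar att kvittot finns i pärmen.'
        )
        comment.save()

        return HttpResponseRedirect(reverse('admin-confirm'))
    except ObjectDoesNotExist:
        raise Http404("Utlägget finns inte")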
示例#20
文件: user.py 项目: bullfest/cashflow
def may_view_user(request, user_to_view):
    """
    Tell whether the requesting user may view another user.

    Allowed when the requester is that user, holds the ``pay`` permission,
    or has a non-empty ``may_account()`` result on their profile.

    :param request:         HTTP request carrying the user to check
    :param user_to_view:    User whose data would be shown
    """
    # Each check runs only if the previous one was falsy, and a truthy
    # result is returned as-is, exactly like the chained ``or``.
    is_self = request.user == user_to_view
    if is_self:
        return is_self

    can_pay = has_permission('pay', request)
    if can_pay:
        return can_pay

    return len(request.user.profile.may_account()) > 0