Do not allow the edition of bills involving deactivated users

This is also true for deletion. Once a user is deactivated, all the related bills shouldn't be able to move.
2025-04-28 17:32:38 +02:00 · 2022-12-10 16:57:17 -05:00 · 2022-12-10 16:57:17 -05:00 · 1621a45336
commit 1621a45336
parent bd689f931a
4 changed files with 154 additions and 2 deletions
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@ -752,6 +752,22 @@ class Bill(db.Model):
        else:
            return 0
    @property
    def involves_deactivated_members(self):
        """Check whether the bill contains deactivated member.
        Return:
        True if it contains deactivated member,
        False if not.
        """
        owers_id = [int(m.id) for m in self.owers]
        bill_members = owers_id + [self.payer_id]
        deactivated_members_count = (
            Person.query.filter(Person.id.in_(bill_members))
            .filter(Person.activated.is_(False))
            .count()
        )
        return deactivated_member_count != 0
    def __str__(self):
        return self.what
--- a/ihatemoney/templates/list_bills.html
+++ b/ihatemoney/templates/list_bills.html
@ -148,10 +148,22 @@
                    </span>
                </td>
                <td class="bill-actions d-flex align-items-center">
-                    <a class="edit" href="{{ url_for(".edit_bill", bill_id=bill.id) }}" title="{{ _("edit") }}">{{ _('edit') }}</a>
+                    <a class="edit" href="{{ url_for(".edit_bill", bill_id=bill.id) }}" data-toggle="tooltip"
                        {% if bill.involves_deactivated_members %}
                            title="Cannot be edited as deactivated members involved"
                        {% else %}
                            title="Click to edit this bill"
                        {% endif %}
                    >{{ _('edit') }}</a>
                    <form class="delete-bill" action="{{ url_for(".delete_bill", bill_id=bill.id) }}" method="POST">
                        {{ csrf_form.csrf_token }}
-                        <button class="action delete" type="submit" title="{{ _("delete") }}"></button>
+                        <button class="action delete" type="submit" data-toggle="tooltip"
                            {% if bill.involves_deactivated_members %}
                                title="Cannot be deleted as deactivated members involved"
                            {% else %}
                                title="Click to delete this bill"
                            {% endif %}
                        ></button>
                    </form>
                    {% if bill.external_link %}
                    <a class="show" href="{{ bill.external_link }}" ref="noopener" target="_blank" title="{{ _("show") }}">{{ _('show') }} </a>
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -872,6 +872,122 @@ class TestBudget(IhatemoneyTestCase):
        balance = self.get_project("raclette").balance
        assert set(balance.values()) == set([6, -6])
    def test_edit_bill_with_deactivated_member(self):
        """
        Bills involving deactivated members should not allowed to be edited or deleted.
        """
        self.post_project("raclette")
        # add two participants
        self.client.post("/raclette/members/add", data={"name": "zorglub"})
        self.client.post("/raclette/members/add", data={"name": "fred"})
        members_ids = [m.id for m in self.get_project("raclette").members]
        # create one bill
        self.client.post(
            "/raclette/add",
            data={
                "date": "2011-08-10",
                "what": "fromage à raclette",
                "payer": members_ids[0],
                "payed_for": members_ids,
                "amount": "25",
            },
        )
        bill = models.Bill.query.one()
        self.assertEqual(bill.amount, 25)
        # deactivate one user
        self.client.post(
            "/raclette/members/%s/delete" % self.get_project("raclette").members[-1].id
        )
        self.assertEqual(len(self.get_project("raclette").members), 2)
        self.assertEqual(len(self.get_project("raclette").active_members), 1)
        # editing would fail because the bill involves deactivated user
        self.client.post(
            f"/raclette/edit/{bill.id}",
            data={
                "date": "2011-08-10",
                "what": "fromage à raclette",
                "payer": members_ids[0],
                "payed_for": members_ids,
                "amount": "10",
            },
        )
        bill = models.Bill.query.one()
        self.assertNotEqual(bill.amount, 10, "bill edition")
        # reactivate the user
        self.client.post(
            "/raclette/members/%s/reactivate"
            % self.get_project("raclette").members[-1].id
        )
        self.assertEqual(len(self.get_project("raclette").active_members), 2)
        # try to edit the bill again. It should succeed
        self.client.post(
            f"/raclette/edit/{bill.id}",
            data={
                "date": "2011-08-10",
                "what": "fromage à raclette",
                "payer": members_ids[0],
                "payed_for": members_ids,
                "amount": "10",
            },
        )
        bill = models.Bill.query.one()
        self.assertEqual(bill.amount, 10, "bill edition")
    def test_delete_bill_with_deactivated_member(self):
        """
        Bills involving deactivated members should not allowed to be edited or deleted.
        """
        self.post_project("raclette")
        # add two participants
        self.client.post("/raclette/members/add", data={"name": "zorglub"})
        self.client.post("/raclette/members/add", data={"name": "fred"})
        members_ids = [m.id for m in self.get_project("raclette").members]
        # create one bill
        self.client.post(
            "/raclette/add",
            data={
                "date": "2011-08-10",
                "what": "fromage à raclette",
                "payer": members_ids[0],
                "payed_for": members_ids,
                "amount": "25",
            },
        )
        bill = models.Bill.query.one()
        self.assertEqual(bill.amount, 25)
        # deactivate one user
        self.client.post(
            "/raclette/members/%s/delete" % self.get_project("raclette").members[-1].id
        )
        self.assertEqual(len(self.get_project("raclette").active_members), 1)
        # deleting should fail because the bill involves deactivated user
        response = self.client.get(f"/raclette/delete/{bill.id}")
        self.assertEqual(response.status_code, 405)
        self.assertEqual(1, len(models.Bill.query.all()), "bill deletion")
        # reactivate the user
        self.client.post(
            "/raclette/members/%s/reactivate"
            % self.get_project("raclette").members[-1].id
        )
        self.assertEqual(len(self.get_project("raclette").active_members), 2)
        # try to delete the bill again. It should succeed
        self.client.post(f"/raclette/delete/{bill.id}")
        self.assertEqual(0, len(models.Bill.query.all()), "bill deletion")
    def test_trimmed_members(self):
        self.post_project("raclette")
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -806,6 +806,10 @@ def delete_bill(bill_id):
    if not bill:
        return redirect(url_for(".list_bills"))
    # Check if the bill contains deactivated member. If yes, stop deleting.
    if bill.involves_deactivated_members:
        return redirect(url_for(".list_bills"))
    db.session.delete(bill)
    db.session.commit()
    flash(_("The bill has been deleted"))
@ -820,6 +824,10 @@ def edit_bill(bill_id):
    if not bill:
        raise NotFound()
    # Check if the bill contains deactivated member. If yes, stop editing.
    if bill.involves_deactivated_members:
        return redirect(url_for(".list_bills"))
    form = get_billform_for(g.project, set_default=False)
    if request.method == "POST" and form.validate():