Test that the users belong the project before settling

2025-04-28 17:32:38 +02:00 · 2025-01-05 19:47:53 +01:00 · 2025-01-05 19:47:53 +01:00 · 2ec8924e4c
commit 2ec8924e4c
parent 87112ec9d1
3 changed files with 16 additions and 7 deletions
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@ -447,6 +447,10 @@ class Project(db.Model):
            db.session.commit()
        return person

+    def has_member(self, member_id):
+        person = Person.query.get(member_id, self)
+        return person is not None
+
    def remove_project(self):
        # We can't import at top level without circular dependencies
        from ihatemoney.history import purge_history
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -1470,8 +1470,8 @@ class TestBudget(IhatemoneyTestCase):
        pirate = models.Person.query.filter(models.Person.id == 5).one()
        assert pirate.name == "pirate"

-        # Try to add a new bill in another project
-        self.client.post(
+        # Try to add a new bill to another project
+        resp = self.client.post(
            "/raclette/add",
            data={
                "date": "2017-01-01",
@ -1488,7 +1488,7 @@ class TestBudget(IhatemoneyTestCase):

        # Try to add a new bill in our project that references members of another project.
        # First with invalid payed_for IDs.
-        self.client.post(
+        resp = self.client.post(
            "/tartiflette/add",
            data={
                "date": "2017-01-01",
@ -1630,7 +1630,7 @@ class TestBudget(IhatemoneyTestCase):
        member = models.Person.query.filter(models.Person.id == 1).one_or_none()
        assert member is None

-        # test new settle endpoint to add bills with wrong payer / payed_for
+        # test new settle endpoint to add bills with wrong ids
        self.client.post("/exit")
        self.client.post(
            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -874,13 +874,18 @@ def add_settlement_bill():
        )
        return redirect(url_for(".settle_bill"))

-    # TODO: check that sender and receiver ID are valid and part of this project
+    # Ensure that the sender and receiver ID are valid and part of this project
+    receiver_id = form.receiver_id.data
+    sender_id = form.sender_id.data
+
+    if not g.project.has_member(sender_id):
+        return redirect(url_for(".settle_bill"))

    settlement = Bill(
        amount=form.amount.data,
        date=datetime.datetime.today(),
-        owers=[Person.query.get(form.receiver_id.data)],
-        payer_id=form.sender_id.data,
+        owers=[Person.query.get(receiver_id, g.project)],
+        payer_id=sender_id,
        project_default_currency=g.project.default_currency,
        bill_type=BillType.REIMBURSEMENT,
        what=_("Settlement"),