* Bill types added in Bill and Project Model, Implemented in BillForm
* import and export bill feature updated with bill type, tests modified to reflect the behavior
* eliminating unnecessary bill type
* typo fixed, test cases fixed for the current bill types
* button added
* settle button added
* new changes
* test cases added
* bchen-reimbursement
* tests for different bill types
* test cases fixed
* fixed reimbursement test case
* Replaced assertEqual with assert
* Fixed missing bill_type in unit tests
* Removed commented code
* Reverted unnecessary string edit
* Changed bill_type to an Enum
* Added test checking correct bill_type validation
* Fixed billtype displaying in all caps
* Removed 'Transfer' bill type
* Added migration rule and set default bill_type in alembic
* bill_type is now an optional parameter in the BillForm
* Use enum name instead of value as SQL server_default
SQLAlchemy uses the Enum names in the database, as the values could be
generic python objects.
https://docs.sqlalchemy.org/en/20/core/type_basics.html#sqlalchemy.types.Enum
* Removed bill type from the Bills html table
* Replaced string bill type with enum
* Made "Settlement" translatable
* Manually handle the new Enum creation
Alembic does not handle postgres Enums correctly, so we need to manually
generate the new enum type.
See https://github.com/sqlalchemy/alembic/issues/278
---------
Co-authored-by: Ruitao Li <ruital@andrew.cmu.edu>
Co-authored-by: MelodyZhangYiqun <98992024+MelodyZhangYiqun@users.noreply.github.com>
Co-authored-by: Ruitao Li <49292515+FlowingCloudRTL@users.noreply.github.com>
Co-authored-by: MelodyZhangYiqun <yiqunz@andrew.cmu.edu>
Co-authored-by: Brandan Chen <bychen@andrew.cmu.edu>
Co-authored-by: Emilie Zhou <54161959+ez157@users.noreply.github.com>
Co-authored-by: Tom <tom.roussel@esat.kuleuven.be>
* hotfix: hardcode list of currencies to workaround failing API calls
See https://github.com/spiral-project/ihatemoney/issues/1232 for a discussion on currencies
* Temporarily disable some currency operations to prevent crashes
Here is what is disabled:
- setting or changing the default currency on an existing project
- adding or editing a bill with a currency that differs from the default
currency of the project
---------
Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
- replace setUp/tearDown with pytest fixtures
- rename test classes to use the pytest convention
- use pytest assertions
Co-authored-by: Glandos <bugs-github@antipoul.fr>
Adds two configuration parameters that are passed to
generate_password_hash:
- PASSWORD_HASH_METHOD
- PASSWORD_HASH_SALT_LENGTH
The unit tests use high-speed low-security values and
gain 50% speed.
Also move the "invitation link" option first, because it's the preferred
way to give access to people that only need to handle participants and
bills.
Sharing the identifier and private becomes the last option, because it
gives full access to changing settings.
This is something we had documented in our security documentation [1], but
we didn't actually do it...
As mentioned in [1], this has good security properties: you can invite
somebody with an invitation link, and they will be able to access the
project but not change the private code (because they don't know the
current private code).
This new check also applies to all other settings (email address, history
settings, currency), which is desirable. Only somebody with knowledge of
the private code can now change these settings.
[1] https://ihatemoney.readthedocs.io/en/latest/security.html#giving-access-to-a-project
`self.assertTrue(200, resp.status_code)` style are always True
and thus are useless. It looks like the original author wanted
`self.assertEqual` there instead.
Bills with an amount of zero may be useful to remember that a transaction
happened on a specific date, while the amount doesn't matter.
I use that with per-year projects when a reimbursement happens in year N
but is relative to year N-1: I record it with an amount of zero in the
project of year N, and with the real amount in the project of year N-1.
Besides, it's already possible to create such bills: while "0" is refused,
"0.0" is accepted. There are no visible issues with this kind of bills.
This is only needed for unsecure spreadsheet applications (hi Google Docs and MS Excel) that load formulae by default.
See https://owasp.org/www-community/attacks/CSV_Injection for some mitigation explanation. This is not complete, but it should be OK for now.
* get weight sum along with bills to scale
otherwise, we need to get the weight sum for each displayed bill.
Here, we are much more scalable
* add test
* format
* remove unused import
* oops, restore pagination to 100
* add comments
* format
* rename method to make it clearer
And also, make it static, since it doesn't rely on instance.
* improve comments and naming
* improve naming
* missing article
* Change the way we import datetime
This makes it easier to use datetime.date later.
* Display monthly statistics for the range of months where the project was active
Currently, we display a hard-coded "one year" range of monthly statistics
starting from today. This generally is not the intended behaviour: for
instance, on an archived project, the bills might all be older than one
year, so the table only displays months without any operation.
Instead, display all months between the first and last bills. There might
be empty months in the middle, but that's intended, because we want all
months to be consecutive.
If there are no bills, simply display an empty table.
Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
* Do not require a captcha when using the API
This was trickier than expected, due to some side effects : when the
captcha is set to `True` via configuration, it doesn't change the
behavior directly of the ProjectForm class, but does so only when the
project form is used in the `web.py` module.
So, when just using the API (and not using the web.py module, for
instance during tests — manual or functional), no problem was shown,
and everything was working properly.
But at soon as somebody sees the "/" endpoint, the captcha was
required, by both the API and the `web.py` module.
This fixes it by adding a way to bypass the captcha with a new
`bypass_captcha` property on the form.
Prior to this commit, things were done by activating or deactivating a
"captcha" property on the class on-the-fly, which caused side-effects.
This is now using subclasses, which makes the code simpler to
understand, and less prone to side-effects.
Thanks @zorun for the idea.
