Merge 01d515c07f into 61ea1f54d2

Update psycopg2-binary requirement
Updates the requirements on [psycopg2-binary](https://github.com/psycopg/psycopg2) to permit the latest version. - [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS) - [Commits](https://github.com/psycopg/psycopg2/compare/2.9.6...2.9.10) --- updated-dependencies: - dependency-name: psycopg2-binary dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
2025-05-14 16:31:49 +02:00 · 2024-12-23 21:26:17 +01:00 · 2024-12-23 21:26:07 +01:00 · 2024-12-23 21:24:04 +01:00 · 2024-12-23 21:23:54 +01:00 · 2024-12-23 21:23:33 +01:00
6 changed files with 166 additions and 31 deletions
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@ -14,6 +14,8 @@ from wtforms.fields import (
    BooleanField,
    DateField,
    DecimalField,
+    HiddenField,
+    IntegerField,
    Label,
    PasswordField,
    SelectField,
@ -437,6 +439,22 @@ class BillForm(FlaskForm):
            raise ValidationError(msg)


+class HiddenCommaDecimalField(HiddenField, CommaDecimalField):
+    pass
+
+
+class HiddenIntegerField(HiddenField, IntegerField):
+    pass
+
+
+class SettlementForm(FlaskForm):
+    """Used internally for validation, not directly visible to users"""
+
+    amount = HiddenCommaDecimalField("Amount", validators=[DataRequired()])
+    sender_id = HiddenIntegerField("Sender", validators=[DataRequired()])
+    receiver_id = HiddenIntegerField("Receiver", validators=[DataRequired()])
+
+
 class MemberForm(FlaskForm):
    name = StringField(_("Name"), validators=[DataRequired()], filters=[strip_filter])

--- a/ihatemoney/templates/settle_bills.html
+++ b/ihatemoney/templates/settle_bills.html
@ -11,15 +11,20 @@
    <table id="bill_table" class="split_bills table table-striped">
        <thead><tr><th>{{ _("Who pays?") }}</th><th>{{ _("To whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Settled?") }}</th></tr></thead>
    <tbody>
-    {% for bill in bills %}
-    <tr receiver={{bill.receiver.id}}>
-            <td>{{ bill.ower }}</td>
-            <td>{{ bill.receiver }}</td>
-            <td>{{ bill.amount|currency }}</td>
+    {% for transaction in transactions %}
+    <tr>
+            <td>{{ transaction.ower }}</td>
+            <td>{{ transaction.receiver }}</td>
+            <td>{{ transaction.amount|currency }}</td>
            <td>
                <span id="settle-bill" class="ml-auto pb-2">
-                    <a href="{{ url_for('.settle', amount = bill.amount, ower_id = bill.ower.id, payer_id = bill.receiver.id) }}" class="btn btn-primary">
-                        {{ ("Settle") }}
+                    <form class="" action="{{ url_for(".add_settlement_bill") }}" method="POST">
+                        {{ settlement_form.csrf_token }}
+                        {{ settlement_form.amount(value=transaction.amount) }}
+                        {{ settlement_form.sender_id(value=transaction.ower.id) }}
+                        {{ settlement_form.receiver_id(value=transaction.receiver.id) }}
+                        <button class="btn btn-primary" type="submit" title="{{ _("Settle") }}">{{ _("Settle") }}</button>
+                    </form>
                    </a>
                </span>
            </td>
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -1358,23 +1358,25 @@ class TestBudget(IhatemoneyTestCase):
        count = 0
        for t in transactions:
            count += 1
-            self.client.get(
-                "/raclette/settle"
-                + "/"
-                + str(t["amount"])
-                + "/"
-                + str(t["ower"].id)
-                + "/"
-                + str(t["receiver"].id)
+            self.client.post(
+                "/raclette/settle",
+                data={
+                    "amount": t["amount"],
+                    "sender_id": t["ower"].id,
+                    "receiver_id": t["receiver"].id,
+                },
            )
            temp_transactions = project.get_transactions_to_settle_bill()
            # test if the one has disappeared
            assert len(temp_transactions) == len(transactions) - count

-            # test if theres a new one with bill_type reimbursement
+            # test if there is a new one with bill_type reimbursement
            bill = project.get_newest_bill()
            assert bill.bill_type == models.BillType.REIMBURSEMENT
-        return
+
+        # There should be no more settlement to do at the end
+        transactions = project.get_transactions_to_settle_bill()
+        assert len(transactions) == 0

    def test_settle_zero(self):
        self.post_project("raclette")
@ -1463,6 +1465,78 @@ class TestBudget(IhatemoneyTestCase):
        # Create and log in as another project
        self.post_project("tartiflette")

+        # Add a participant in this second project
+        self.client.post("/tartiflette/members/add", data={"name": "pirate"})
+        pirate = models.Person.query.filter(models.Person.id == 5).one()
+        assert pirate.name == "pirate"
+
+        # Try to add a new bill in another project
+        self.client.post(
+            "/raclette/add",
+            data={
+                "date": "2017-01-01",
+                "what": "fromage frelaté",
+                "payer": 2,
+                "payed_for": [2, 3, 4],
+                "bill_type": "Expense",
+                "amount": "100.0",
+            },
+        )
+        # Ensure it has not been created
+        raclette = self.get_project("raclette")
+        assert raclette.get_bills().count() == 1
+
+        # Try to add a new bill in our project that references members of another project.
+        # First with invalid payed_for IDs.
+        self.client.post(
+            "/tartiflette/add",
+            data={
+                "date": "2017-01-01",
+                "what": "soupe",
+                "payer": 5,
+                "payed_for": [3],
+                "bill_type": "Expense",
+                "amount": "5000.0",
+            },
+        )
+        # Ensure it has not been created
+        piratebill = models.Bill.query.filter(models.Bill.what == "soupe").one_or_none()
+        assert piratebill is None, "piratebill 1 should not exist"
+
+        # Then with invalid payer ID
+        self.client.post(
+            "/tartiflette/add",
+            data={
+                "date": "2017-02-01",
+                "what": "pain",
+                "payer": 3,
+                "payed_for": [5],
+                "bill_type": "Expense",
+                "amount": "5000.0",
+            },
+        )
+        # Ensure it has not been created
+        piratebill = models.Bill.query.filter(models.Bill.what == "pain").one_or_none()
+        assert piratebill is None, "piratebill 2 should not exist"
+
+        # Make sure we can actually create valid bills
+        self.client.post(
+            "/tartiflette/add",
+            data={
+                "date": "2017-03-01",
+                "what": "baguette",
+                "payer": 5,
+                "payed_for": [5],
+                "bill_type": "Expense",
+                "amount": "5.0",
+            },
+        )
+        # Ensure it has been created
+        okbill = models.Bill.query.filter(models.Bill.what == "baguette").one_or_none()
+        assert okbill is not None, "Bill baguette should exist"
+        assert okbill.what == "baguette"
+
+        # Now try to access and modify existing bills
        modified_bill = {
            "date": "2018-12-31",
            "what": "roblochon",
@ -1556,6 +1630,24 @@ class TestBudget(IhatemoneyTestCase):
        member = models.Person.query.filter(models.Person.id == 1).one_or_none()
        assert member is None

+        # test new settle endpoint to add bills with wrong payer / payed_for
+        self.client.post("/exit")
+        self.client.post(
+            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
+        )
+        self.client.post(
+            "/tartiflette/settle",
+            data={
+                "sender_id": 4,
+                "receiver_id": 5,
+                "amount": "42.0",
+            },
+        )
+        piratebill = models.Bill.query.filter(
+            models.Bill.bill_type == models.BillType.REIMBURSEMENT
+        ).one_or_none()
+        assert piratebill is None, "piratebill 3 should not exist"
+
    @pytest.mark.skip(reason="Currency conversion is broken")
    def test_currency_switch(self):
        # A project should be editable
--- a/ihatemoney/utils.py
+++ b/ihatemoney/utils.py
@ -452,7 +452,9 @@ def format_form_errors(form, prefix):
        )
    else:
        error_list = "</li><li>".join(
-            str(error) for (field, errors) in form.errors.items() for error in errors
+            f"<strong>{field}</strong> {error}"
+            for (field, errors) in form.errors.items()
+            for error in errors
        )
        errors = f"<ul><li>{error_list}</li></ul>"
        # I18N: Form error with a list of errors
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -56,6 +56,7 @@ from ihatemoney.forms import (
    ProjectForm,
    ProjectFormWithCaptcha,
    ResetPasswordForm,
+    SettlementForm,
    get_billform_for,
 )
 from ihatemoney.history import get_history, get_history_queries, purge_history
@ -852,24 +853,41 @@ def change_lang(lang):
@main.route("/<project_id>/settle_bills")
 def settle_bill():
    """Compute the sum each one have to pay to each other and display it"""
-    bills = g.project.get_transactions_to_settle_bill()
-    return render_template("settle_bills.html", bills=bills, current_view="settle_bill")
+    transactions = g.project.get_transactions_to_settle_bill()
+    settlement_form = SettlementForm()
+    return render_template(
+        "settle_bills.html",
+        transactions=transactions,
+        settlement_form=settlement_form,
+        current_view="settle_bill",
+    )


-@main.route("/<project_id>/settle/<amount>/<int:ower_id>/<int:payer_id>")
-def settle(amount, ower_id, payer_id):
-    new_reinbursement = Bill(
-        amount=float(amount),
+@main.route("/<project_id>/settle", methods=["POST"])
+def add_settlement_bill():
+    """Create a bill to register a settlement"""
+    form = SettlementForm(id=g.project.id)
+    if not form.validate():
+        flash(
+            format_form_errors(form, _("Error creating settlement bill")),
+            category="danger",
+        )
+        return redirect(url_for(".settle_bill"))
+
+    # TODO: check that sender and receiver ID are valid and part of this project
+
+    settlement = Bill(
+        amount=form.amount.data,
        date=datetime.datetime.today(),
-        owers=[Person.query.get(payer_id)],
-        payer_id=ower_id,
+        owers=[Person.query.get(form.receiver_id.data)],
+        payer_id=form.sender_id.data,
        project_default_currency=g.project.default_currency,
        bill_type=BillType.REIMBURSEMENT,
        what=_("Settlement"),
    )
    session.update()

-    db.session.add(new_reinbursement)
+    db.session.add(settlement)
    db.session.commit()

    flash(_("Settlement bill has been successfully added"), category="success")
--- a/pyproject.toml
+++ b/pyproject.toml
@ -27,7 +27,7 @@ classifiers = [

 dependencies = [
    "blinker>=1.4,<2",
-    "cachetools>=4.1,<5",
+    "cachetools>=4.1,<6",
    "debts>=0.5,<1",
    "email_validator>=1.0,<3",
    "Flask>=2,<4",
@ -43,7 +43,7 @@ dependencies = [
    "itsdangerous>=2,<3",
    "Jinja2>=3,<4",
    "python-dateutil",
-    "qrcode>=7.1,<8",
+    "qrcode>=7.1,<9",
    "requests>=2.25,<3",
    "SQLAlchemy>=1.3.0,<1.5",
    "SQLAlchemy-Continuum>=1.3.12,<2", # New 1.4 changes API, see #728
@ -53,11 +53,11 @@ dependencies = [
 [project.optional-dependencies]
 database = [
    # Python 3.11 support starts in 2.9.2
-    "psycopg2-binary>=2.9.2,<2.9.9",
+    "psycopg2-binary>=2.9.2,<2.9.11",
    "PyMySQL>=0.9,<1.2",
 ]
 dev = [
-    "ruff==0.6.8",
+    "ruff==0.8.4",
    "flake8==5.0.4",
    "isort==5.11.5",
    "vermin==1.6.0",
Author	SHA1	Message	Date
zorun	34d5a0032c	Merge `01d515c07f` into `61ea1f54d2`	2024-12-23 21:26:17 +01:00
dependabot[bot]	61ea1f54d2	Update psycopg2-binary requirement Some checks are pending CI / lint (push) Waiting to run Details CI / test (mariadb, minimal, 3.11) (push) Blocked by required conditions Details CI / test (mariadb, normal, 3.11) (push) Blocked by required conditions Details CI / test (mariadb, normal, 3.9) (push) Blocked by required conditions Details CI / test (postgresql, minimal, 3.11) (push) Blocked by required conditions Details CI / test (postgresql, normal, 3.11) (push) Blocked by required conditions Details CI / test (postgresql, normal, 3.9) (push) Blocked by required conditions Details CI / test (sqlite, minimal, 3.10) (push) Blocked by required conditions Details CI / test (sqlite, minimal, 3.11) (push) Blocked by required conditions Details CI / test (sqlite, minimal, 3.12) (push) Blocked by required conditions Details CI / test (sqlite, minimal, 3.9) (push) Blocked by required conditions Details CI / test (sqlite, normal, 3.10) (push) Blocked by required conditions Details CI / test (sqlite, normal, 3.11) (push) Blocked by required conditions Details CI / test (sqlite, normal, 3.12) (push) Blocked by required conditions Details CI / test (sqlite, normal, 3.8) (push) Blocked by required conditions Details CI / test (sqlite, normal, 3.9) (push) Blocked by required conditions Details CI / docs (push) Waiting to run Details Docker build / test (push) Waiting to run Details Docker build / build_upload (push) Blocked by required conditions Details Updates the requirements on [psycopg2-binary](https://github.com/psycopg/psycopg2) to permit the latest version. - [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS) - [Commits](https://github.com/psycopg/psycopg2/compare/2.9.6...2.9.10) --- updated-dependencies: - dependency-name: psycopg2-binary dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-23 21:26:07 +01:00
dependabot[bot]	299c384908	Bump ruff from 0.6.8 to 0.8.4 Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.8 to 0.8.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.8...0.8.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-23 21:24:04 +01:00
dependabot[bot]	4e9ff9b1ac	Update qrcode requirement from <8,>=7.1 to >=7.1,<9 Updates the requirements on [qrcode](https://github.com/lincolnloop/python-qrcode) to permit the latest version. - [Changelog](https://github.com/lincolnloop/python-qrcode/blob/main/CHANGES.rst) - [Commits](https://github.com/lincolnloop/python-qrcode/compare/v7.1...v8.0) --- updated-dependencies: - dependency-name: qrcode dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-23 21:23:54 +01:00
dependabot[bot]	2aa410c68f	Update cachetools requirement from <5,>=4.1 to >=4.1,<6 Updates the requirements on [cachetools](https://github.com/tkem/cachetools) to permit the latest version. - [Changelog](https://github.com/tkem/cachetools/blob/master/CHANGELOG.rst) - [Commits](https://github.com/tkem/cachetools/compare/v4.1.0...v5.5.0) --- updated-dependencies: - dependency-name: cachetools dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-23 21:23:33 +01:00
Baptiste Jonglez	01d515c07f	Add security-related test to the new settle endpoint	2024-03-31 19:55:43 +02:00
Baptiste Jonglez	9a848588c8	tests: add more validation against cross-project access	2024-03-31 19:55:43 +02:00
Baptiste Jonglez	278a976501	Change settle endpoint to use POST instead of GET This is necessary to avoid XSS. State-changing actions should never be done with a GET.	2024-03-31 19:55:43 +02:00
Baptiste Jonglez	b09b9c1629	utils: improve error message when form field validation fails	2024-03-31 19:55:43 +02:00
Baptiste Jonglez	9b01f69e5c	settle_bills: fix HTML	2024-03-31 19:55:43 +02:00
Baptiste Jonglez	d6291a97e6	Settlement: rename variables to make the code more understandable	2024-03-31 19:55:40 +02:00