Do not allow to create negative gift cards through the API

2019-12-12 14:18:47 +01:00
parent 21be22e489
commit e67ff83378
4 changed files with 41 additions and 1 deletions
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -1,3 +1,5 @@
+from decimal import Decimal
+
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
@@ -26,7 +28,7 @@ class SeatingPlanSerializer(I18nAwareModelSerializer):


 class GiftCardSerializer(I18nAwareModelSerializer):
-    value = serializers.DecimalField(max_digits=10, decimal_places=2)
+    value = serializers.DecimalField(max_digits=10, decimal_places=2, min_value=Decimal('0.00'))

    def validate(self, data):
        data = super().validate(data)
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -1,3 +1,5 @@
+from decimal import Decimal
+
 from django.db import transaction
 from rest_framework import filters, serializers, status, viewsets
 from rest_framework.decorators import action
@@ -136,6 +138,10 @@ class GiftCardViewSet(viewsets.ModelViewSet):
        value = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
            request.data.get('value')
        )
+        if gc.value + value < Decimal('0.00'):
+            return Response({
+                'value': ['The gift card does not have sufficient credit for this operation.']
+            }, status=status.HTTP_409_CONFLICT)
        gc.transactions.create(value=value)
        gc.log_action(
            'pretix.giftcards.transaction.manual',
--- a/src/tests/api/test_giftcards.py
+++ b/src/tests/api/test_giftcards.py
@@ -99,6 +99,18 @@ def test_giftcard_patch(token_client, organizer, event, giftcard):
    assert not giftcard.testmode


+@pytest.mark.django_db
+def test_giftcard_patch_min_value(token_client, organizer, event, giftcard):
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/giftcards/{}/'.format(organizer.slug, giftcard.pk),
+        {
+            'value': '-10.00',
+        },
+        format='json'
+    )
+    assert resp.status_code == 400
+
+
@pytest.mark.django_db
 def test_giftcard_transact(token_client, organizer, event, giftcard):
    resp = token_client.post(
@@ -113,6 +125,21 @@ def test_giftcard_transact(token_client, organizer, event, giftcard):
    assert giftcard.value == Decimal('33.00')


+@pytest.mark.django_db
+def test_giftcard_transact_min_zero(token_client, organizer, event, giftcard):
+    resp = token_client.post(
+        '/api/v1/organizers/{}/giftcards/{}/transact/'.format(organizer.slug, giftcard.pk),
+        {
+            'value': '-100.00',
+        },
+        format='json'
+    )
+    assert resp.status_code == 409
+    assert resp.data == {'value': ['The gift card does not have sufficient credit for this operation.']}
+    giftcard.refresh_from_db()
+    assert giftcard.value == Decimal('23.00')
+
+
@pytest.mark.django_db
 def test_giftcard_no_deletion(token_client, organizer, event, giftcard):
    resp = token_client.delete(