added XSRF protection to all forms and associated tests

[bluechips.git] / bluechips / controllers / spend.py
diff --git a/bluechips/controllers/spend.py b/bluechips/controllers/spend.py

index 45db96de46c90cd91907803d3c96fa708276ad76..098ac270ceaad3ca0684a6973d7353f1a3097fda 100644 (file)
--- a/bluechips/controllers/spend.py
+++ b/bluechips/controllers/spend.py
@@ -9,13 +9,14 @@ from decimal import Decimal, InvalidOperation
  from bluechips.lib.base import *
  
  from pylons import request, app_globals as g
-from pylons.decorators.rest import dispatch_on
  from pylons.decorators import validate
+from pylons.decorators.secure import authenticate_form
  from pylons.controllers.util import abort
  
  from formencode import validators, Schema
  from formencode.foreach import ForEach
  from formencode.variabledecode import NestedVariables
+from formencode.schema import SimpleFormValidator
  
  from mailer import Message
  
@@ -29,6 +30,12 @@ class ShareSchema(Schema):
      amount = validators.Number(not_empty=True)
  
  
+def validate_state(value_dict, state, validator):
+    if all(s['amount'] == 0 for s in value_dict['shares']):
+        return {'shares-0.amount': 'Need at least one non-zero share'}
+ValidateNotAllZero = SimpleFormValidator(validate_state)
+
+
  class ExpenditureSchema(Schema):
      "Validate an expenditure."
      allow_extra_fields = False
@@ -38,6 +45,7 @@ class ExpenditureSchema(Schema):
      description = validators.UnicodeString()
      date = validators.DateConverter()
      shares = ForEach(ShareSchema)
+    chained_validators = [ValidateNotAllZero]
      
  
  class SpendController(BaseController):
@@ -57,18 +65,33 @@ class SpendController(BaseController):
              c.values = {}
              for ii, user_row in enumerate(c.users):
                  user_id, user = user_row
+                val = 0
                  if user.resident:
                      val = Decimal(100) / Decimal(num_residents)
-                else:
-                    val = 0
                  c.values['shares-%d.amount' % ii] = val
          else:
              c.title = 'Edit an Expenditure'
              c.expenditure = meta.Session.query(model.Expenditure).get(id)
              if c.expenditure is None:
                  abort(404)
+            c.values = {}
+            for ii, user_row in enumerate(c.users):
+                user_id, user = user_row
+                shares_by_user = dict(((sp.user, sp.share) for sp
+                                       in c.expenditure.splits))
+                share = shares_by_user.get(user, 0)
+                if c.expenditure.amount == 0:
+                    percent = 0
+                else:
+                    percent = (Decimal(100) * Decimal(int(share)) /
+                               Decimal(int(c.expenditure.amount))).\
+                            quantize(Decimal("0.001"))
+                c.values['shares-%d.amount' % ii] = percent
+
          return render('/spend/index.mako')
  
+    @redirect_on_get('edit')
+    @authenticate_form
      @validate(schema=ExpenditureSchema(), form='edit', variable_decode=True)
      def update(self, id=None):
          # Either create a new object, or, if we're editing, get the
@@ -86,8 +109,6 @@ class SpendController(BaseController):
          # Set the fields that were submitted
          shares = self.form_result.pop('shares')
          update_sar(e, self.form_result)
-        if e.id is not None:
-            e.update_split()
  
          users = dict(meta.Session.query(model.User.id, model.User).all())
          split_dict = {}