Change payment processing to use POST requests

889ea468 · Sébastiaan Versteeg · 31d1b812 · 889ea468 · 889ea468 · 889ea468
Verified Commit 889ea468 authored Aug 28, 2018 by Sébastiaan Versteeg
5 changed files
--- a/website/payments/static/admin/payments/js/payments.js
+++ b/website/payments/static/admin/payments/js/payments.js
+django.jQuery(function () {
+    var $ = django.jQuery;
+    $(".payments-row a").click(function(e) {
+        e.preventDefault();
+        var type = $(e.target).data('type');
+        var href = $(e.target).data('href');
+        var form = $('<form></form>');
+        form.attr("method", "post");
+        form.attr("action", href);
+
+        var field = $('<input/>');
+        field.attr("type", "hidden");
+        field.attr("name", 'type');
+        field.attr("value", type);
+        form.append(field);
+
+        var csrf = $('<input/>');
+        csrf.attr("type", "hidden");
+        csrf.attr("name", 'csrfmiddlewaretoken');
+        csrf.attr("value", $("input[name='csrfmiddlewaretoken']").val());
+        form.append(csrf);
+
+        $(document.body).append(form);
+        form.submit();
+    });
+});
--- a/website/payments/templates/admin/payments/change_form.html
+++ b/website/payments/templates/admin/payments/change_form.html
@@ -6,11 +6,16 @@
    {% compress css %}<link rel="stylesheet" type="text/x-scss" href="{% static 'admin/payments/css/forms.scss' %}" />{% endcompress %}
 {% endblock %}

+{% block extrahead %}
+    {{ block.super }}
+    <script type="text/javascript" src="{% static 'admin/payments/js/payments.js' %}"></script>
+{% endblock %}
+
 {% block submit_buttons_bottom %}
    {% if payment %}
    <div class="submit-row payments-row">
-        <a href="{% url 'payments:admin-process' pk=payment.pk type='cash_payment' %}" class="button process">{% trans "Process (cash payment)" %}</a>
-        <a href="{% url 'payments:admin-process' pk=payment.pk type='card_payment' %}" class="button process">{% trans "Process (card payment)" %}</a>
+        <a data-href="{% url 'payments:admin-process' pk=payment.pk %}" data-type="cash_payment" class="button process">{% trans "Process (cash payment)" %}</a>
+        <a data-href="{% url 'payments:admin-process' pk=payment.pk %}" data-type="card_payment" class="button process">{% trans "Process (card payment)" %}</a>
    </div>
    {% endif %}


--- a/website/payments/tests/test_views.py
+++ b/website/payments/tests/test_views.py
@@ -41,16 +41,20 @@ class PaymentAdminViewTest(TestCase):
        self.client.force_login(self.user)

    def test_permissions(self):
-        url = '/payment/admin/process/{}/cash_payment/'.format(
+        url = '/payment/admin/process/{}/'.format(
            self.payment.pk)
-        response = self.client.get(url)
+        response = self.client.post(url, {
+            'type': 'cash_payment',
+        })
        self.assertRedirects(response, '/admin/login/?next=%s' % url)

        self._give_user_permissions()

-        url = '/payment/admin/process/{}/cash_payment/'.format(
+        url = '/payment/admin/process/{}/'.format(
            self.payment.pk)
-        response = self.client.get(url)
+        response = self.client.post(url, {
+            'type': 'cash_payment',
+        })
        self.assertRedirects(
            response,
            '/admin/payments/payment/%s/change/' % self.payment.pk
@@ -59,7 +63,7 @@ class PaymentAdminViewTest(TestCase):
    @mock.patch('django.contrib.messages.error')
    @mock.patch('django.contrib.messages.success')
    @mock.patch('payments.services.process_payment')
-    def test_get(self, process_payment, messages_success, messages_error):
+    def test_post(self, process_payment, messages_success, messages_error):
        process_payment.return_value = [self.payment]
        payment_qs = Payment.objects.filter(pk=self.payment.pk)

@@ -69,28 +73,48 @@ class PaymentAdminViewTest(TestCase):

            self._give_user_permissions()

-            type = 'cash_payment'
-            response = self.client.get('/payment/admin/process/{}/{}/'
-                                       .format(self.payment.pk, type))
-
-            self.assertEqual(response.status_code, 302)
-            self.assertEqual(
-                response.url,
-                '/admin/payments/payment/%s/change/' % self.payment.pk
-            )
-
-            process_payment.assert_called_once_with(payment_qs, type)
-
-            messages_success.assert_called_once_with(
-                response.wsgi_request, _('Successfully processed %s.') %
-                model_ngettext(self.payment, 1)
-            )
-
-            process_payment.return_value = []
-            response = self.client.get('/payment/admin/process/{}/{}/'
-                                       .format(self.payment.pk, type))
-
-            messages_error.assert_called_once_with(
-                response.wsgi_request, _('Could not process %s.') %
-                model_ngettext(self.payment, 1)
-            )
+            with self.subTest('Send post without payload'):
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk))
+
+                self.assertEqual(response.status_code, 302)
+                self.assertEqual(
+                    response.url,
+                    '/admin/payments/payment/%s/change/' % self.payment.pk
+                )
+
+                process_payment.assert_not_called()
+                messages_error.assert_not_called()
+                messages_success.assert_not_called()
+
+            with self.subTest('Send post with successful processing'):
+                payment_type = 'cash_payment'
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk), {
+                                                'type': payment_type,
+                                            })
+
+                self.assertEqual(response.status_code, 302)
+                self.assertEqual(
+                    response.url,
+                    '/admin/payments/payment/%s/change/' % self.payment.pk
+                )
+
+                process_payment.assert_called_once_with(payment_qs, payment_type)
+
+                messages_success.assert_called_once_with(
+                    response.wsgi_request, _('Successfully processed %s.') %
+                                           model_ngettext(self.payment, 1)
+                )
+
+            with self.subTest('Send post with failed processing'):
+                process_payment.return_value = []
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk), {
+                                                'type': payment_type,
+                                            })
+
+                messages_error.assert_called_once_with(
+                    response.wsgi_request, _('Could not process %s.') %
+                                           model_ngettext(self.payment, 1)
+                )
--- a/website/payments/urls.py
+++ b/website/payments/urls.py
@@ -6,6 +6,6 @@ from .views import PaymentAdminView
 app_name = 'payments'

 urlpatterns = [
-    path('admin/process/<uuid:pk>/<type>/',
+    path('admin/process/<uuid:pk>/',
         PaymentAdminView.as_view(), name='admin-process'),
 ]
--- a/website/payments/views.py
+++ b/website/payments/views.py
@@ -19,10 +19,14 @@ class PaymentAdminView(View):
    """
    View that processes a payment
    """
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
        payment = Payment.objects.filter(pk=kwargs['pk'])
+
+        if not ('type' in request.POST):
+            return redirect('admin:payments_payment_change', kwargs['pk'])
+
        result = services.process_payment(
-            payment, kwargs['type']
+            payment, request.POST['type']
        )

        if len(result) > 0: