Change payment processing to use POST requests

website/payments/static/admin/payments/js/payments.js

+django.jQuery(function () {
+    var $ = django.jQuery;
+    $(".payments-row a").click(function(e) {
+        e.preventDefault();
+        var type = $(e.target).data('type');
+        var href = $(e.target).data('href');
+        var form = $('<form></form>');
+        form.attr("method", "post");
+        form.attr("action", href);
+
+        var field = $('<input/>');
+        field.attr("type", "hidden");
+        field.attr("name", 'type');
+        field.attr("value", type);
+        form.append(field);
+
+        var csrf = $('<input/>');
+        csrf.attr("type", "hidden");
+        csrf.attr("name", 'csrfmiddlewaretoken');
+        csrf.attr("value", $("input[name='csrfmiddlewaretoken']").val());
+        form.append(csrf);
+
+        $(document.body).append(form);
+        form.submit();
+    });
+});

website/payments/templates/admin/payments/change_form.html

@@ -6,11 +6,16 @@
     {% compress css %}<link rel="stylesheet" type="text/x-scss" href="{% static 'admin/payments/css/forms.scss' %}" />{% endcompress %}
 {% endblock %}
 
+{% block extrahead %}
+    {{ block.super }}
+    <script type="text/javascript" src="{% static 'admin/payments/js/payments.js' %}"></script>
+{% endblock %}
+
 {% block submit_buttons_bottom %}
     {% if payment %}
     <div class="submit-row payments-row">
-        <a href="{% url 'payments:admin-process' pk=payment.pk type='cash_payment' %}" class="button process">{% trans "Process (cash payment)" %}</a>
-        <a href="{% url 'payments:admin-process' pk=payment.pk type='card_payment' %}" class="button process">{% trans "Process (card payment)" %}</a>
+        <a data-href="{% url 'payments:admin-process' pk=payment.pk %}" data-type="cash_payment" class="button process">{% trans "Process (cash payment)" %}</a>
+        <a data-href="{% url 'payments:admin-process' pk=payment.pk %}" data-type="card_payment" class="button process">{% trans "Process (card payment)" %}</a>
     </div>
     {% endif %}
 

website/payments/tests/test_views.py

@@ -41,16 +41,20 @@ class PaymentAdminViewTest(TestCase):
         self.client.force_login(self.user)
 
     def test_permissions(self):
-        url = '/payment/admin/process/{}/cash_payment/'.format(
+        url = '/payment/admin/process/{}/'.format(
             self.payment.pk)
-        response = self.client.get(url)
+        response = self.client.post(url, {
+            'type': 'cash_payment',
+        })
         self.assertRedirects(response, '/admin/login/?next=%s' % url)
 
         self._give_user_permissions()
 
-        url = '/payment/admin/process/{}/cash_payment/'.format(
+        url = '/payment/admin/process/{}/'.format(
             self.payment.pk)
-        response = self.client.get(url)
+        response = self.client.post(url, {
+            'type': 'cash_payment',
+        })
         self.assertRedirects(
             response,
             '/admin/payments/payment/%s/change/' % self.payment.pk
@@ -59,7 +63,7 @@ class PaymentAdminViewTest(TestCase):
     @mock.patch('django.contrib.messages.error')
     @mock.patch('django.contrib.messages.success')
     @mock.patch('payments.services.process_payment')
-    def test_get(self, process_payment, messages_success, messages_error):
+    def test_post(self, process_payment, messages_success, messages_error):
         process_payment.return_value = [self.payment]
         payment_qs = Payment.objects.filter(pk=self.payment.pk)
 
@@ -69,28 +73,48 @@ class PaymentAdminViewTest(TestCase):
 
             self._give_user_permissions()
 
-            type = 'cash_payment'
-            response = self.client.get('/payment/admin/process/{}/{}/'
-                                       .format(self.payment.pk, type))
-
-            self.assertEqual(response.status_code, 302)
-            self.assertEqual(
-                response.url,
-                '/admin/payments/payment/%s/change/' % self.payment.pk
-            )
-
-            process_payment.assert_called_once_with(payment_qs, type)
-
-            messages_success.assert_called_once_with(
-                response.wsgi_request, _('Successfully processed %s.') %
-                model_ngettext(self.payment, 1)
-            )
-
-            process_payment.return_value = []
-            response = self.client.get('/payment/admin/process/{}/{}/'
-                                       .format(self.payment.pk, type))
-
-            messages_error.assert_called_once_with(
-                response.wsgi_request, _('Could not process %s.') %
-                model_ngettext(self.payment, 1)
-            )
+            with self.subTest('Send post without payload'):
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk))
+
+                self.assertEqual(response.status_code, 302)
+                self.assertEqual(
+                    response.url,
+                    '/admin/payments/payment/%s/change/' % self.payment.pk
+                )
+
+                process_payment.assert_not_called()
+                messages_error.assert_not_called()
+                messages_success.assert_not_called()
+
+            with self.subTest('Send post with successful processing'):
+                payment_type = 'cash_payment'
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk), {
+                                                'type': payment_type,
+                                            })
+
+                self.assertEqual(response.status_code, 302)
+                self.assertEqual(
+                    response.url,
+                    '/admin/payments/payment/%s/change/' % self.payment.pk
+                )
+
+                process_payment.assert_called_once_with(payment_qs, payment_type)
+
+                messages_success.assert_called_once_with(
+                    response.wsgi_request, _('Successfully processed %s.') %
+                                           model_ngettext(self.payment, 1)
+                )
+
+            with self.subTest('Send post with failed processing'):
+                process_payment.return_value = []
+                response = self.client.post('/payment/admin/process/{}/'
+                                            .format(self.payment.pk), {
+                                                'type': payment_type,
+                                            })
+
+                messages_error.assert_called_once_with(
+                    response.wsgi_request, _('Could not process %s.') %
+                                           model_ngettext(self.payment, 1)
+                )

website/payments/urls.py

@@ -6,6 +6,6 @@ from .views import PaymentAdminView
 app_name = 'payments'
 
 urlpatterns = [
-    path('admin/process/<uuid:pk>/<type>/',
+    path('admin/process/<uuid:pk>/',
          PaymentAdminView.as_view(), name='admin-process'),
 ]

website/payments/views.py

@@ -19,10 +19,14 @@ class PaymentAdminView(View):
     """
     View that processes a payment
     """
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
         payment = Payment.objects.filter(pk=kwargs['pk'])
+
+        if not ('type' in request.POST):
+            return redirect('admin:payments_payment_change', kwargs['pk'])
+
         result = services.process_payment(
-            payment, kwargs['type']
+            payment, request.POST['type']
         )
 
         if len(result) > 0: