gnunet-svn
[GNUnet-SVN] [taler-bank] 01/02: check that the user who is rejecting a


From: gnunet
Subject: [GNUnet-SVN] [taler-bank] 01/02: check that the user who is rejecting a transaction was the credit party in that transaction.
Date: Fri, 08 Dec 2017 17:48:02 +0100

This is an automated email from the git hooks/post-receive script.

marcello pushed a commit to branch master
in repository bank.

commit 82cc63876601ad935495cce41346dc4e1e55fa3b
Author: Marcello Stanisci <address@hidden>
AuthorDate: Fri Dec 8 17:46:32 2017 +0100

    check that the user who is rejecting a transaction
    was the credit party in that transaction.
---
 talerbank/app/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index 47aced9..14c3e6e 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -451,6 +451,7 @@ def reject(request, user_account):
     try:
         validate_reject_request(data)
     except (FVE, RFVE) as exc:
+        LOGGER.error("invalid %s" % exc.fieldname)
         return JsonResponse({"error": "invalid '%s'" % exc.fieldname}, 
status=400)
     try:
         trans = BankTransaction.objects.get(id=data["row_id"])
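Review bot: The new LOGGER.error call in the except (FVE, RFVE) branch records only the field name, so the log entry cannot be tied to the account that sent the malformed /reject request; include the requesting user (for example user_account.username, if that attribute is what the model exposes) so repeated bad requests from one account are visible. Passing the value as a logging argument, LOGGER.error("invalid %s", exc.fieldname), also avoids formatting the string eagerly with %. Since a 400 caused by client input is not a server fault, a warning level may fit better than error.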
@@ -460,7 +461,10 @@ def reject(request, user_account):
     # WARNING: here the bank must make sure 'row_id' points to
     # a transaction where the requesting user owns the credit account.
     # Not even a bug number exists on this.
-
+    if trans.credit_account.account_no != user_account.bankaccount.account_no:
+        LOGGER.error("you can only reject a transaction where you _got_ money")
+        return JsonResponse({"error": "you can only reject a transaction where 
you _got_ money"},
+                            status=401) # Unauthorized
     try:
         wire_transfer(trans.amount, user_account.bankaccount,
                       trans.debit_account, "/reject: reimbursement",
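Review bot: The ownership check returns status=401, but at this point the caller is already authenticated as user_account and is simply not allowed to act on this row_id, so 403 Forbidden is the matching status; 401 tells a client to retry with credentials. The check also runs after the BankTransaction lookup, so if the lookup failure path answers with a different status, a caller can distinguish "row_id does not exist" from "row_id exists but belongs to someone else"; returning the same response for both would avoid exposing which transaction ids are valid. The LOGGER.error line should record the requesting account and data["row_id"], since an attempt to reject another party's transaction is exactly the event an operator wants to trace, and the message string is duplicated between the log call and the JsonResponse. Finally, the WARNING comment kept as context above the check ("Not even a bug number exists on this") now describes a gap this commit closes and should be updated or removed, and the commit touches only views.py, so a test that has a non-credit party call /reject would keep the check from regressing.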

-- 
To stop receiving notification emails like this one, please contact
address@hidden


