gnunet-svn

[GNUnet-SVN] [taler-bank] branch master updated (510f10c -> 921e2d3)


From: gnunet
Subject: [GNUnet-SVN] [taler-bank] branch master updated (510f10c -> 921e2d3)
Date: Fri, 08 Dec 2017 17:48:01 +0100

This is an automated email from the git hooks/post-receive script.

marcello pushed a change to branch master
in repository bank.

    from 510f10c  remove duplicate /reject handlers + allowing slower db work of /history
     new 82cc638  check that the user who is rejecting a transaction was the credit party in that transaction.
     new 921e2d3  remove comment

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 talerbank/app/views.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index 47aced9..b222aa6 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -451,16 +451,17 @@ def reject(request, user_account):
     try:
         validate_reject_request(data)
     except (FVE, RFVE) as exc:
+        LOGGER.error("invalid %s" % exc.fieldname)
         return JsonResponse({"error": "invalid '%s'" % exc.fieldname}, 
status=400)
     try:
         trans = BankTransaction.objects.get(id=data["row_id"])
     except BankTransaction.DoesNotExist:
         return JsonResponse({"error": "unknown transaction"}, status=404)
 
-    # WARNING: here the bank must make sure 'row_id' points to
-    # a transaction where the requesting user owns the credit account.
-    # Not even a bug number exists on this.
-
+    if trans.credit_account.account_no != user_account.bankaccount.account_no:
+        LOGGER.error("you can only reject a transaction where you _got_ money")
+        return JsonResponse({"error": "you can only reject a transaction where 
you _got_ money"},
+                            status=401) # Unauthorized
     try:
         wire_transfer(trans.amount, user_account.bankaccount,
                       trans.debit_account, "/reject: reimbursement",
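Review bot: the new ownership check returns `status=401) # Unauthorized`, but the requester here is already an authenticated user who simply does not own the credit account, which is the case HTTP 403 Forbidden describes; 401 signals missing or invalid credentials and may prompt clients to re-authenticate. Consider `status=403`. Also note the ordering: the `BankTransaction.objects.get(id=data["row_id"])` lookup answers 404 "unknown transaction" before the ownership comparison runs, so a caller learns whether a given row_id exists regardless of whose transaction it is; answering the not-owned case with the same 404 body would avoid that distinction. Finally, both new `LOGGER.error(...)` calls record routine client-side mistakes (bad field, wrong party) at error level, which will make real failures harder to spot in the logs; warning or info seems more fitting.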



