Move pay views under /user/username/{bill, address, order, ...}

uncloud_django_based/uncloud/uncloud_pay/views.py

@@ -18,28 +18,25 @@ from .serializers import *
 from datetime import datetime
 from vat_validator import sanitize_vat
 import uncloud_pay.stripe as uncloud_stripe
+from uncloud_auth.helpers import IsOwnerOrAdmin
 
 logger = logging.getLogger(__name__)
 
+# FIXME: user resolution from user_pk field might fail if queried for
+# non-existing username by an admin. It should return 404 instead.
+
 ###
 # Payments and Payment Methods.
 
 class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = PaymentSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
 
     def get_queryset(self):
-        return Payment.objects.filter(owner=self.request.user)
-
-class OrderViewSet(viewsets.ReadOnlyModelViewSet):
-    serializer_class = OrderSerializer
-    permission_classes = [permissions.IsAuthenticated]
-
-    def get_queryset(self):
-        return Order.objects.filter(owner=self.request.user)
+        return Payment.objects.filter(owner__username=self.kwargs['user_pk'])
 
 class PaymentMethodViewSet(viewsets.ModelViewSet):
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
 
     def get_serializer_class(self):
         if self.action == 'create':
@@ -52,21 +49,22 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
             return PaymentMethodSerializer
 
     def get_queryset(self):
-        return PaymentMethod.objects.filter(owner=self.request.user)
+        return PaymentMethod.objects.filter(owner__username=self.kwargs['user_pk'])
 
     # XXX: Handling of errors is far from great down there.
     @transaction.atomic
-    def create(self, request):
+    def create(self, request, user_pk):
+        user = get_user_model().objects.get(user_pk)
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 
         # Set newly created method as primary if no other method is.
-        if PaymentMethod.get_primary_for(request.user) == None:
+        if PaymentMethod.get_primary_for(user) == None:
             serializer.validated_data['primary'] = True
 
         if serializer.validated_data['source'] == "stripe":
             # Retrieve Stripe customer ID for user.
-            customer_id = uncloud_stripe.get_customer_id_for(request.user)
+            customer_id = uncloud_stripe.get_customer_id_for(user)
             if customer_id == None:
                 return Response(
                     {'error': 'Could not resolve customer stripe ID.'},
@@ -79,7 +77,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
                     status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
             payment_method = PaymentMethod.objects.create(
-                    owner=request.user,
+                    owner=user,
                     stripe_setup_intent_id=setup_intent.id,
                     **serializer.validated_data)
 
@@ -90,11 +88,11 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
             stripe_registration_url = reverse('api-root', request=request) + path
             return Response({'please_visit': stripe_registration_url})
         else:
-           serializer.save(owner=request.user, **serializer.validated_data)
+           serializer.save(owner=user, **serializer.validated_data)
            return Response(serializer.data)
 
     @action(detail=True, methods=['post'])
-    def charge(self, request, pk=None):
+    def charge(self, request, pk=None, user_pk=None):
         payment_method = self.get_object()
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
@@ -107,7 +105,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
             return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
     @action(detail=True, methods=['get'], url_path='register-stripe-cc', renderer_classes=[TemplateHTMLRenderer])
-    def register_stripe_cc(self, request, pk=None):
+    def register_stripe_cc(self, request, pk=None, user_pk=None):
         payment_method = self.get_object()
 
         if payment_method.source != 'stripe':
@@ -143,7 +141,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
         return Response(template_args, template_name='stripe-payment.html.j2')
 
     @action(detail=True, methods=['post'], url_path='activate-stripe-cc')
-    def activate_stripe_cc(self, request, pk=None):
+    def activate_stripe_cc(self, request, pk=None, user_pk=None):
         payment_method = self.get_object()
         try:
             setup_intent = uncloud_stripe.get_setup_intent(
@@ -165,9 +163,10 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
             return Response({'error': error})
 
     @action(detail=True, methods=['post'], url_path='set-as-primary')
-    def set_as_primary(self, request, pk=None):
+    def set_as_primary(self, request, pk=None, user_pk=None):
+        user = get_user_model().objects.get(user_pk)
         payment_method = self.get_object()
-        payment_method.set_as_primary_for(request.user)
+        payment_method.set_as_primary_for(user)
 
         serializer = self.get_serializer(payment_method)
         return Response(serializer.data)
@@ -177,28 +176,24 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
 
 class BillViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = BillSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
 
     def get_queryset(self):
-        return Bill.objects.filter(owner=self.request.user)
-
-    def unpaid(self, request):
-        return Bill.objects.filter(owner=self.request.user, paid=False)
-
+        return Bill.objects.filter(owner__username=self.kwargs['user_pk'])
 
 class OrderViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
 
     def get_queryset(self):
-        return Order.objects.filter(owner=self.request.user)
+        return Order.objects.filter(owner__username=self.kwargs['user_pk'])
 
 class BillingAddressViewSet(mixins.CreateModelMixin,
         mixins.RetrieveModelMixin,
         mixins.UpdateModelMixin,
         mixins.ListModelMixin,
         viewsets.GenericViewSet):
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
 
     def get_serializer_class(self):
         if self.action == 'update':
@@ -207,16 +202,17 @@ class BillingAddressViewSet(mixins.CreateModelMixin,
             return BillingAddressSerializer
 
     def get_queryset(self):
-        return self.request.user.billingaddress_set.all()
+        return BillingAddress.objects.filter(owner__username=self.kwargs['user_pk'])
+
+    def create(self, request, user_pk):
+        user = get_user_model().objects.get(username=user_pk)
 
-    def create(self, request):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 
         # Validate VAT numbers.
         country = serializer.validated_data["country"]
         vat_number = serializer.validated_data["vat_number"]
-
         # We ignore empty VAT numbers.
         if vat_number != "":
             if not validate_vat(country, vat_number):
@@ -238,7 +234,7 @@ class BillingAddressViewSet(mixins.CreateModelMixin,
                             status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 
-        serializer.save(owner=request.user)
+        serializer.save(owner=user)
         return Response(serializer.data)
 
 ###