From ae1e9dba0f409a1ee507cb0fcc670c5f73eb3d91 Mon Sep 17 00:00:00 2001
From: Lance Edgar <lance@edbob.org>
Date: Fri, 25 Mar 2022 12:33:37 -0500
Subject: [PATCH] Improve vendor validation for new receiving batch

---
 tailbone/views/purchasing/batch.py     |  6 ++++++
 tailbone/views/purchasing/receiving.py | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/tailbone/views/purchasing/batch.py b/tailbone/views/purchasing/batch.py
index 93d7ff21..86ee057a 100644
--- a/tailbone/views/purchasing/batch.py
+++ b/tailbone/views/purchasing/batch.py
@@ -405,6 +405,12 @@ class PurchasingBatchView(BatchMasterView):
                             'vendor_contact',
                             'status_code')
 
+    def valid_vendor_uuid(self, node, value):
+        model = self.model
+        vendor = self.Session.query(model.Vendor).get(value)
+        if not vendor:
+            raise colander.Invalid(node, "Invalid vendor selection")
+
     def render_store(self, batch, field):
         store = batch.store
         if not store:
diff --git a/tailbone/views/purchasing/receiving.py b/tailbone/views/purchasing/receiving.py
index e8123406..d2fc2fc5 100644
--- a/tailbone/views/purchasing/receiving.py
+++ b/tailbone/views/purchasing/receiving.py
@@ -266,6 +266,8 @@ class ReceivingBatchView(PurchasingBatchView):
         # least will not need customization for that.
         if self.request.matched_route.name.endswith('create_workflow'):
 
+            redirect = self.redirect(self.request.route_url('{}.create'.format(route_prefix)))
+
             # however we do have one more thing to check - the workflow
             # requested must of course be valid!
             workflow_key = self.request.matchdict['workflow_key']
@@ -273,7 +275,18 @@ class ReceivingBatchView(PurchasingBatchView):
                 self.request.session.flash(
                     "Not a supported workflow: {}".format(workflow_key),
                     'error')
-                raise self.redirect(self.request.route_url('{}.create'.format(route_prefix)))
+                raise redirect
+
+            # also, we require vendor to be correctly identified.  if
+            # someone e.g. navigates to a URL by accident etc. we want
+            # to gracefully handle and redirect
+            uuid = self.request.matchdict['vendor_uuid']
+            vendor = self.Session.query(model.Vendor).get(uuid)
+            if not vendor:
+                self.request.session.flash("Invalid vendor selection.  "
+                                           "Please choose an existing vendor.",
+                                           'warning')
+                raise redirect
 
             # okay now do the normal thing, per workflow
             return super(ReceivingBatchView, self).create(**kwargs)
@@ -318,6 +331,7 @@ class ReceivingBatchView(PurchasingBatchView):
             vendors_url = self.request.route_url('vendors.autocomplete')
             form.set_widget('vendor', forms.widgets.JQueryAutocompleteWidget(
                 field_display=vendor_display, service_url=vendors_url))
+        form.set_validator('vendor', self.valid_vendor_uuid)
 
         # configure workflow field
         values = [(workflow['workflow_key'], workflow['display'])