From dda79a491fe2fb2e5cd49dcb30922f47aadb3b1b Mon Sep 17 00:00:00 2001 From: Lance Edgar Date: Tue, 11 Jul 2017 11:15:26 -0500 Subject: [PATCH] Fix bug with mobile receiving UPC lookup; require stronger perm doing a UPC lookup for mobile receiving now requires "create batch row" permissions, since the view is capable of just that --- tailbone/views/master.py | 4 +++ tailbone/views/purchasing/receiving.py | 44 +++++++++++++++----------- 2 files changed, 29 insertions(+), 19 deletions(-) diff --git a/tailbone/views/master.py b/tailbone/views/master.py index b2c3b242..39e8045e 100644 --- a/tailbone/views/master.py +++ b/tailbone/views/master.py @@ -643,6 +643,10 @@ class MasterView(View): else: grid.configure() + def mobile_row_route_url(self, route_name, **kwargs): + route_name = 'mobile.{}.{}'.format(self.get_row_route_prefix(), route_name) + return self.request.route_url(route_name, **kwargs) + def mobile_view_row(self): """ Mobile view for row items diff --git a/tailbone/views/purchasing/receiving.py b/tailbone/views/purchasing/receiving.py index f8ec7388..2638f0bb 100644 --- a/tailbone/views/purchasing/receiving.py +++ b/tailbone/views/purchasing/receiving.py @@ -232,6 +232,9 @@ class ReceivingBatchView(PurchasingBatchView): url = self.request.route_url('mobile.receiving.rows.view', uuid=row.uuid) return tags.link_to(title, url) + # TODO: this view can create new rows, with only a GET query. that should + # probably be changed to require POST; for now we just require the "create + # batch row" perm and call it good.. def mobile_lookup(self): """ Locate and/or create a row within the batch, according to the given 
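Review bot: `mobile_row_route_url` in tailbone/views/master.py is added without a docstring, although the neighbouring `mobile_view_row` has one, and it rebinds its own `route_name` parameter to the full route name. A one-line docstring such as `"""Return the URL for the mobile row route with the given short name, e.g. 'view'."""` would make the short-name contract clear, and a separate local (`full_name = 'mobile.{}.{}'.format(self.get_row_route_prefix(), route_name)`) would avoid the rebind. The context line `self.request.route_url('mobile.receiving.rows.view', uuid=row.uuid)` in the first receiving.py hunk still hard-codes a route name and looks like a candidate for the new helper, assuming the row route prefix there resolves to `receiving.rows`.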
@@ -257,26 +260,29 @@ class ReceivingBatchView(PurchasingBatchView): upc, batch.id_str, batch)) row = rows[0] - # try to locate general product by UPC; add to batch if found - product = api.get_product_by_upc(self.Session(), provided) - if not product: - product = api.get_product_by_upc(self.Session(), checked) - if product: - row = model.PurchaseBatchRow() - row.product = product - batch.add_row(row) - self.handler.refresh_row(row) + else: - # if product not even in system, add to batch anyway.. - if not row: - row = model.PurchaseBatchRow() - row.upc = provided # TODO: why not checked? how to know? - row.description = "(unknown product)" - batch.add_row(row) - self.handler.refresh_row(row) + # try to locate general product by UPC; add to batch if found + product = api.get_product_by_upc(self.Session(), provided) + if not product: + product = api.get_product_by_upc(self.Session(), checked) + if product: + row = model.PurchaseBatchRow() + row.product = product + batch.add_row(row) + self.handler.refresh_row(row) + + else: + + # if product not even in system, add to batch anyway.. + row = model.PurchaseBatchRow() + row.upc = provided # TODO: why not checked? how to know? + row.description = "(unknown product)" + batch.add_row(row) + self.handler.refresh_row(row) self.Session.flush() - return self.redirect(self.request.route_url('mobile.{}.view'.format(self.get_row_route_prefix()), uuid=row.uuid)) + return self.redirect(self.mobile_row_route_url('view', uuid=row.uuid)) def mobile_view_row(self): """ 
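Review bot: The two new inner branches each repeat `row = model.PurchaseBatchRow()`, `batch.add_row(row)` and `self.handler.refresh_row(row)`, so the only real difference between "product found" and "unknown product" is which attributes are set. Creating the row once and branching only on those attributes keeps the add/refresh sequence in one place, so a later change to row creation (an audit log line, a batch-state check) cannot be applied to one path and missed on the other. Behaviour is unchanged. `mobile_lookup` starts above this hunk, so how `provided` and `checked` are derived from the request is not visible here.

```python
        else:
            # … unchanged: product lookup by provided / checked UPC …
            row = model.PurchaseBatchRow()
            if product:
                row.product = product
            else:
                # product not even in system; add to batch anyway
                row.upc = provided # TODO: why not checked? how to know?
                row.description = "(unknown product)"
            batch.add_row(row)
            self.handler.refresh_row(row)
```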
@@ -379,10 +385,10 @@ class ReceivingBatchView(PurchasingBatchView): permission_prefix = cls.get_permission_prefix() row_permission_prefix = cls.get_row_permission_prefix() - # mobile lookup + # mobile lookup (note perm; this view can create new rows) config.add_route('mobile.{}.lookup'.format(route_prefix), '/mobile{}/{{{}}}/lookup'.format(url_prefix, model_key)) config.add_view(cls, attr='mobile_lookup', route_name='mobile.{}.lookup'.format(route_prefix), - renderer='json', permission='{}.view'.format(row_permission_prefix)) + renderer='json', permission='{}.create'.format(row_permission_prefix)) # mobile mark complete config.add_route('mobile.{}.mark_complete'.format(route_prefix), '/mobile{}/{{{}}}/mark-complete'.format(url_prefix, model_key))
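Review bot: The `add_view` registration for `mobile_lookup` still accepts any request method, so raising the permission to `'{}.create'` does not protect a logged-in user who holds that permission from a cross-site GET, which runs with that user's session and can therefore add batch rows. Link prefetching or a reloaded URL has the same effect. Restricting the view at registration with `request_method='POST'` and having the mobile page submit the UPC as a form POST would close this, and would bring the request under the app's CSRF checking if that is enabled. This is the change that the TODO above `mobile_lookup` defers. Until it lands, the comment here could state the residual risk explicitly, e.g. `# NOTE: state-changing GET; permission check does not cover cross-site requests`.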