Fix bug with mobile receiving UPC lookup; require stronger perm

doing a UPC lookup for mobile receiving now requires "create batch row" permissions, since the view is capable of just that
2017-07-11 11:15:26 -05:00 · 2017-07-11 11:15:26 -05:00 · dda79a491f
commit dda79a491f
parent 148cbd2f57
2 changed files with 29 additions and 19 deletions
--- a/tailbone/views/master.py
+++ b/tailbone/views/master.py
@ -643,6 +643,10 @@ class MasterView(View):
        else:
            grid.configure()
    def mobile_row_route_url(self, route_name, **kwargs):
        route_name = 'mobile.{}.{}'.format(self.get_row_route_prefix(), route_name)
        return self.request.route_url(route_name, **kwargs)
    def mobile_view_row(self):
        """
        Mobile view for row items
--- a/tailbone/views/purchasing/receiving.py
+++ b/tailbone/views/purchasing/receiving.py
@ -232,6 +232,9 @@ class ReceivingBatchView(PurchasingBatchView):
        url = self.request.route_url('mobile.receiving.rows.view', uuid=row.uuid)
        return tags.link_to(title, url)
    # TODO: this view can create new rows, with only a GET query.  that should
    # probably be changed to require POST; for now we just require the "create
    # batch row" perm and call it good..
    def mobile_lookup(self):
        """
        Locate and/or create a row within the batch, according to the given
@ -257,6 +260,8 @@ class ReceivingBatchView(PurchasingBatchView):
                        upc, batch.id_str, batch))
                row = rows[0]
            else:
                # try to locate general product by UPC; add to batch if found
                product = api.get_product_by_upc(self.Session(), provided)
                if not product:
@ -267,8 +272,9 @@ class ReceivingBatchView(PurchasingBatchView):
                    batch.add_row(row)
                    self.handler.refresh_row(row)
                else:
                    # if product not even in system, add to batch anyway..
            if not row:
                    row = model.PurchaseBatchRow()
                    row.upc = provided # TODO: why not checked? how to know?
                    row.description = "(unknown product)"
@ -276,7 +282,7 @@ class ReceivingBatchView(PurchasingBatchView):
                    self.handler.refresh_row(row)
        self.Session.flush()
-        return self.redirect(self.request.route_url('mobile.{}.view'.format(self.get_row_route_prefix()), uuid=row.uuid))
+        return self.redirect(self.mobile_row_route_url('view', uuid=row.uuid))
    def mobile_view_row(self):
        """
@ -379,10 +385,10 @@ class ReceivingBatchView(PurchasingBatchView):
        permission_prefix = cls.get_permission_prefix()
        row_permission_prefix = cls.get_row_permission_prefix()
-        # mobile lookup
+        # mobile lookup (note perm; this view can create new rows)
        config.add_route('mobile.{}.lookup'.format(route_prefix), '/mobile{}/{{{}}}/lookup'.format(url_prefix, model_key))
        config.add_view(cls, attr='mobile_lookup', route_name='mobile.{}.lookup'.format(route_prefix),
-                        renderer='json', permission='{}.view'.format(row_permission_prefix))
+                        renderer='json', permission='{}.create'.format(row_permission_prefix))
        # mobile mark complete
        config.add_route('mobile.{}.mark_complete'.format(route_prefix), '/mobile{}/{{{}}}/mark-complete'.format(url_prefix, model_key))