From 43cb0872ae972eada4c02b18fcf5bf36ce256f7c Mon Sep 17 00:00:00 2001
From: Arnau Casas <casassarnau@gmail.com>
Date: Sat, 28 Oct 2023 14:17:43 +0200
Subject: [PATCH] Added reject and added cookie samesite strict

---
 app/settings.py                               |  2 ++
 friends/templates/invite_friends.html         |  2 +-
 friends/views.py                              |  4 +--
 review/emails.py                              |  4 +--
 review/templates/application_list.html        | 11 +++++--
 review/templates/mails/application_invite.txt |  1 -
 ...ml => application_invite_or_waitlist.html} |  2 +-
 .../mails/application_invite_or_waitlist.txt  |  1 +
 review/views.py                               | 32 ++++++++++---------
 9 files changed, 35 insertions(+), 24 deletions(-)
 delete mode 100644 review/templates/mails/application_invite.txt
 rename review/templates/mails/{application_invite.html => application_invite_or_waitlist.html} (85%)
 create mode 100644 review/templates/mails/application_invite_or_waitlist.txt

diff --git a/app/settings.py b/app/settings.py
index 6226cba..2f98495 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -377,6 +377,8 @@
     }
 
 SESSION_COOKIE_AGE = 86400
+SESSION_COOKIE_SAMESITE = "Strict"
+CSRF_COOKIE_SAMESITE = "Strict"
 
 # Cache system
 CACHES = {
diff --git a/friends/templates/invite_friends.html b/friends/templates/invite_friends.html
index a55f97d..e054b16 100644
--- a/friends/templates/invite_friends.html
+++ b/friends/templates/invite_friends.html
@@ -3,7 +3,7 @@
 {% block invite_list_title %}
     <div class="row justify-content-between gy-2">
         <div class="col-12 col-lg-2 d-grid d-md-block">
-            <a href="{% url 'application_invite' %}?type={{ application_type.name }}&status={{ Application.STATUS_PENDING }}" class="btn btn-secondary col-12"><i class="bi bi-caret-left-fill"></i> {% translate 'Back' %}</a>
+            <a href="{% url 'application_invite' %}?type={{ application_type.name }}&status={{ Application.STATUS_PENDING }}&status={{ Application.STATUS_REJECTED }}" class="btn btn-secondary col-12"><i class="bi bi-caret-left-fill"></i> {% translate 'Back' %}</a>
         </div>
     </div>
     <h1 class="mt-3">{% translate 'Friend list invite' %}</h1>
diff --git a/friends/views.py b/friends/views.py
index 504dfcd..c14038a 100644
--- a/friends/views.py
+++ b/friends/views.py
@@ -16,7 +16,7 @@
 from friends.forms import FriendsForm
 from friends.models import FriendsCode
 from friends.tables import FriendInviteTable
-from review.emails import get_invitation_email
+from review.emails import get_invitation_or_waitlist_email
 from review.views import ReviewApplicationTabsMixin, ApplicationListInvite
 from user.mixins import LoginRequiredMixin, IsOrganizerMixin
 from django.utils.translation import gettext_lazy as _
@@ -125,7 +125,7 @@ def post(self, request, *args, **kwargs):
                     application.save()
                     log.save()
                     invited += 1
-                emails.add(get_invitation_email(request, application))
+                emails.add(get_invitation_or_waitlist_email(request, application))
             except Error:
                 error += 1
         emails = emails.send_all()
diff --git a/review/emails.py b/review/emails.py
index efcc081..18e6a39 100644
--- a/review/emails.py
+++ b/review/emails.py
@@ -21,9 +21,9 @@ def send_dubious_email(request, application, reason, name):
           bcc=[request.user.email, ], request=request).send()
 
 
-def get_invitation_email(request, application):
+def get_invitation_or_waitlist_email(request, application):
     context = {
         'application': application,
         'url': request.build_absolute_uri(reverse('home')),
     }
-    return Email(name='application_invite', context=context, to=application.user.email, request=request)
+    return Email(name='application_invite_or_waitlist', context=context, to=application.user.email, request=request)
diff --git a/review/templates/application_list.html b/review/templates/application_list.html
index 0852107..a564278 100644
--- a/review/templates/application_list.html
+++ b/review/templates/application_list.html
@@ -95,7 +95,7 @@ <h1 class="mt-3">{% translate 'Invite applications' %}</h1>
         </div>
         {% if not application_type.auto_confirm and perms|add_type:application_type.name|has_application_perm:'can_invite_application' %}
             <div class="d-grid gap-2 col-lg-6 mx-auto mt-3">
-                <a href="{% url 'application_invite' %}?type={{ application_type.name }}&status={{ Application.STATUS_PENDING }}" class="btn btn-primary">{% translate 'Invite' %}</a>
+                <a href="{% url 'application_invite' %}?type={{ application_type.name }}&status={{ Application.STATUS_PENDING }}&status={{ Application.STATUS_REJECTED }}" class="btn btn-primary">{% translate 'Invite or reject' %}</a>
             </div>
         {% endif %}
     {% else %}
@@ -108,12 +108,15 @@ <h1 class="mt-3">{% translate 'Invite applications' %}</h1>
             {% csrf_token %}
             {% include 'components/table.html' %}
             <div class="d-grid gap-2 col-lg-6 mx-auto mt-2">
-                <button class="btn btn-primary" onclick="return confirm_invite()">{% translate 'Confirm invite' %}</button>
+                <button class="btn btn-primary" name="status" value="{{ Application.STATUS_INVITED }}" onclick="return confirm_invite()">{% translate 'Confirm invite' %}</button>
             </div>
             {% block more_invites %}
                 <div class="d-grid gap-2 col-lg-6 mx-auto mt-2">
                     <a href="{% url 'invite_friends' %}?type={{ application_type.name }}" class="btn btn-secondary">{% translate 'Group by friends' %}</a>
                 </div>
+                <div class="d-grid gap-2 col-lg-6 mx-auto mt-2">
+                    <button class="btn btn-danger" name="status" value="{{ Application.STATUS_REJECTED }}" onclick="return confirm_reject()">{% translate 'Reject selected' %}</button>
+                </div>
             {% endblock %}
         </form>
         <script nonce="{{ request.csp_nonce }}">
@@ -131,6 +134,10 @@ <h1 class="mt-3">{% translate 'Invite applications' %}</h1>
                 let number_checked = get_invited_application_number()
                 return confirm(number_checked + ' {% translate 'applications will be invited. Are you sure?' %}')
             }
+            function confirm_reject() {
+                let number_checked = get_invited_application_number()
+                return confirm(number_checked + ' {% translate 'applications will be rejected. Are you sure?' %}')
+            }
             $(document).ready(() => {
                 let spots = {{ application_type.get_spots_with_attrition }};
                 let free_spots = spots - ({{ application_stats.accepted }} + {{ application_stats.invited }});
diff --git a/review/templates/mails/application_invite.txt b/review/templates/mails/application_invite.txt
deleted file mode 100644
index d9e1d34..0000000
--- a/review/templates/mails/application_invite.txt
+++ /dev/null
@@ -1 +0,0 @@
-ACTION REQUIRED for the {{ application.type.name|lower }} application
diff --git a/review/templates/mails/application_invite.html b/review/templates/mails/application_invite_or_waitlist.html
similarity index 85%
rename from review/templates/mails/application_invite.html
rename to review/templates/mails/application_invite_or_waitlist.html
index e0c87df..b0930d6 100644
--- a/review/templates/mails/application_invite.html
+++ b/review/templates/mails/application_invite_or_waitlist.html
@@ -2,7 +2,7 @@
 {% block content %}
     <p>Hi {{ application.user.first_name }},</p>
     <p>Your {{ application.type.name|lower }} application for {{ app_hack }} has been updated.</p>
-    {% if application.type.expire_invitations > 0 %}
+    {% if application.type.expire_invitations > 0 and application.status == application.STATUS_INVITED %}
         <p><strong>You have {{ application.type.expire_invitations }} days to answer, after that, your application will expire.</strong></p>
     {% endif %}
 
diff --git a/review/templates/mails/application_invite_or_waitlist.txt b/review/templates/mails/application_invite_or_waitlist.txt
new file mode 100644
index 0000000..b627cde
--- /dev/null
+++ b/review/templates/mails/application_invite_or_waitlist.txt
@@ -0,0 +1 @@
+UPDATE: {{ application.type.name|lower }} application
diff --git a/review/views.py b/review/views.py
index cb0c501..18774dd 100644
--- a/review/views.py
+++ b/review/views.py
@@ -26,7 +26,7 @@
 from application import forms
 from application.mixins import ApplicationPermissionRequiredMixin
 from application.models import Application, FileField, ApplicationLog, ApplicationTypeConfig, PromotionalCode
-from review.emails import get_invitation_email
+from review.emails import get_invitation_or_waitlist_email
 from review.filters import ApplicationTableFilter, ApplicationTableFilterWithPromotion
 from review.forms import CommentForm, DubiousApplicationForm
 from review.models import Vote, FileReview, CommentReaction
@@ -317,24 +317,26 @@ def post(self, request, *args, **kwargs):
         selection = request.POST.getlist('select')
         error = 0
         emails = EmailList()
+        new_status = request.POST.get('status', Application.STATUS_INVITED)
+        status_name = [y for x, y in Application.STATUS if x == new_status][0]
         for application in Application.objects.actual().filter(uuid__in=selection):
-            log = ApplicationLog(application=application, user=request.user, name='Invited')
-            log.changes = {'status': {'old': application.status, 'new': Application.STATUS_INVITED}}
-            application.set_status(Application.STATUS_INVITED)
-            try:
-                application.save()
-                log.save()
-                emails.add(get_invitation_email(request, application))
-            except Error:
-                error += 1
+            if application.status != new_status:
+                log = ApplicationLog(application=application, user=request.user, name=status_name)
+                log.changes = {'status': {'old': application.status, 'new': new_status}}
+                application.set_status(new_status)
+                try:
+                    application.save()
+                    log.save()
+                    emails.add(get_invitation_or_waitlist_email(request, application))
+                except Error:
+                    error += 1
         emails = emails.send_all()
         if error > 0:
-            messages.error(request, _('Invited %s, Emails sent: %s, Error: %s') %
-                           (len(selection) - error, emails or 0, error))
+            messages.error(request, _('%s %s, Emails sent: %s, Error: %s') %
+                           (status_name, len(selection) - error, emails or 0, error))
         else:
-            messages.success(request, _('Invited: %s, Emails sent: %s' % (len(selection), emails or 0)))
-        return redirect(reverse('application_list') + '?type=%s&status=%s' % (self.get_application_type(),
-                                                                              Application.STATUS_INVITED))
+            messages.success(request, _('%s: %s, Emails sent: %s' % (status_name, len(selection), emails or 0)))
+        return redirect(reverse('application_list') + '?type=%s&status=%s' % (self.get_application_type(), new_status))
 
 
 class FileReviewView(ApplicationPermissionRequiredMixin, TabsViewMixin, TemplateView):