February update (#767)

* created endpoint for listing and destroying orders

* Infrastructure as Code using terraform (#684)

* feat: initial terraform

* chore: add basic documentation

* chore: more documentation

* Added IaC setup for Lepton

* added checov github action

* chekov allow softfail

* chore: database name

* hack to allow azure container apps managed certificates

* small changes

* tweeking values

* chore: revert changes to makefile

* chore: make format

* chore: bump build actions (#755)

* Feat(payment)/orders (#757)

* added filtersearch

* added filter

* added filter and listing

* Add status field to the ordering filter and fix retrieve method in OrderViewSet

* Refactor order filters and views

* Add is_index_user function to check if user is in Index

* Refactor order factory and serializers, add update endpoint for orders

* Add admin group user permission to order views and tests

* added permission checks for order model and removed from order viewset (#760)

* added permission checks for order model and removed from order viewset

* format

* fixed string representation for orders (#764)

* removed bug that deleted paid event if event is updated. added more i… (#765)

* removed bug that deleted paid event if event is updated. added more info to paid_event in adminpanel

* format

* Update CHANGELOG.md (#766)

---------

Co-authored-by: Martin Clementz <[email protected]>

.github/workflows/deploy_to_azure.yml

@@ -27,10 +27,10 @@ jobs:
 
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v3
 
     - name: Cache Docker layers
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: /tmp/.buildx-cache
         key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -39,7 +39,7 @@ jobs:
 
     - name: Build and push
       id: docker_build
-      uses: docker/build-push-action@v2
+      uses: docker/build-push-action@v5
       with:
         context: ./
         file: ./compose/Dockerfile

.github/workflows/terraform.yml

@@ -0,0 +1,39 @@
+name: Validate Infrastructure
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - dev
+      - master
+
+jobs:
+  checkov:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Checkov GitHub Action
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          # This will add both a CLI output to the console and create a results.sarif file
+          output_format: sarif
+          framework: terraform
+          soft_fail: true
+          output_file_path: results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+
+        # Results are generated only on a success or failure
+        # this is required since GitHub by default won't run the next step
+        # when the previous one has failed. Security checks that do not pass will 'fail'.
+        # An alternative is to add `continue-on-error: true` to the previous step
+        # Or 'soft_fail: true' to checkov.
+        if: success() || failure()
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -26,3 +26,6 @@ mysite.log
 .coverage
 
 celerybeat-schedule
+
+.terraform
+*.tfvars

CHANGELOG.md

@@ -14,6 +14,9 @@
 
 ## Neste versjon
 
+## Versjon 2023.02.07
+- 🦟 **Vipps** Brukere kan nå oppdatere betalt arrangement, uten at det betalte arrangementet blir slettet.
+
 ## Versjon 2023.01.15
 - ✨ **Reaksjoner** Brukere kan reagere med emojier på arrangementer og nyheter.
 - 🎨 **JubKom Rettigheter** Medlemmer av JubKom kan ikke lenger lage arrangementer.

Makefile

@@ -6,20 +6,20 @@ help: ## This help.
 
 .PHONY: start
 start: ## Start the webserver with docker on http://localhost:8000
-	docker-compose up
+	docker compose up
 
 .PHONY: down
 down: ## Take down server
-	docker-compose down -v
+	docker compose down -v
 
 .PHONY: restart
 restart: ## Rebuild and start the server
-	docker-compose build
+	docker compose build
 	make start
 
 .PHONY: fresh
 fresh: ## Perform a fresh build, install and start the server
-	docker-compose build
+	docker compose build
 	make makemigrations
 	make migrate
 	make loaddata
@@ -28,16 +28,16 @@ fresh: ## Perform a fresh build, install and start the server
 
 .PHONY: createsuperuser
 createsuperuser: ## Create a new django superuser
-	docker-compose run --rm web python manage.py createsuperuser
+	docker compose run --rm web python manage.py createsuperuser
 
 
 .PHONY: makemigrations
 makemigrations: ## Create migration files
-	docker-compose run --rm web python manage.py makemigrations
+	docker compose run --rm web python manage.py makemigrations
 
 .PHONY: migrate
 migrate: ## Run django migrations
-	docker-compose run --rm web python manage.py migrate ${args}
+	docker compose run --rm web python manage.py migrate ${args}
 
 .PHONY: migrations
 migrations: ## Create migration-files and migrate immediately
@@ -46,23 +46,23 @@ migrations: ## Create migration-files and migrate immediately
 
 .PHONY: dumpdata
 dumpdata: ## Dump current data stored into ./app/fixture.json
-	docker-compose run --rm web python manage.py dumpdata -e admin -e auth.Permission -e contenttypes --indent=4 > ./app/fixture.json
+	docker compose run --rm web python manage.py dumpdata -e admin -e auth.Permission -e contenttypes --indent=4 > ./app/fixture.json
 
 .PHONY: loaddata
 loaddata: ## Load fixtures from ./app/fixture.json into the database
-	docker-compose run --rm web python manage.py loaddata ./app/fixture.json
+	docker compose run --rm web python manage.py loaddata ./app/fixture.json
 
 .PHONY: collectstatic
 collectstatic: ## Collect static files to a single location to be served in production
-	docker-compose run --rm web python manage.py collectstatic
+	docker compose run --rm web python manage.py collectstatic
 
 .PHONY: test
 test: ## Run test suite
-	docker-compose run --rm web pytest ${args}
+	docker compose run --rm web pytest ${args}
 
 .PHONY: cov
 cov: ## Check test coverage
-	docker-compose run --rm web pytest --cov-config=.coveragerc --cov=app
+	docker compose run --rm web pytest --cov-config=.coveragerc --cov=app
 
 .PHONY: format
 format: ## Format code and imports
@@ -77,15 +77,15 @@ check: ## Check formatting, imports and linting
 
 .PHONY: black
 black: ## Format code only
-	docker-compose run --rm web black app/ ${args} --exclude migrations
+	docker compose run --rm web black app/ ${args} --exclude migrations
 
 .PHONY: isort
 isort: ## Format imports only
-	docker-compose run --rm web isort . ${args}
+	docker compose run --rm web isort . ${args}
 
 .PHONY: flake8
 flake8: ## Fheck code style
-	docker-compose run --rm web flake8 app
+	docker compose run --rm web flake8 app
 
 .PHONY: pr
 pr: ## Pull Request format and checks
@@ -96,4 +96,4 @@ pr: ## Pull Request format and checks
 
 .PHONY: shell
 shell: ## Open an interactive Django shell
-	docker-compose run --rm web python manage.py shell
+	docker compose run --rm web python manage.py shell

app/common/permissions.py

@@ -142,6 +142,17 @@ def is_admin_user(request):
     return check_has_access(AdminGroup.admin(), request)
 
 
+def is_index_user(request):
+    set_user_id(request)
+    """Checks if user is in Index"""
+    user_id = request.user
+
+    if user_id is None:
+        return False
+
+    return check_has_access([AdminGroup.INDEX], request)
+
+
 def is_admin_group_user(request):
     set_user_id(request)
     """Checks if user is in HS, Index, Nok, Promo, Sosialen or Kok"""

app/content/serializers/event.py

@@ -5,10 +5,6 @@
 
 from app.common.enums import GroupType
 from app.common.serializers import BaseModelSerializer
-from app.content.exceptions import (
-    APIEventCantBeChangedToPaidEventException,
-    APIPaidEventCantBeChangedToFreeEventException,
-)
 from app.content.models import Event, PriorityPool
 from app.content.serializers.priority_pool import (
     PriorityPoolCreateSerializer,
@@ -210,26 +206,27 @@ def update_queue(self, event, limit, instance_limit):
         if limit_difference < 0:
             event.move_users_from_queue_to_waiting_list(abs(limit_difference))
 
-    def update_from_paid_to_free(self, event, paid_information_data):
+    def update_from_free_to_paid(self, event, paid_information_data):
         if paid_information_data and not event.is_paid_event:
             if event.has_participants:
-                raise APIEventCantBeChangedToPaidEventException()
+                return
 
             PaidEvent.objects.create(
                 event=event,
                 price=paid_information_data["price"],
                 paytime=paid_information_data["paytime"],
             )
 
-    def update_from_free_to_paid(self, event, paid_information_data):
+    def update_from_paid_to_free(self, event, paid_information_data):
         if event.is_paid_event:
-            if not len(paid_information_data) and event.has_participants:
-                raise APIPaidEventCantBeChangedToFreeEventException()
+            if event.has_participants:
+                return
 
-            paid_event = PaidEvent.objects.filter(event=event)
-            if paid_event:
-                paid_event.first().delete()
-                event.paid_information = None
+            if not len(paid_information_data):
+                paid_event = PaidEvent.objects.filter(event=event)
+                if paid_event:
+                    paid_event.first().delete()
+                    event.paid_information = None
 
     def update_priority_pools(self, event, priority_pools_data):
         event.priority_pools.all().delete()

app/content/serializers/user.py

@@ -174,7 +174,7 @@ def get_fields(self):
 
 class UserPermissionsSerializer(serializers.ModelSerializer):
     permissions = DRYGlobalPermissionsField(
-        actions=["write", "write_all", "read", "destroy"]
+        actions=["write", "write_all", "read", "destroy", "update", "retrieve"]
     )
 
     class Meta:

app/content/views/event.py

@@ -81,7 +81,9 @@ def _list_queryset(self):
                     .filter(~Q(category=category))
                     .order_by("-start_date")
                 )
-            return self.queryset.filter(end_date__gte=time).filter(~Q(category=category))
+            return self.queryset.filter(end_date__gte=time).filter(
+                ~Q(category=category)
+            )
 
         return self.queryset.filter(end_date__gte=time)
 

app/payment/factories/order_factory.py

@@ -1,5 +1,3 @@
-import random
-
 import factory
 from factory.django import DjangoModelFactory
 
@@ -15,5 +13,5 @@ class Meta:
 
     user = factory.SubFactory(UserFactory)
     event = factory.SubFactory(EventFactory)
-    status = random.choice([e.value for e in OrderStatus])
+    status = OrderStatus.INITIATE
     payment_link = factory.Faker("url")

app/payment/filters/order.py

@@ -0,0 +1,13 @@
+from django_filters.rest_framework import FilterSet, OrderingFilter
+
+from app.payment.models import Order
+
+
+class OrderFilter(FilterSet):
+    """Filters orders"""
+
+    ordering = OrderingFilter(fields=("created_at",))
+
+    class Meta:
+        model = Order
+        fields = ["event", "status"]

app/payment/models/order.py

@@ -3,7 +3,12 @@
 from django.db import models
 
 from app.common.enums import AdminGroup
-from app.common.permissions import BasePermissionModel
+from app.common.permissions import (
+    BasePermissionModel,
+    is_admin_group_user,
+    is_admin_user,
+    is_index_user,
+)
 from app.content.models.event import Event
 from app.content.models.user import User
 from app.payment.enums import OrderStatus
@@ -31,4 +36,32 @@ class Meta:
         ordering = ("-created_at",)
 
     def __str__(self):
-        return f"{self.user} - {self.event.title} - {self.status} - {self.created_at}"
+        return f"{self.user} - {self.event.title if self.event else ['slettet']} - {self.status} - {self.created_at}"
+
+    @classmethod
+    def has_update_permission(cls, request):
+        return is_admin_user(request)
+
+    @classmethod
+    def has_destroy_permission(cls, request):
+        return is_index_user(request)
+
+    @classmethod
+    def has_retrieve_permission(cls, request):
+        return is_admin_group_user(request)
+
+    @classmethod
+    def has_read_permission(cls, request):
+        return is_admin_group_user(request)
+
+    def has_object_read_permission(self, request):
+        return self.has_read_permission(request)
+
+    def has_object_update_permission(self, request):
+        return self.has_update_permission(request)
+
+    def has_object_destroy_permission(self, request):
+        return self.has_destroy_permission(request)
+
+    def has_object_retrieve_permission(self, request):
+        return self.has_retrieve_permission(request)

app/payment/models/paid_event.py

@@ -21,4 +21,6 @@ class Meta:
         verbose_name_plural = "Paid_events"
 
     def __str__(self):
-        return f"Price: {self.price}"
+        return (
+            f"Event: {self.event.title} - Price: {self.price} - Paytime: {self.paytime}"
+        )

app/payment/serializers/__init__.py

@@ -2,4 +2,6 @@
     OrderSerializer,
     OrderCreateSerializer,
     VippsOrderSerialzer,
+    OrderListSerializer,
+    OrderUpdateSerializer,
 )