Comments and permissions update and tests update
Bart committed Jan 8, 2018
1 parent 7b00804 commit 37601c1
Showing 4 changed files with 42 additions and 1 deletion.
6 changes: 5 additions & 1 deletion aa_stripe/api.py
@@ -8,6 +8,7 @@
from rest_framework.response import Response

from aa_stripe.models import StripeCard, StripeCoupon, StripeCustomer, StripeWebhook
from aa_stripe.permissions import IsCardOwner
from aa_stripe.serializers import (StripeCardCreateSerializer, StripeCardListSerializer, StripeCardUpdateSerializer,
StripeCouponSerializer, StripeCustomerRetriveSerializer, StripeCustomerSerializer,
StripeWebhookSerializer)
@@ -35,7 +36,10 @@ def get_serializer_class(self):
class StripeCardsDetailsAPI(RetrieveUpdateDestroyAPIView):
queryset = StripeCard.objects.all()
serializer_class = StripeCardListSerializer
permission_classes = (IsAuthenticated,)
permission_classes = (
IsAuthenticated,
IsCardOwner,
)
lookup_field = "stripe_card_id"

def get_serializer_class(self):
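Review bot: `StripeCardsDetailsAPI` still looks cards up in `StripeCard.objects.all()`, so ownership rests entirely on the object-level `IsCardOwner` check, and a request for another customer's `stripe_card_id` answers 403 where an unknown id presumably answers 404, which tells the caller that the card exists. Scoping the lookup as well keeps the two cases indistinguishable and leaves the permission class as a second layer: a `get_queryset(self)` that returns `StripeCard.objects.filter(customer=StripeCustomer.get_latest_active_customer_for_user(self.request.user))`. The new tests would then expect 404 rather than 403 for foreign cards. Object permissions in DRF run only through `get_object()`, so any handler in this class that fetches the card another way would skip `IsCardOwner`; the rest of the class is outside the hunk.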
7 changes: 7 additions & 0 deletions aa_stripe/models.py
@@ -127,11 +127,18 @@ def create_at_stripe(self):

def update_at_stripe(self, stripe_token, set_default):
is_default = self.customer.default_card.pk is self.pk
# When the card is not the default card we need to change
# the default_source attribute before setting the source attribute on customer
# because setting source attribute will overwrite the default_source
# and we do not allow unsetting the default card hence
# we overwrite set_default here if card is default
set_default = is_default if not set_default else set_default

stripe.api_key = stripe_settings.API_KEY

customer = stripe.Customer.retrieve(self.customer.stripe_customer_id)
# When a card is updated with setting source_token to source field on customer
# Stripe is genereating new card id for the card
new_card_id = None

if not is_default and set_default:
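Review bot: The comments added here explain the default-card handling, but the line they rest on, `is_default = self.customer.default_card.pk is self.pk`, tests object identity rather than equality. Assuming integer primary keys, two equal values are only the same object for small cached integers in CPython, so for larger keys a default card is likely to be treated as non-default. It should read `is_default = self.customer.default_card.pk == self.pk`. If `default_card` can be unset, the attribute access also raises before any Stripe call; that is not visible from this hunk, and `update_at_stripe` continues past its end. The second added comment has a typo, `genereating`.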
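--- /dev/null
+++ b/aa_stripe/permissions.py
@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+from rest_framework.permissions import BasePermission
+
+from aa_stripe.models import StripeCustomer
+
+
+class IsCardOwner(BasePermission):
+def has_object_permission(self, request, view, obj):
+return obj.customer == StripeCustomer.get_latest_active_customer_for_user(request.user)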
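Review bot: `has_object_permission` compares `obj.customer` with whatever `get_latest_active_customer_for_user` returns, so if that helper can return `None` (its body is not shown here), a card whose `customer` is unset would compare equal and be allowed. Binding the result and failing closed avoids that: `customer = StripeCustomer.get_latest_active_customer_for_user(request.user)` followed by `return customer is not None and obj.customer == customer`. A one-line docstring stating that only the user's latest active customer counts as the owner would also help, since this check denies cards attached to an older customer of the same user.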
21 changes: 21 additions & 0 deletions tests/test_cards.py
@@ -136,6 +136,7 @@ def setUp(self):
def test_delete(self, m):
self._setup_customer_api_mock(m)
card = self._get_new_random_card()
second_card = self._get_new_random_card(False)
url = reverse("stripe-customers-cards-details", args=[card.stripe_card_id])
response = self.client.delete(url)
self.assertEqual(response.status_code, 403)
@@ -179,6 +180,13 @@ def test_delete(self, m):
self.assertEqual(response.status_code, 204)
self.assertTrue(StripeCard.objects.deleted().filter(pk=card.pk).exists())

self._create_user(3)
self._create_customer("cus_abcd")
self.client.force_authenticate(user=self.user)
url = reverse("stripe-customers-cards-details", args=[second_card.stripe_card_id])
response = self.client.delete(url)
self.assertEqual(response.status_code, 403)

def test_create_card(self):
self.assertEqual(StripeCard.objects.count(), 0)
url = reverse("stripe-customers-cards")
@@ -316,6 +324,10 @@ def test_get_card(self):
self.assertEqual(response.data["stripe_card_id"], card_2.stripe_card_id)
self.assertNotEqual(response.data["stripe_card_id"], card_1.stripe_card_id)

url = reverse("stripe-customers-cards-details", args=[card_1.stripe_card_id])
response = self.client.get(url)
self.assertEqual(response.status_code, 403)

def test_update_card(self):
not_existing_stripe_card_id = self._stripe_card_id()
url = reverse("stripe-customers-cards-details", args=[not_existing_stripe_card_id])
@@ -375,3 +387,12 @@ def test_update_card(self):
}])
response = self.client.patch(url, data, format="json")
self.assertEqual(response.status_code, return_code)

card_to_be_updated.refresh_from_db()
self._create_user(3)
self._create_customer("cus_abcd")
self.client.force_authenticate(user=self.user)
url = reverse("stripe-customers-cards-details", args=[card_to_be_updated.stripe_card_id])
data = {"stripe_token": "tok_amex", "set_default": set_default}
response = self.client.patch(url, data, format="json")
self.assertEqual(response.status_code, 403)
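Review bot: The new cross-user cases assert only the 403 status; after the forbidden `delete` and `patch` nothing checks that the card was left untouched. In `test_delete`, adding `self.assertFalse(StripeCard.objects.deleted().filter(pk=second_card.pk).exists())` after the 403 would pin that, and in `test_update_card` a `refresh_from_db()` followed by a comparison of `stripe_card_id` against its earlier value would do the same. These checks are also appended to the end of long existing tests (both continue outside the hunks), so an earlier failure hides them; separate test methods for the ownership cases would report independently.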
