-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Add online RIGS authorisation #283
Conversation
Add EventAuthorisation model + migrations Add authorised property to Event. Add appropriate tests
Add forms, views, templates and URLs. Remove created at in favour of the built in versioning as that's much more accurate. Switch to a OneToOneField with EventAuthorisation -> event as a result of this. Move validation from models to forms where it probably belongs. Provide more descriptive errors. Add success page for authorisation.
Enable RevisionMixin for EventAuthorisation. Add signal receivers for RIGS. Expand RIGS into an explicitly defined app to support signals.
Add backup email if there isn't an MIC
Add email sending methods. Add TEC side sending of emails.
PDFs now state QUOTE, INVOICE or RECEIPT. Single copy and all but INVOICE includes terms of hire.
I used python 3 syntax, we aren't yet using python 3...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the whole I think this looks good. Needs more testing by teccies once treasury approves it though.
Some bugs I noticed:
-
Confirmation email does not at '£' before cost, and does not add decimal places. e.g. £1140.00 shows as just 1140
-
Click "Authorisation Request", type an invalid email and submit, it's then impossible to submit again
RIGS/forms.py
Outdated
|
||
|
||
class BaseClientEventAuthorisationForm(forms.ModelForm): | ||
tos = forms.BooleanField(required=True, label="Terms of hire") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting required=true
is not enough validation for this field. I can just edit the HTML form to make the checkbox into a text field, and then I don't even have to put any text in the box for it to be accepted. Should be as simple as just adding an if(tos==true) statement to the clean
function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incorrect, both in testing and according to the docs, required=True
on a BooleanField validation ensures that the value=True
as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, I suspect the reason this happens is
test = 'no I don't accept'
if test:
print("They accepted")
But I think it's reasonable to assume clients won't mess with the HTML form, so this is a non-issue
RIGS/forms.py
Outdated
|
||
def clean(self): | ||
if self.cleaned_data.get('amount') != self.instance.event.total: | ||
self.add_error('amount', 'The amount authorised must equal the total for the event.') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest "The amount authorised must equal the total for the event (inc VAT)" for absolute clarity
event = models.OneToOneField('Event', related_name='authorisation') | ||
email = models.EmailField() | ||
name = models.CharField(max_length=255) | ||
uni_id = models.CharField(max_length=10, blank=True, null=True, verbose_name="University ID") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do SU staff have Uni ID numbers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Despite even Ollie saying they did, having just asked Niki, they don't. This could be an issue.
@@ -1,16 +1,18 @@ | |||
import os |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ewww, why was this here!
RIGS/rigboard.py
Outdated
buffer = StringIO.StringIO() | ||
|
||
buffer = rml2pdf.parseString(rml) | ||
context = RequestContext(request, { # this should be outside the loop, but bug in 1.8.2 prevents this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove the now un-necessary comment
{% endif %} | ||
{% endif %} | ||
</div> | ||
{% include 'RIGS/event_detail_buttons.html' %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm glad this has finally been done!
<a class="btn btn-default item-add modal-href event-authorise-request" | ||
href="{% url 'event_authorise_request' object.pk %}"> | ||
<span class="glyphicon glyphicon-send"></span> | ||
Authorisation Request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think we need more context on this button than just colours - otherwise teccies may send many duplicate emails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was a tricky one, because by design you can send many emails, this was just to provide feedback that the email had been sent successfully when submitting an address. As it stands RIGS doesn't track when an email has been sent to reduce DB storage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should track this, waaay too much potential for teccie fail otherwise. It's not like we're short of database shortage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not against tracking ti for DB storage, wrong phrasing, more complexity of models, which would rapidly grow to have many to many relationships. As I said, current system is stateless, using HMAC. I don't think it would be an issue, but if it is then we can look into it again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. How about sending an email to the teccy when the client gets sent one (obvs without the secret URL)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would work, but in your scenario the teccie is confused that the email has not been sent, so will just send it again, probably without checking their own email first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, thinking about this further I did consider not autoclosing the modal and instead displaying a success alert informing the user to do this manually. That would be much more verbose, but also more annoying
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An idea I just had: how about just adding "Last sent to", "Last sent at" and "last_sent_by" fields to the EventAuthorisation model. Update those whenever a teccie presses "send", and the history will be kept by reversion
|
||
{{request.scheme}}://{{request.get_host}}{% url 'event_authorise' object.pk hmac %} | ||
|
||
The TEC Rig Information Gathering System |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think this needs a "PLEASE DO NOT RESPOND TO THIS ADDRESS"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I always think that looks god awful, so I've set the reply-to address to something sensible now so theoretically we should never have a problem.
I would also suggest setting rigs@nottinghamtec.co.uk to forward somewhere sensible (productions or it, one or the other)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm ok with just setting the reply-to, but just remember if they do reply to the email and it goes to the teccie, the teccie then has the super secret URL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, well aware of that, but at that point, thats their problem for disclosing the secret URL, we have taken reasonable measures already.
Your event is now fully booked and our finance department will be contact to arrange payment. | ||
{% endif %} | ||
|
||
The TEC Rig Information Gathering System |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think this needs a "PLEASE DO NOT RESPOND TO THIS ADDRESS"
|
||
<div class="form-group"> | ||
<label class="col-sm-2 control-label" | ||
for="{{ form.email.id_for_label }}">{{ form.email.label }}</label> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This popup needs more warnings.
YOU ARE ABOUT TO SEND THIS TO A CLIENT, QUADRUPLE CHECK ALL THE THINGS, DON'T BE A MORON
The client will be able to see all contact info, event items, the event title, the event description (not notes), and the MIC name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to bring out the 'delete invoice' UI for sending emails now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Preferably yes 🎉
Noticed in testing, that could have gone badly.
88cdbb4
to
843fa7c
Compare
843fa7c
to
99e7878
Compare
99e7878
to
b4ab293
Compare
# Conflicts: # RIGS/test_functional.py
This effectively reverts 067e03b.
Actually finish fixing PDF footer formatting.
Changes from using signed paperwork to an online interface for clients to authorise the rig via a secure HMAC link.
Process is as follows:
This directly closes #228, and indirectly closes #282 and #195.
Merge notes: