check limit before withdrawing

1 files changed, 22 insertions, 0 deletions

diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index a8aaa4f..4f36ba6 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -923,6 +923,13 @@ def withdraw_headless_uri(request, user):
     data = WithdrawHeadlessUri(json.loads(decode_body(request)))
     amount = Amount.parse(data.get("amount"))
     user_account = BankAccount.objects.get(user=user)
+    debt_threshold = Amount.parse(settings.TALER_MAX_DEBT)
+    if not check_transfer_allowed(
+        user_account.amount, user_account.debit, debt_threshold, amount
+    ):
+        raise DebitLimitException(
+            f"Aborting payment initiated by '{user_account.user.username}', debit limit crossed."
+        )
     op = TalerWithdrawOperation(amount=amount, withdraw_account=user_account)
     op.save()
     host = request.get_host()
@@ -1027,6 +1034,14 @@ def api_withdraw_operation(request, withdraw_id):
         return JsonResponse(dict(error="only GET and POST are allowed"), status=305)
 
 
+def check_transfer_allowed(balance, balance_is_debit, debt_limit, transfer_amount):
+    if amount_is_debit:
+        total_debt = Amount(**transfer_amount).add(balance)
+        return Amount.cmp(total_debt, debt_limit) <= 0
+    max_transfer = Amount(**balance).add(debt_limit)
+    return Amount.cmp(transfer_amount, max_transfer) <= 0
+
+
 ##
 # Serve a Taler withdrawal request; takes the amount chosen
 # by the user, and builds a response to trigger the wallet into
@@ -1039,6 +1054,13 @@ def api_withdraw_operation(request, withdraw_id):
 def start_withdrawal(request):
     user_account = BankAccount.objects.get(user=request.user)
     amount = Amount.parse(request.POST.get("kudos_amount", "not-given"))
+    debt_threshold = Amount.parse(settings.TALER_MAX_DEBT)
+    if not check_transfer_allowed(
+        user_account.amount, user_account.debit, debt_threshold, amount
+    ):
+        raise DebitLimitException(
+            f"Aborting payment initiated by '{user_account.user.username}', debit limit crossed."
+        )
     op = TalerWithdrawOperation(amount=amount, withdraw_account=user_account)
     op.save()
     return redirect("withdraw-show", withdraw_id=op.withdraw_id)