author | Florian Dold <florian.dold@gmail.com> | 2019-12-19 11:43:35 +0100 |
committer | Florian Dold <florian.dold@gmail.com> | 2019-12-19 11:43:35 +0100 |
commit | 0a2cc0a9b519ba5a4ee2ff0b73137c7e7846180b (patch) | |
tree | 0e8b3690c6d805a37a9d8aecbb60f8c24b995e21 /talerbank/app/views.py | |
parent | 45bb124b81d94938483a932338137465e6876a91 (diff) | |
check limit before withdrawing
Diffstat (limited to 'talerbank/app/views.py')
-rw-r--r-- | talerbank/app/views.py | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index a8aaa4f..4f36ba6 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -923,6 +923,13 @@ def withdraw_headless_uri(request, user):
     data = WithdrawHeadlessUri(json.loads(decode_body(request)))
     amount = Amount.parse(data.get("amount"))
     user_account = BankAccount.objects.get(user=user)
+    debt_threshold = Amount.parse(settings.TALER_MAX_DEBT)
+    if not check_transfer_allowed(
+        user_account.amount, user_account.debit, debt_threshold, amount
+    ):
+        raise DebitLimitException(
+            f"Aborting payment initiated by '{user_account.user.username}', debit limit crossed."
+        )
     op = TalerWithdrawOperation(amount=amount, withdraw_account=user_account)
     op.save()
     host = request.get_host()
@@ -1027,6 +1034,14 @@ def api_withdraw_operation(request, withdraw_id):
     return JsonResponse(dict(error="only GET and POST are allowed"), status=305)
 
 
+def check_transfer_allowed(balance, balance_is_debit, debt_limit, transfer_amount):
+    if amount_is_debit:
+        total_debt = Amount(**transfer_amount).add(balance)
+        return Amount.cmp(total_debt, debt_limit) <= 0
+    max_transfer = Amount(**balance).add(debt_limit)
+    return Amount.cmp(transfer_amount, max_transfer) <= 0
+
+
 ##
 # Serve a Taler withdrawal request; takes the amount chosen
 # by the user, and builds a response to trigger the wallet into 
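Review bot: The limit check in withdraw_headless_uri reads user_account.amount with a plain `BankAccount.objects.get(user=user)` and the TalerWithdrawOperation is only saved on the line after, so two concurrent requests for the same account can both pass check_transfer_allowed before either debit is recorded; unless this view already runs inside a transaction, the row should be read with `user_account = BankAccount.objects.select_for_update().get(user=user)` under `transaction.atomic()`, and the same limit should be re-checked where the operation is later confirmed, since the balance can change in between. The same seven added lines reappear verbatim in start_withdrawal in the third hunk; a small helper such as `ensure_withdraw_allowed(user_account, amount)` that parses TALER_MAX_DEBT and raises DebitLimitException would keep the two views from drifting apart. The body of withdraw_headless_uri starts before this hunk and continues after it.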
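Review bot: check_transfer_allowed tests `amount_is_debit`, but its parameter is named `balance_is_debit`, so every call raises NameError before any limit is evaluated and both callers in this commit fail closed; the line should read `if balance_is_debit:`. The `Amount(**transfer_amount)` and `Amount(**balance)` unpacking also looks suspect, because the callers pass `amount` straight from `Amount.parse(...)`, which presumably yields an Amount rather than a mapping — confirm that Amount supports `**`, or use `transfer_amount.add(balance)` and `balance.add(debt_limit)` directly as the same function already does on the next lines. A docstring stating the contract would help the two callers, e.g. "Return True when a withdrawal of transfer_amount keeps the account within debt_limit: balance is the current absolute balance, balance_is_debit says whether it is owed by the account; the limit is inclusive." A unit test that calls the function with an account in debit and one in credit would have caught the undefined name.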
@@ -1039,6 +1054,13 @@ def api_withdraw_operation(request, withdraw_id):
 def start_withdrawal(request):
     user_account = BankAccount.objects.get(user=request.user)
     amount = Amount.parse(request.POST.get("kudos_amount", "not-given"))
+    debt_threshold = Amount.parse(settings.TALER_MAX_DEBT)
+    if not check_transfer_allowed(
+        user_account.amount, user_account.debit, debt_threshold, amount
+    ):
+        raise DebitLimitException(
+            f"Aborting payment initiated by '{user_account.user.username}', debit limit crossed."
+        )
     op = TalerWithdrawOperation(amount=amount, withdraw_account=user_account)
     op.save()
     return redirect("withdraw-show", withdraw_id=op.withdraw_id) |