Diffstat (limited to 'talerblog/blog/blog.py')
-rw-r--r--talerblog/blog/blog.py16
1 files changed, 10 insertions, 6 deletions
diff --git a/talerblog/blog/blog.py b/talerblog/blog/blog.py
index fc39150..a0a9784 100644
--- a/talerblog/blog/blog.py
+++ b/talerblog/blog/blog.py
@@ -207,14 +207,20 @@ def confirm_refund(order_id):
# the refund protocol in a transparent way.
@app.route("/refund/<order_id>", methods=["POST"])
def refund(order_id):
- article_name = flask.request.form.get("article_name")
- if not article_name:
- return flask.jsonify(dict(error="No article_name found in form")), 400
- LOGGER.info("Looking for %s to refund" % article_name)
if not order_id:
return flask.jsonify(
dict(error="Aborting refund: article not payed")
), 401
+ session_id = flask.session.get("session_id", "")
+ pay_params = dict(order_id=order_id, session_id=session_id)
+ pay_status = backend_get("check-payment", pay_params)
+ if not pay_status.paid:
+ err_abort(
+ 402,
+ message="You did not pay for this article (nice try!)",
+ json=pay_status
+ )
+ article_name = pay_status["contract_terms"]["extra"]["article_name"]
refund_spec = dict(
order_id=order_id,
reason="Demo reimbursement",
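Review bot: The new payment check reads `pay_status.paid` as an attribute, while a few lines further down the same object is indexed as `pay_status["contract_terms"]`. Unless backend_get returns a type that supports both, one of the two fails, and if it is a plain dict parsed from JSON the check raises AttributeError before the paid/unpaid decision is made; assuming a dict, the guard should be `if not pay_status.get("paid"):`. The `article_name` lookup now also sits ahead of the `try:` that covered it in the old code, so a reply without `contract_terms` would presumably surface as an unhandled KeyError. Separately, `json=pay_status` appears to hand the backend's whole check-payment reply to a caller who has just failed the paid check, so returning only the fields the client needs would be safer. refund's body continues past the end of this hunk.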
@@ -223,8 +229,6 @@ def refund(order_id):
resp = backend_post("refund", refund_spec)
try:
# delete from paid article cache
- article_name = resp["contract_terms"]["extra"]["article_name"]
- session_id = flask.session.get("session_id", "")
paid_articles_cache.delete(session_id + "-" + article_name)
taler_refund_uri = resp["taler_refund_uri"]
qrcode_svg = get_qrcode_svg(taler_refund_uri)