From 120d5d47c9df8c5bae68a0d42ca13d63e5c1f3e4 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Fri, 2 Oct 2020 21:39:37 +0200
Subject: merge #6616 patch
---
talermerchantdemos/blog/blog.py | 50 +++++++++++++++++++++++++++++++----------
1 file changed, 38 insertions(+), 12 deletions(-)
(limited to 'talermerchantdemos/blog')
diff --git a/talermerchantdemos/blog/blog.py b/talermerchantdemos/blog/blog.py
index 8de3179..9ef3660 100644
--- a/talermerchantdemos/blog/blog.py
+++ b/talermerchantdemos/blog/blog.py
@@ -226,11 +226,33 @@ def render_article(article_name, data, order_id, refundable):
 refundable=refundable
 )
+##
+# Setup a fresh order with the backend.
+#
+# @param article_name which article the order is for
+# @param lang which language to use
+#
+def post_order(article_name,lang):
+ order = dict(
+ amount=ARTICLE_AMOUNT,
+ extra=dict(article_name=article_name,lang=lang),
+ fulfillment_url=flask.request.base_url,
+ summary="Essay: " + article_name.replace("_", " "),
+ # 10 minutes time for a refund
+ wire_transfer_deadline=dict(t_ms=1000 * int(time.time() + 15 * 30)),
+ )
+ order_resp = backend_post(
+ BACKEND_URL,
+ "private/orders",
+ dict(order=order, refund_delay=dict(d_ms=1000 * 120)))
+ return order_resp
+
+
 ##
 # Trigger a article purchase. The logic follows the main steps:
 #
 # 1. Always check if the article was paid already, via the
-# "/check-payment" API from the backend.
+# "/private/orders/$ORDER_ID" API from the backend.
 # 2. If so, return the article.
 # 3. If not, redirect the browser to a page where the
 # wallet will initiate the payment protocol.
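Review bot: The comment `# 10 minutes time for a refund` in `post_order` does not match the line below it: `15 * 30` is 450 seconds (7.5 minutes), and the field is `wire_transfer_deadline`, whereas the refund window is the separate `refund_delay` of `1000 * 120` ms. Either correct the comment or write the intended value, e.g. `wire_transfer_deadline=dict(t_ms=1000 * int(time.time() + 10 * 60)),` if ten minutes is meant. The header comment also omits what the function returns; a line such as `# @return the backend's response to the order creation` would cover it. `fulfillment_url` still comes from `flask.request.base_url`, so it follows the host the request arrived with; whether the deployment restricts accepted host names is not visible in this hunk and is worth confirming.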
@@ -260,17 +282,9 @@ def article(article_name, data=None):
 ##
 # First-timer; generate order first.
 if not order_id:
- order = dict(
- amount=ARTICLE_AMOUNT,
- extra=dict(article_name=article_name),
- fulfillment_url=flask.request.base_url,
- summary="Essay: " + article_name.replace("_", " "),
- wire_transfer_deadline=dict(t_ms=1000 * int(time.time() + 150))
- )
- order_resp = backend_post(
- BACKEND_URL, "private/orders",
- dict(order=order, refund_delay=dict(d_ms=1000 * 120))
- )
+ if not lang:
+ err_abort(403, message="Direct access forbidden")
+ order_resp = post_order(article_name,lang)
 order_id = order_resp["order_id"]
 # Ask the backend for the status of the payment
@@ -278,6 +292,18 @@ def article(article_name, data=None):
 BACKEND_URL, f"private/orders/{order_id}", params=dict(session_id=session_id)
 )
 order_status = pay_status.get("order_status")
+ if order_status == "claimed":
+ if not lang:
+ err_abort(403, message="Direct access forbidden")
+ # Order already claimed, must setup fresh order
+ order_resp = post_order(article_name,lang)
+ order_id = order_resp["order_id"]
+ pay_status = backend_get(
+ BACKEND_URL, f"private/orders/{order_id}", params=dict(session_id=session_id)
+ )
+ order_status = pay_status.get("order_status")
+ # This really must be 'unpaid' now...
+
 if order_status == "paid":
 refunded = pay_status["refunded"]
 if refunded:
-- 
cgit v1.2.3
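Review bot: The `if not lang:` guard added under `if not order_id:` is repeated, together with the `post_order` call and `order_id = order_resp["order_id"]`, in the `claimed` branch of the next hunk, so the two call sites can drift apart. `post_order` cannot build a meaningful order without a language, so the guard could sit at the top of `post_order` instead, as `if not lang: err_abort(403, message="Direct access forbidden")`. `lang` itself is bound outside this hunk, so how it is derived and validated before it lands in the order's `extra` field cannot be checked here. `order_resp["order_id"]` raises KeyError if the backend reply lacks that key; how `backend_post` reports failures is not visible, so this may already be handled.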
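Review bot: Nothing enforces the assumption in `# This really must be 'unpaid' now...`: after the second `backend_get`, a status that is still `claimed`, or missing (`.get` returns None), falls through to the code after the `paid` branch, which lies outside this hunk. An explicit check after the re-fetch would turn that into a visible failure, e.g. `if order_status == "claimed": err_abort(500, message="Fresh order already claimed")`. The comment would also read better placed above that check than as the last line of the branch.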