Restrict prepaids

* For GET prepaids, ignore prepaids made before today * For POST prepaid redeemer, do not allow redeeming users made before today * For POST prepaid redeemer, disable db query for being a member of a different prepaid (not relevant since no one had paid before) * For POST prepaid redeemer, only allow for prepaids of type course
2024-11-23 23:58:02 -05:00 · 2015-11-10 16:32:31 -08:00 · 2015-11-10 16:32:31 -08:00 · 30e05f3720
commit 30e05f3720
parent 5c5db0e546
1 changed files with 31 additions and 22 deletions
--- a/server/prepaids/prepaid_handler.coffee
+++ b/server/prepaids/prepaid_handler.coffee
@ -10,6 +10,8 @@ mongoose = require 'mongoose'
 # TODO: Should this happen on a save() call instead of a prepaid/-/create post?
 # TODO: Probably a better way to create a unique 8 charactor string property using db voodoo

+cutoffID = mongoose.Types.ObjectId('5642877accc6494a01cc6bfe')
+
 PrepaidHandler = class PrepaidHandler extends Handler
  modelClass: Prepaid
  jsonSchema: require '../../app/schemas/models/prepaid.schema'
@ -65,6 +67,7 @@ PrepaidHandler = class PrepaidHandler extends Handler
      @sendSuccess(res, prepaid.toObject())

  postRedeemerAPI: (req, res, prepaidID) ->
+    return @sendForbiddenError(res) if prepaidID.toString() < cutoffID.toString()
    return @sendMethodNotAllowed(res, 'You may only POST redeemers.') if req.method isnt 'POST'
    return @sendBadInputError(res, 'Need an object with a userID') unless req.body?.userID
    Prepaid.findById(prepaidID).exec (err, prepaid) =>
@ -72,33 +75,34 @@ PrepaidHandler = class PrepaidHandler extends Handler
      return @sendNotFoundError(res) if not prepaid
      return @sendForbiddenError(res) if prepaid.get('creator').toString() isnt req.user.id
      return @sendForbiddenError(res) if _.size(prepaid.get('redeemers')) >= prepaid.get('maxRedeemers')
+      return @sendForbiddenError(res) unless prepaid.get('type') is 'course'
      User.findById(req.body.userID).exec (err, user) =>
        return @sendDatabaseError(res, err) if err
        return @sendNotFoundError(res, 'User for given ID not found') if not user
        userID = user.get('_id')
-        Prepaid.count {'redeemers.userID': userID}, (err, count) =>
-          return @sendDatabaseError(res, err) if err
-          return @sendSuccess(res, @formatEntity(req, prepaid)) if count
+#        Prepaid.count {'redeemers.userID': userID}, (err, count) =>
+#          return @sendDatabaseError(res, err) if err
+#          return @sendSuccess(res, @formatEntity(req, prepaid)) if count

-          query =
-            _id: prepaid.get('_id')
-            'redeemers.userID': { $ne: req.user.get('_id') }
-            $where: "this.redeemers.length < #{prepaid.get('maxRedeemers')}"
-          update = { $push: { redeemers : { date: new Date(), userID: userID } }}
-          Prepaid.update query, update, (err, nMatched) =>
+        query =
+          _id: prepaid.get('_id')
+          'redeemers.userID': { $ne: req.user.get('_id') }
+          $where: "this.redeemers.length < #{prepaid.get('maxRedeemers')}"
+        update = { $push: { redeemers : { date: new Date(), userID: userID } }}
+        Prepaid.update query, update, (err, nMatched) =>
+          return @sendDatabaseError(res, err) if err
+          if nMatched is 0
+            @logError(req.user, "POST prepaid redeemer lost race on maxRedeemers")
+            return @sendForbiddenError(res)
+            
+          user.set('coursePrepaidID', prepaid.get('_id'))
+          user.save (err, user) =>
            return @sendDatabaseError(res, err) if err
-            if nMatched is 0
-              @logError(req.user, "POST prepaid redeemer lost race on maxRedeemers")
-              return @sendForbiddenError(res)
-              
-            user.set('coursePrepaidID', prepaid.get('_id'))
-            user.save (err, user) =>
-              return @sendDatabaseError(res, err) if err
-              # return prepaid with new redeemer added locally
-              redeemers = _.clone(prepaid.get('redeemers') or [])
-              redeemers.push({ date: new Date(), userID: userID })
-              prepaid.set('redeemers', redeemers)
-              @sendSuccess(res, @formatEntity(req, prepaid))      
+            # return prepaid with new redeemer added locally
+            redeemers = _.clone(prepaid.get('redeemers') or [])
+            redeemers.push({ date: new Date(), userID: userID })
+            prepaid.set('redeemers', redeemers)
+            @sendSuccess(res, @formatEntity(req, prepaid))      

  createPrepaid: (user, type, maxRedeemers, properties, done) ->
    Prepaid.generateNewCode (code) =>
@ -237,7 +241,12 @@ PrepaidHandler = class PrepaidHandler extends Handler
    if creator = req.query.creator
      return @sendForbiddenError(res) unless req.user and (req.user.isAdmin() or creator is req.user.id)
      return @sendBadInputError(res, 'Bad creator') unless utils.isID creator
-      Prepaid.find {creator: mongoose.Types.ObjectId(creator)}, (err, prepaids) =>
+      q = {
+        _id: {$gt: cutoffID}
+        creator: mongoose.Types.ObjectId(creator),
+        type: 'course'
+      }
+      Prepaid.find q, (err, prepaids) =>
        return @sendDatabaseError(res, err) if err
        return @sendSuccess(res, (@formatEntity(req, prepaid) for prepaid in prepaids))
    else