Add POST /db/prepaid/:id/redeemers

server/prepaids/prepaid_handler.coffee

@@ -2,6 +2,7 @@ Course = require '../courses/Course'
 Handler = require '../commons/Handler'
 hipchat = require '../hipchat'
 Prepaid = require './Prepaid'
+User = require '../users/User'
 StripeUtils = require '../lib/stripe_utils'
 utils = require '../../app/core/utils'
 
@@ -26,6 +27,7 @@ PrepaidHandler = class PrepaidHandler extends Handler
     return @getPrepaidAPI(req, res, args[2]) if relationship is 'code'
     return @createPrepaidAPI(req, res) if relationship is 'create'
     return @purchasePrepaidAPI(req, res) if relationship is 'purchase'
+    return @postRedeemerAPI(req, res, args[0]) if relationship is 'redeemers'
     super arguments...
 
   getPrepaidAPI: (req, res, code) ->
@@ -61,6 +63,30 @@ PrepaidHandler = class PrepaidHandler extends Handler
       return @sendDatabaseError(res, err) if err
       @sendSuccess(res, prepaid.toObject())
 
+  postRedeemerAPI: (req, res, prepaidID) ->
+    return @sendMethodNotAllowed(res, 'You may only POST redeemers.') if req.method isnt 'POST'
+    return @sendBadInputError(res, 'Need an object with a userID') unless req.body?.userID
+    Prepaid.findById(prepaidID).exec (err, prepaid) =>
+      return @sendDatabaseError(res, err) if err
+      return @sendNotFoundError(res) if not prepaid
+      return @sendForbiddenError(res) if prepaid.get('creator').toString() isnt req.user.id
+      return @sendForbiddenError(res) if _.size(prepaid.get('redeemers')) >= prepaid.get('maxRedeemers')
+      User.findById(req.body.userID).exec (err, user) =>
+        return @sendDatabaseError(res, err) if err
+        return @sendNotFoundError(res, 'User for given ID not found') if not user
+        userID = user.get('_id')
+        Prepaid.count {'redeemers.userID': userID}, (err, count) =>
+          return @sendDatabaseError(res, err) if err
+          return @sendSuccess(res, @formatEntity(req, prepaid)) if count
+          redeemers = _.clone(prepaid.get('redeemers') or [])
+          redeemers.push({ date: new Date(), userID: userID })
+          prepaid.set('redeemers', redeemers)
+          # Not worrying about race conditions. Worst case: overwrite one user with another.
+          # You can't end up with more than maxRedeemers in the list of redeemers.
+          prepaid.save (err, prepaid) =>
+            return @sendDatabaseError(res, err) if err
+            @sendSuccess(res, @formatEntity(req, prepaid))      
+
   createPrepaid: (user, type, maxRedeemers, properties, done) ->
     Prepaid.generateNewCode (code) =>
       return done('Database error.') unless code

test/server/functional/prepaid.spec.coffee

@@ -30,6 +30,89 @@ describe '/db/prepaid', ->
     expect(prepaid.properties?.couponID).toEqual('free')
     done()
 
+  it 'Clear database', (done) ->
+    clearModels [Course, CourseInstance, Payment, Prepaid, User], (err) ->
+      throw err if err
+      done()
+      
+  describe 'POST /db/prepaid/<id>/redeemers', ->
+
+    it 'adds a given user to the redeemers property', (done) ->
+      loginNewUser (user1) ->
+        prepaid = new Prepaid({
+          maxRedeemers: 1,
+          redeemers: [],
+          creator: user1.get('_id')
+          code: 0
+        })
+        prepaid.save (err, prepaid) ->
+          otherUser = new User()
+          otherUser.save (err, otherUser) ->
+            url = getURL("/db/prepaid/#{prepaid.id}/redeemers")
+            redeemer = { userID: otherUser.id }
+            request.post {uri: url, json: redeemer }, (err, res, body) ->
+              expect(body.redeemers.length).toBe(1)
+              expect(res.statusCode).toBe(200)
+              done()
+              
+    it 'does not allow more redeemers than maxRedeemers', (done) ->
+      loginNewUser (user1) ->
+        prepaid = new Prepaid({
+          maxRedeemers: 0,
+          redeemers: [],
+          creator: user1.get('_id')
+          code: 1
+        })
+        prepaid.save (err, prepaid) ->
+          otherUser = new User()
+          otherUser.save (err, otherUser) ->
+            url = getURL("/db/prepaid/#{prepaid.id}/redeemers")
+            redeemer = { userID: otherUser.id }
+            request.post {uri: url, json: redeemer }, (err, res, body) ->
+              expect(res.statusCode).toBe(403)
+              done()
+
+    it 'only allows the owner of the prepaid to add redeemers', (done) ->
+      loginNewUser (user1) ->
+        prepaid = new Prepaid({
+          maxRedeemers: 1000,
+          redeemers: [],
+          creator: user1.get('_id')
+          code: 2
+        })
+        prepaid.save (err, prepaid) ->
+          loginNewUser (user2) ->
+            otherUser = new User()
+            otherUser.save (err, otherUser) ->
+              url = getURL("/db/prepaid/#{prepaid.id}/redeemers")
+              redeemer = { userID: otherUser.id }
+              request.post {uri: url, json: redeemer }, (err, res, body) ->
+                expect(res.statusCode).toBe(403)
+                done()
+            
+    it 'is idempotent across prepaids collection', (done) ->
+      loginNewUser (user1) ->
+        otherUser = new User()
+        otherUser.save (err, otherUser) ->
+          prepaid1 = new Prepaid({
+            redeemers: [{userID: otherUser.get('_id')}],
+            code: 3
+          })
+          prepaid1.save (err, prepaid1) ->
+            prepaid2 = new Prepaid({
+              maxRedeemers: 10,
+              redeemers: [],
+              creator: user1.get('_id')
+              code: 4
+            })
+            prepaid2.save (err, prepaid2) ->
+              url = getURL("/db/prepaid/#{prepaid2.id}/redeemers")
+              redeemer = { userID: otherUser.id }
+              request.post {uri: url, json: redeemer }, (err, res, body) ->
+                expect(res.statusCode).toBe(200)
+                expect(body.redeemers.length).toBe(0)
+                done()
+
   it 'Clear database', (done) ->
     clearModels [Course, CourseInstance, Payment, Prepaid, User], (err) ->
       throw err if err