From 5e2d5e659c5b902282747cf9172fa2b408505fac Mon Sep 17 00:00:00 2001
From: redfast00 <redfast00@gmail.com>
Date: Wed, 11 Sep 2019 16:44:36 +0200
Subject: [PATCH] Convert forms to POST requests, fix euro filter, fix user
 close debt

---
 app/app.py               |  4 ++--
 app/templates/order.html | 28 +++++++++++++++++++++++-----
 app/views/order.py       | 14 +++++++-------
 3 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/app/app.py b/app/app.py
index a861709..8eec72c 100644
--- a/app/app.py
+++ b/app/app.py
@@ -155,8 +155,8 @@ def add_template_filters(app: Flask) -> None:
         return str(datetime.now().year)
 
     @app.template_filter("euro")
-    def euro(value: int) -> None:
-        euro_string(value)
+    def euro(value: int) -> str:
+        return euro_string(value)
 
 
 # For usage when you directly call the script with python
diff --git a/app/templates/order.html b/app/templates/order.html
index 8104e26..4096df4 100644
--- a/app/templates/order.html
+++ b/app/templates/order.html
@@ -11,14 +11,18 @@
         <h3 id="order-title">Order {{ order.id }}
         <div class="pull-right">
             {% if order.can_close(current_user.id) -%}
-                <a class="btn btn-danger" href="{{ url_for('order_bp.close_order', id=order.id) }}">Close</a>
+            <form action="{{ url_for('order_bp.close_order', id=order.id) }}" method="post" style="display:inline">
+                <input type="submit" class="btn btn-danger" value="Close"></input>
+            </form>
             {% endif %}{% if courier_or_admin %}
                 <a class="btn btn-warning" href="{{ url_for('order_bp.order_edit', id=order.id) }}">Edit</a>
         {%- endif %}
         </div></h3>
         courier: {{ order.courrier.username }}
         {% if order.courrier == None and not current_user.is_anonymous() %}
-            <a href="{{ url_for('order_bp.volunteer', id=order.id) }}" class="btn btn-primary btn-sm">Volunteer</a>
+        <form action="{{ url_for('order_bp.volunteer', id=order.id) }}" method="post" style="display:inline">
+            <input type="submit" class="btn btn-primary btn-sm" value="Volunteer"></input>
+        </form>
         {% endif %}
         <br/>
         location: <a href="{{ order.location.website }}">{{ order.location.name }}</a><br/>
@@ -76,8 +80,18 @@
                     <td>{{ item.get_name() }}</td>
                     <td><span title="{{ item.extra if item.extra }}">{{ item.product.name }}{{ "*" if item.extra }}</span></td>
                     <td>{{ item.product.price|euro }}</td>
-                    {% if courier_or_admin %}<td>{% if not item.paid %} <a class="btn btn-xs btn-primary" href="{{ url_for('order_bp.item_paid', order_id=order.id, item_id=item.id) }}">Pay</a> {% else %} <span class="glyphicon glyphicon-chevron-down"></span> {% endif %}</td>{% endif %}
-                    <td>{% if item.can_delete(order.id, current_user.id, session.get('anon_name', '')) -%}<a href="{{ url_for('order_bp.delete_item', order_id=order.id, item_id=item.id) }}"><span class="glyphicon glyphicon-remove"></span></a>{%- endif %}<br/></td>
+                    {% if courier_or_admin %}<td>{% if not item.paid %}
+                      <form action="{{ url_for('order_bp.item_paid', order_id=order.id, item_id=item.id) }}" method="post" style="display:inline">
+                          <input type="submit" class="btn btn-xs btn-primary" value="Pay"></input>
+                      </form>
+                    {% else %} <span class="glyphicon glyphicon-chevron-down"></span>
+                    {% endif %}</td>
+                    {% endif %}
+                    <td>{% if item.can_delete(order.id, current_user.id, session.get('anon_name', '')) -%}
+                      <form action="{{ url_for('order_bp.delete_item', order_id=order.id, item_id=item.id) }}" method="post" style="display:inline">
+                          <button class="btn btn-link" type="submit"><span class="glyphicon glyphicon-remove"></span></button>
+                      </form>
+                    {%- endif %}<br/></td>
                 </tr>
             {%- endfor %}
             </tbody>
@@ -113,7 +127,11 @@
                         <td>{{ key }}</td>
                         <td>{{ value["total"]|euro }}</td>
                         <td>{{ value["to_pay"]|euro }}</td>
-                        {% if courier_or_admin %}<td>{% if not value["to_pay"] == 0 %} <a class="btn btn-xs btn-primary" href="{{ url_for('order_bp.items_user_paid', order_id=order.id, user_name=key) }}">Pay</a> {% else %} <span class="glyphicon glyphicon-chevron-down"></span> {% endif %}</td>{% endif %}
+                        {% if courier_or_admin %}<td>{% if not value["to_pay"] == 0 %}
+                          <form action="{{ url_for('order_bp.items_user_paid', order_id=order.id, user_name=key) }}" method="post" style="display:inline">
+                              <input type="submit" class="btn btn-xs btn-primary" value="Pay"></input>
+                          </form>
+                          {% else %} <span class="glyphicon glyphicon-chevron-down"></span> {% endif %}</td>{% endif %}
                     </tr>
                 {%- endfor %}
                 </tbody>
diff --git a/app/views/order.py b/app/views/order.py
index 1d011b2..b9d4b16 100644
--- a/app/views/order.py
+++ b/app/views/order.py
@@ -119,7 +119,7 @@ def order_item_create(id: int) -> typing.Any:
     return order(id, form=form)
 
 
-@order_bp.route("/<order_id>/<item_id>/paid")
+@order_bp.route("/<order_id>/<item_id>/paid", methods=["POST"])
 @login_required
 def item_paid(order_id: int, item_id: int) -> typing.Optional[Response]:
     item = OrderItem.query.filter(OrderItem.id == item_id).first()
@@ -132,7 +132,7 @@ def item_paid(order_id: int, item_id: int) -> typing.Optional[Response]:
     abort(404)
 
 
-@order_bp.route("/<order_id>/<user_name>/user_paid")
+@order_bp.route("/<order_id>/<user_name>/user_paid", methods=["POST"])
 @login_required
 def items_user_paid(order_id: int, user_name: str) -> typing.Optional[Response]:
     user = User.query.filter(User.username == user_name).first()
@@ -140,11 +140,11 @@ def items_user_paid(order_id: int, user_name: str) -> typing.Optional[Response]:
     if user:
         items = OrderItem.query.filter(
             (OrderItem.user_id == user.id) & (OrderItem.order_id == order_id)
-        )
+        ).all()
     else:
         items = OrderItem.query.filter(
             (OrderItem.name == user_name) & (OrderItem.order_id == order_id)
-        )
+        ).all()
     current_order = Order.query.filter(Order.id == order_id).first()
     for item in items:
         print(item)
@@ -157,7 +157,7 @@ def items_user_paid(order_id: int, user_name: str) -> typing.Optional[Response]:
     abort(404)
 
 
-@order_bp.route("/<order_id>/<item_id>/delete")
+@order_bp.route("/<order_id>/<item_id>/delete", methods=["POST"])
 def delete_item(order_id: int, item_id: int) -> typing.Any:
     # type is 'typing.Optional[Response]', but this errors due to
     #   https://github.com/python/mypy/issues/7187
@@ -175,7 +175,7 @@ def delete_item(order_id: int, item_id: int) -> typing.Any:
     abort(404)
 
 
-@order_bp.route("/<id>/volunteer")
+@order_bp.route("/<id>/volunteer", methods=["POST"])
 @login_required
 def volunteer(id: int) -> Response:
     order = Order.query.filter(Order.id == id).first()
@@ -190,7 +190,7 @@ def volunteer(id: int) -> Response:
     return redirect(url_for("order_bp.order", id=id))
 
 
-@order_bp.route("/<id>/close")
+@order_bp.route("/<id>/close", methods=["POST"])
 @login_required
 def close_order(id: int) -> typing.Optional[Response]:
     order = Order.query.filter(Order.id == id).first()