Disallow users to unregister when payment is done (#802)

added 400 status code for deleting paid registration
TIHLDE · May 1, 2024 · e597268 · e597268
1 parent 8a3cfd4
commit e597268
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/app/content/views/registration.py b/app/content/views/registration.py
@@ -24,6 +24,7 @@
 from app.content.util.event_utils import start_payment_countdown
 from app.payment.enums import OrderStatus
 from app.payment.models.order import Order
+from app.payment.util.order_utils import has_paid_order
 
 
 class RegistrationViewSet(APIRegistrationErrorsMixin, BaseViewSet):
@@ -121,11 +122,27 @@ def destroy(self, request, *args, **kwargs):
 
     def _unregister(self, registration):
         self._log_on_destroy(registration)
+
+        if self._registration_is_paid(registration):
+            return Response(
+                {
+                    "detail": "Du kan ikke melde deg av et arrangement du har betalt for."
+                },
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
         registration.delete()
         return Response(
             {"detail": "Du har blitt meldt av arrangementet"}, status=status.HTTP_200_OK
         )
 
+    def _registration_is_paid(self, registration):
+        event = registration.event
+        if event.is_paid_event:
+            orders = event.orders.filter(user=registration.user)
+            return has_paid_order(orders)
+        return False
+
     def _admin_unregister(self, registration):
         self._log_on_destroy(registration)
         registration.admin_unregister()

diff --git a/app/tests/content/test_registration_integration.py b/app/tests/content/test_registration_integration.py
@@ -10,6 +10,7 @@
 from app.forms.enums import EventFormType
 from app.forms.tests.form_factories import EventFormFactory, SubmissionFactory
 from app.group.factories import GroupFactory
+from app.payment.enums import OrderStatus
 from app.util.test_utils import add_user_to_group_with_name, get_api_client
 from app.util.utils import now
 
@@ -1031,3 +1032,40 @@ def test_add_registration_to_event_as_member(member, event):
     response = client.post(url, data)
 
     assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    ("order_status", "status_code"),
+    [
+        (OrderStatus.SALE, status.HTTP_400_BAD_REQUEST),
+        (OrderStatus.CAPTURE, status.HTTP_400_BAD_REQUEST),
+        (OrderStatus.RESERVED, status.HTTP_400_BAD_REQUEST),
+        (OrderStatus.CANCEL, status.HTTP_200_OK),
+        (OrderStatus.INITIATE, status.HTTP_200_OK),
+        (OrderStatus.REFUND, status.HTTP_200_OK),
+        (OrderStatus.VOID, status.HTTP_200_OK),
+    ],
+)
+def test_delete_registration_with_paid_order_as_self(
+    member, event, order, paid_event, order_status, status_code
+):
+    """
+    A member should not be able to delete their registration if they have a paid order.
+    """
+
+    order.status = order_status
+    order.event = event
+    order.user = member
+    order.save()
+
+    paid_event.event = event
+    paid_event.save()
+
+    registration = RegistrationFactory(user=member, event=event)
+    client = get_api_client(user=member)
+
+    url = _get_registration_detail_url(registration)
+    response = client.delete(url)
+
+    assert response.status_code == status_code