fix: Only prevent fulfilled or pending order users from deletion (#7394)

fossasia · Oct 30, 2020 · 01d5972 · 01d5972
1 parent 6b504f7
commit 01d5972
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/app/api/users.py b/app/api/users.py
@@ -1,8 +1,10 @@
 import base64
+import logging
 
 from flask import Blueprint, abort, jsonify, make_response, request
 from flask_jwt_extended import current_user, verify_fresh_jwt_in_request
 from flask_rest_jsonapi import ResourceDetail, ResourceList, ResourceRelationship
+from sqlalchemy import or_
 from sqlalchemy.orm.exc import NoResultFound
 
 from app.api.bootstrap import api
@@ -31,13 +33,16 @@
 from app.models.feedback import Feedback
 from app.models.mail import PASSWORD_RESET_AND_VERIFY, USER_REGISTER_WITH_PASSWORD
 from app.models.notification import Notification
+from app.models.order import Order
 from app.models.session import Session
 from app.models.speaker import Speaker
 from app.models.ticket_holder import TicketHolder
 from app.models.user import User
 from app.models.users_events_role import UsersEventsRoles
 from app.settings import get_settings
 
+logger = logging.getLogger(__name__)
+
 user_misc_routes = Blueprint('user_misc', __name__, url_prefix='/v1')
 
 
@@ -284,7 +289,26 @@ def before_update_object(self, user, data, view_kwargs):
                             {'source': ''},
                             "Users associated with events cannot be deleted",
                         )
-                    if len(user.orders) != 0:
+                    # TODO(Areeb): Deduplicate the query. Present in video stream model as well
+                    order_exists = db.session.query(
+                        TicketHolder.query.filter_by(user=user)
+                        .join(Order)
+                        .filter(
+                            or_(
+                                Order.status == 'completed',
+                                Order.status == 'placed',
+                                Order.status == 'initializing',
+                                Order.status == 'pending',
+                            )
+                        )
+                        .exists()
+                    ).scalar()
+                    # If any pending or completed order exists, we cannot delete the user
+                    if order_exists:
+                        logger.warning(
+                            'User %s has pending or completed orders, hence cannot be deleted',
+                            user,
+                        )
                         raise ForbiddenError(
                             {'source': ''},
                             "Users associated with orders cannot be deleted",