[FIX] website_quote: prevent modifying the quote state if it's already been processed

Before this fix, it was possible to validate then cancel a quote (or the other way around) simply by using two tabs in your browser. From now on, we only validate/cancel a quote if it's the 'sent' state and advise the customer of the situation if he tries to abuse the process.

[FIX] website_quote: prevent modifying the quote state if it's already been processed
486cd330 · Damien Bouvy · 81418ec1 · 486cd330 · 486cd330 · 486cd330
Commit 486cd330 authored 9 years ago by Damien Bouvy
--- a/addons/website_quote/controllers/main.py
+++ b/addons/website_quote/controllers/main.py
@@ -64,6 +64,8 @@ class sale_quote(http.Controller):
        order = order_obj.browse(request.cr, SUPERUSER_ID, order_id)
        if token != order.access_token:
            return request.website.render('website.404')
+        if order.state != 'sent':
+            return False
        attachments=sign and [('signature.png', sign.decode('base64'))] or []
        order_obj.signal_workflow(request.cr, SUPERUSER_ID, [order_id], 'order_confirm', context=request.context)
        message = _('Order signed by %s') % (signer,)
@@ -76,6 +78,8 @@ class sale_quote(http.Controller):
        order = order_obj.browse(request.cr, SUPERUSER_ID, order_id)
        if token != order.access_token:
            return request.website.render('website.404')
+        if order.state != 'sent':
+            return werkzeug.utils.redirect("/quote/%s/%s?message=4" % (order_id, token))
        request.registry.get('sale.order').action_cancel(request.cr, SUPERUSER_ID, [order_id])
        message = post.get('decline_message')
        if message:

--- a/addons/website_quote/static/src/js/website_quotation.js
+++ b/addons/website_quote/static/src/js/website_quotation.js
@@ -63,8 +63,9 @@ website.if_dom_contains('div.o_website_quote', function () {
            'signer': signer_name,
            'sign': sign?JSON.stringify(sign[1]):false,
        }).then(function (data) {
+            var message_id = (data) ? 3 : 4;
            $('#modelaccept').modal('hide');
-            window.location.href = '/quote/'+order_id[1]+'/'+token+'?message=3';
+            window.location.href = '/quote/'+order_id[1]+'/'+token+'?message='+message_id;
        });
        return false;
    });

--- a/addons/website_quote/views/website_quotation.xml
+++ b/addons/website_quote/views/website_quotation.xml
@@ -252,6 +252,14 @@
                          and do not hesitate to <a href="#discussion">contact us</a> for
                          any question.
                      </div>
+                      <div class="alert alert-warning alert-dismissable" t-if="message==4 and quotation.state != 'sent'">
+                          <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&amp;times;</button>
+                          This order has already been 
+                            <t t-if="quotation.state=='cancel'">cancelled</t>
+                            <t t-if="quotation.state not in ('cancel','draft')">validated</t>
+                          ! You can <a href="#discussion">contact us</a> for
+                          any question.
+                      </div>
                      <a id="introduction"/>
                      <h1 class="page-header mt16">
                          <span t-if="quotation.state in ('draft','sent','cancel')">Your Quotation</span>