From 50c7ec0cda2c827ba61561b49f915003683ed039 Mon Sep 17 00:00:00 2001
From: MaysWind
Date: Sat, 13 Mar 2021 17:23:37 +0800
Subject: [PATCH] verify whether user can delete transaction with specified time when deleting transaction
---
pkg/api/transactions.go | 28 ++++++++++++++++++++++++++++
pkg/errs/transaction.go | 1 +
pkg/models/transaction.go | 3 ++-
src/lib/services.js | 4 +++-
src/locales/en.js | 1 +
src/locales/zh_Hans.js | 1 +
6 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/pkg/api/transactions.go b/pkg/api/transactions.go
index c19c89b9..f56518dd 100644
--- a/pkg/api/transactions.go
+++ b/pkg/api/transactions.go
@@ -498,6 +498,34 @@ func (a *TransactionsApi) TransactionDeleteHandler(c *core.Context) (interface{} } uid := c.GetCurrentUid() + user, err := a.users.GetUserById(uid) + + if err != nil { + if !errs.IsCustomError(err) { + log.ErrorfWithRequestId(c, "[transactions.TransactionDeleteHandler] failed to get user, because %s", err.Error()) + } + + return nil, errs.ErrUserNotFound + } + + transaction, err := a.transactions.GetTransactionByTransactionId(uid, transactionDeleteReq.Id) + + if err != nil { + log.ErrorfWithRequestId(c, "[transactions.TransactionDeleteHandler] failed to get transaction \"id:%d\" for user \"uid:%d\", because %s", transactionDeleteReq.Id, uid, err.Error()) + return nil, errs.Or(err, errs.ErrOperationFailed) + } + + if transaction.Type == models.TRANSACTION_DB_TYPE_TRANSFER_IN { + log.WarnfWithRequestId(c, "[transactions.TransactionDeleteHandler] cannot delete transaction \"id:%d\" for user \"uid:%d\", because transaction type is transfer in", transactionDeleteReq.Id, uid) + return nil, errs.ErrTransactionTypeInvalid + } + + transactionEditable := user.CanEditTransactionByTransactionTime(transaction.TransactionTime, transactionDeleteReq.UtcOffset) + + if !transactionEditable { + return nil, errs.ErrCannotDeleteTransactionWithThisTransactionTime + } + err = a.transactions.DeleteTransaction(uid, transactionDeleteReq.Id) if err != nil { diff --git a/pkg/errs/transaction.go b/pkg/errs/transaction.go index 477a7649..372b1cd5 100644 --- a/pkg/errs/transaction.go +++ b/pkg/errs/transaction.go 
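Review bot: The time-window denial at the end of the added block (`if !transactionEditable { return nil, errs.ErrCannotDeleteTransactionWithThisTransactionTime }`) returns without a log line, while the transfer-in rejection just above it logs a warning with the transaction id and uid. A refused delete outside the editable window is an event worth having in the audit trail, so I would add `log.WarnfWithRequestId(c, "[transactions.TransactionDeleteHandler] cannot delete transaction \"id:%d\" for user \"uid:%d\", because transaction time is not editable", transactionDeleteReq.Id, uid)` before that return. The decision also rests on `transactionDeleteReq.UtcOffset`, which the caller supplies, so the window can be shifted by whatever offset the request claims within the validated range; a short comment stating that limit, or including the offset in the log line, would make it explicit. The lookup and `DeleteTransaction` are separate calls, so unless `DeleteTransaction` re-checks the transaction inside its own database transaction (not visible here) the check is not atomic with the delete. The handler starts and ends outside the hunk.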
@@ -20,4 +20,5 @@ var ( ErrCannotDeleteTransactionInHiddenAccount = NewNormalError(NormalSubcategoryTransaction, 13, http.StatusBadRequest, "cannot delete transaction in hidden account") ErrCannotCreateTransactionWithThisTransactionTime = NewNormalError(NormalSubcategoryTransaction, 14, http.StatusBadRequest, "cannot add transaction with this transaction time") ErrCannotModifyTransactionWithThisTransactionTime = NewNormalError(NormalSubcategoryTransaction, 15, http.StatusBadRequest, "cannot modify transaction with this transaction time") + ErrCannotDeleteTransactionWithThisTransactionTime = NewNormalError(NormalSubcategoryTransaction, 16, http.StatusBadRequest, "cannot delete transaction with this transaction time") ) diff --git a/pkg/models/transaction.go b/pkg/models/transaction.go index 46d5c464..6f257675 100644 --- a/pkg/models/transaction.go +++ b/pkg/models/transaction.go @@ -112,7 +112,8 @@ type TransactionGetRequest struct { // TransactionDeleteRequest represents all parameters of transaction deleting request type TransactionDeleteRequest struct { - Id int64 `json:"id,string" binding:"required,min=1"` + Id int64 `json:"id,string" binding:"required,min=1"` + UtcOffset int `form:"utc_offset" binding:"required,min=-720,max=840"` } // TransactionInfoResponse represents a view-object of transaction diff --git a/src/lib/services.js b/src/lib/services.js index d09f3689..d01652b0 100644 --- a/src/lib/services.js +++ b/src/lib/services.js @@ -288,8 +288,10 @@ export default { }); }, deleteTransaction: ({ id }) => { + const utcOffset = utils.getTimezoneOffsetMinutes(); return axios.post('v1/transactions/delete.json', { - id + id, + utcOffset }); }, getAllTransactionCategories: () => { diff --git a/src/locales/en.js b/src/locales/en.js index 8e11b2a8..7ed4d94c 100644 --- a/src/locales/en.js +++ b/src/locales/en.js 
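Review bot: In the pkg/models/transaction.go hunk, `UtcOffset` is a plain `int` tagged `binding:"required,..."`. If the `binding` tags are evaluated by go-playground/validator (as in gin), `required` fails on the zero value, so a client at UTC+0 sending `0` would have every delete rejected as invalid. The field also carries `form:"utc_offset"` while `Id` beside it is bound from JSON and the src/lib/services.js hunk posts the value in the JSON body as `utcOffset`; decoding presumably succeeds only through encoding/json's case-insensitive field-name match. I would tag the field `json:"utcOffset" binding:"min=-720,max=840"`, or make it `*int` if a missing offset must be told apart from zero.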
@@ -548,6 +548,7 @@ export default { 'cannot delete transaction in hidden account': 'You cannot delete transaction in an hidden account', 'cannot add transaction with this transaction time': 'You cannot add transaction with this transaction time', 'cannot modify transaction with this transaction time': 'You cannot modify this transaction with this transaction time', + 'cannot delete transaction with this transaction time': 'You cannot delete this transaction with this transaction time', 'transaction category id is invalid': 'Transaction category ID is invalid', 'transaction category not found': 'Transaction category is not found', 'transaction category type is invalid': 'Transaction category type is invalid', diff --git a/src/locales/zh_Hans.js b/src/locales/zh_Hans.js index 9ba0f5cd..922b078c 100644 --- a/src/locales/zh_Hans.js +++ b/src/locales/zh_Hans.js @@ -548,6 +548,7 @@ export default { 'cannot delete transaction in hidden account': '您不能删除隐藏账户中的交易', 'cannot add transaction with this transaction time': '您不能添加该交易时间的交易', 'cannot modify transaction with this transaction time': '您不能修改该交易时间的交易', + 'cannot delete transaction with this transaction time': '您不能删除该交易时间的交易', 'transaction category id is invalid': '交易分类ID无效', 'transaction category not found': '交易分类不存在', 'transaction category type is invalid': '交易分类类型无效',