Add update expenses route

opencollective · Jun 7, 2016 · 698d1af · 698d1af
1 parent 3fea4ab
commit 698d1af
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/server/controllers/expenses.js b/server/controllers/expenses.js
@@ -28,7 +28,8 @@ module.exports = (app) => {
     const group = req.group;
     const attributes = Object.assign({}, req.required.expense, {
       UserId: user.id,
-      GroupId: group.id
+      GroupId: group.id,
+      lastEditedById: user.id
     });
     models.Expense.create(attributes)
       .then(expense => models.Expense.findById(expense.id, { include: [ models.Group, models.User ]}))
@@ -43,14 +44,45 @@ module.exports = (app) => {
 
   const deleteExpense = (req, res, next) => {
     const expense = req.expense;
+    const user = req.user;
 
     assertExpenseStatus(expense, status.PENDING)
+      .then(() => expense.lastEditedById = user.id)
+      .then(() => expense.save())
       .then(() => expense.destroy())
       .tap(expense => createActivity(expense, activities.GROUP_EXPENSE_DELETED))
       .tap(() => res.send({success: true}))
       .catch(next);
   };
 
+  const update = (req, res, next) => {
+    const origExpense = req.expense;
+    const newExpense = req.required.expense;
+    const modifiableProps = [
+      'amount',
+      'attachment',
+      'category',
+      'comment',
+      'createdAt',
+      'currency',
+      'notes',
+      'payoutMethod',
+      'tags',
+      'title',
+      'vat'
+    ];
+
+    assertExpenseStatus(origExpense, status.PENDING)
+      .tap(() => {
+        modifiableProps.forEach(prop => origExpense[prop] = newExpense[prop] || origExpense[prop]);
+        origExpense.updatedAt = new Date();
+        origExpense.lastEditedById = req.user.id;
+      })
+      .then(() => origExpense.save())
+      .tap(expense => res.send(expense.info))
+      .catch(next);
+  };
+
   /**
    * Approve or reject an expense.
    */
@@ -165,6 +197,7 @@ module.exports = (app) => {
   return {
     create,
     deleteExpense,
+    update,
     setApprovalStatus,
     pay
   };

diff --git a/server/routes.js b/server/routes.js
@@ -153,6 +153,7 @@ module.exports = (app) => {
   app.post('/groups/:groupid/transactions', commonLegacySecurityMw, required('transaction'), mw.getOrCreateUser, groups.createTransaction); // Create a transaction for a group.
 
   app.get('/groups/:groupid/transactions/:transactionid', aZ.authorizeAccessToGroup({authIfPublic: true}), aZ.authorizeGroupAccessToTransaction({authIfPublic: true}), groups.getTransaction); // Get a transaction.
+  // TODO remove #postmigration, replaced by PUT /groups/:groupid/expenses/:expenseid
   app.put('/groups/:groupid/transactions/:transactionid', aZ.authorizeAccessToGroup(), aZ.authorizeGroupAccessToTransaction(), required('transaction'), groups.updateTransaction); // Update a transaction.
   // TODO remove #postmigration, replaced by DEL /groups/:groupid/expenses/:expenseid
   app.delete('/groups/:groupid/transactions/:transactionid', aZ.authorizeAccessToGroup({userRoles: [HOST], bypassUserRolesCheckIfAuthenticatedAsAppAndNotUser: true}), aZ.authorizeGroupAccessToTransaction(), groups.deleteTransaction); // Delete a transaction.
@@ -171,6 +172,7 @@ module.exports = (app) => {
   // TODO refactor with single route using authentication.js and authorization.js middleware
   app.post('/groups/:groupid/expenses', commonLegacySecurityMw, mw.authorizeIfGroupPublic, mw.authorizeAuthUserOrApp, mw.authorizeGroup, required('expense'), mw.getOrCreateUser, expenses.create); // Create an expense.
   app.post('/groups/:groupid/expenses', commonLegacySecurityMw, required('expense'), mw.getOrCreateUser, expenses.create); // Create an expense.
+  app.put('/groups/:groupid/expenses/:expenseid', aZ.authorizeAccessToGroup(), aZ.authorizeGroupAccessTo('expense'), required('expense'), expenses.update); // Update an expense.
   // TODO is option bypassUserRolesCheckIfAuthenticatedAsAppAndNotUser present in DEL /groups/:id/transactions/:id really needed?
   app.delete('/groups/:groupid/expenses/:expenseid', aZ.authorizeAccessToGroup({userRoles: [HOST]}), aZ.authorizeGroupAccessTo('expense'), expenses.deleteExpense); // Delete an expense.
   app.post('/groups/:groupid/expenses/:expenseid/approve', aZ.authorizeAccessToGroup(), aZ.authorizeGroupAccessTo('expense'), required('approved'), expenses.setApprovalStatus); // Approve an expense.