Fix critical sales and log regressions #70

Draft
cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-d922

@cursor cursor Bot commented Jun 20, 2026

Bug and impact

  • Viewing a sale detail page could rewrite persisted historical sale totals, causing completed sales, member spend, and transaction records to diverge.
  • Draft sale item deletion was reachable via GET and was not protected by row locks, allowing accidental/CSRF-triggered inventory restoration and item deletion.
  • Unsupported payment methods such as credit could complete sales without backend settlement handling.
  • Log file download/delete attempted to create admin log entries with content_type_id=0, causing those admin operations to fail.

Root cause

  • Read-only sale detail rendering contained auto-repair SQL writes.
  • Delete links used GET and the view performed inventory/item mutations outside an atomic locked section.
  • Payment method values from POST were assigned without validating against backend-supported choices.
  • Custom admin log entries used an invalid content type foreign key.

Fix

  • Made sale detail rendering read-only.
  • Restricted sale item deletion to POST with CSRF form markup and transaction/row locks.
  • Added payment method normalization/validation while preserving legacy account -> balance alias.
  • Replaced invalid log content_type_id=0 with nullable content type entries.
  • Removed the fixed 855.33 sale amount fallback in favor of rejecting invalid totals.

Validation

  • mkdir -p logs && .venv/bin/python manage.py test inventory.tests.test_sale_status inventory.tests.test_sales_balance_payment inventory.tests.test_views.BackupViewSecurityTest inventory.tests.test_views.LogFileViewTest inventory.tests.test_services.MemberServiceTest
  • Result: 19 tests OK; only existing staticfiles.W004 warning for missing /workspace/static.

Co-authored-by: Xianist Lab <zhtyyx@users.noreply.github.com>
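
The payment-method and sale-total checks described in the Fix list, as an added example that is not code from this pull request: POSTed values are checked against an allow-list after the legacy `account` -> `balance` alias is applied, and an unparseable total is rejected rather than replaced by a fallback. The field names `payment_method` and `total_amount`, the `cash` entry in the supported set, and the function names are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Assumption: methods the backend can settle. The PR names only "balance"
# (supported) and "credit" (unsupported); "cash" is illustrative.
SUPPORTED_METHODS = frozenset({"cash", "balance"})
# Legacy alias the PR says it preserves: account -> balance.
LEGACY_ALIASES = {"account": "balance"}


class SaleValidationError(ValueError):
    """Raised when POSTed sale-completion data must be rejected."""


def normalize_payment_method(raw):
    """Map a POSTed value to a supported method, or raise."""
    if not isinstance(raw, str):
        raise SaleValidationError("payment method missing")
    value = raw.strip().lower()
    value = LEGACY_ALIASES.get(value, value)
    if value not in SUPPORTED_METHODS:
        raise SaleValidationError(f"unsupported payment method: {raw!r}")
    return value


def parse_sale_total(raw):
    """Parse a total strictly; never substitute a fixed fallback amount."""
    try:
        total = Decimal(str(raw).strip())
    except InvalidOperation:
        raise SaleValidationError(f"invalid total: {raw!r}") from None
    # NaN and Infinity parse successfully, so check finiteness before comparing.
    if not total.is_finite() or total <= 0:
        raise SaleValidationError(f"invalid total: {raw!r}")
    return total


def validate_completion(post):
    """Validate a dict standing in for request.POST (constructed input)."""
    return {
        "payment_method": normalize_payment_method(post.get("payment_method")),
        "total": parse_sale_total(post.get("total_amount")),
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from the project.
    print(validate_completion({"payment_method": "account", "total_amount": "12.50"}))
```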