Fix unsafe sales payment and deletion paths #71

Draft

cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-646c


Conversation


@cursor cursor Bot commented Jun 21, 2026


Bug and impact

  • The checkout UI exposed an unsupported credit payment method, and the backend persisted arbitrary payment strings without model/form validation. Selecting it completed a sale and decremented inventory without recording any supported payment, balance deduction, or receivable.
  • Viewing a sale detail page rewrote persisted historical sale totals as a GET side effect, which could corrupt completed-sale/payment history.
  • Draft sale item deletion was reachable via GET links, so navigation/prefetch/CSRF could delete line items and restock inventory.

Root cause

  • payment_method was assigned directly in sales views while SaleForm only validates remark.
  • sale_detail contained repair SQL in the read path.
  • sale_delete_item accepted all methods and updated sale/item/inventory without row locks.

Fix

  • Normalize legacy account to balance and reject unsupported payment methods before saving.
  • Remove the unsupported credit button from checkout.
  • Make sale detail read-only.
  • Require POST+CSRF for item deletion and perform deletion/restock/total updates inside a transaction with row locks.
  • Remove the hardcoded fallback sale amount.

Validation

  • mkdir -p logs && .venv/bin/python manage.py test inventory.tests.test_sale_status inventory.tests.test_sales_balance_payment inventory.tests.test_services.MemberServiceTest
  • mkdir -p logs && .venv/bin/python manage.py test inventory.tests.test_i18n

Both passed; only the existing staticfiles.W004 warning was reported.


Co-authored-by: Xianist Lab <zhtyyx@users.noreply.github.com>
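The hardening described in the Fix section, shown as an added, framework-free example that is not code from this pull request or from the project: payment methods are normalised and validated before anything is saved, the detail view is SELECT-only, and item deletion is refused unless the request is a POST and then runs inside a single locked transaction. The schema, the sample rows, the `cash` method and the `LookupError` path are constructed assumptions; in SQLite, `BEGIN IMMEDIATE` stands in for Django's `transaction.atomic()` with `select_for_update()` row locks, and the method check stands in for `@require_POST` (with Django's CSRF middleware then covering the POST).

```python
import sqlite3

# Assumed supported methods: the PR names "balance" and the legacy alias
# "account"; "cash" is an added assumption for illustration only.
SUPPORTED_PAYMENT_METHODS = frozenset({"cash", "balance"})
LEGACY_PAYMENT_ALIASES = {"account": "balance"}


class MethodNotAllowed(Exception):
    """Raised when a state-changing endpoint is hit with a non-POST method."""


def normalize_payment_method(raw):
    """Normalise legacy names and reject anything not explicitly supported.

    Validating before save is what stops an arbitrary string such as "credit"
    from being persisted and a sale from completing without a real payment.
    """
    value = str(raw).strip().lower()
    value = LEGACY_PAYMENT_ALIASES.get(value, value)
    if value not in SUPPORTED_PAYMENT_METHODS:
        raise ValueError(f"unsupported payment method: {raw!r}")
    return value


def open_store():
    """In-memory store with constructed sample data (not the project's schema)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.executescript(
        """
        CREATE TABLE inventory (product_id INTEGER PRIMARY KEY, stock INTEGER NOT NULL);
        CREATE TABLE sale (id INTEGER PRIMARY KEY, total INTEGER NOT NULL);
        CREATE TABLE sale_item (
            id INTEGER PRIMARY KEY, sale_id INTEGER NOT NULL, product_id INTEGER NOT NULL,
            qty INTEGER NOT NULL, line_total INTEGER NOT NULL
        );
        INSERT INTO inventory VALUES (1, 5), (2, 0);
        INSERT INTO sale VALUES (10, 130);
        INSERT INTO sale_item VALUES (100, 10, 1, 2, 30), (101, 10, 2, 1, 100);
        """
    )
    return conn


def sale_detail(conn, sale_id):
    """Read-only detail view: SELECT only, so a GET can never rewrite history."""
    total = conn.execute("SELECT total FROM sale WHERE id = ?", (sale_id,)).fetchone()[0]
    items = conn.execute(
        "SELECT id, product_id, qty, line_total FROM sale_item WHERE sale_id = ? ORDER BY id",
        (sale_id,),
    ).fetchall()
    return {"total": total, "items": items}


def stock_of(conn, product_id):
    """Current stock for one product (helper for checks below)."""
    return conn.execute(
        "SELECT stock FROM inventory WHERE product_id = ?", (product_id,)
    ).fetchone()[0]


def delete_sale_item(conn, http_method, item_id):
    """Delete one draft line item, restock it and fix the sale total atomically.

    The method check mirrors @require_POST; BEGIN IMMEDIATE takes the write
    lock up front, so no concurrent request can read or change these rows
    between the SELECT and the three UPDATE/DELETE statements.
    """
    if http_method != "POST":
        raise MethodNotAllowed("sale item deletion requires POST")
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT sale_id, product_id, qty, line_total FROM sale_item WHERE id = ?",
            (item_id,),
        ).fetchone()
        if row is None:
            raise LookupError(f"no sale item {item_id}")
        sale_id, product_id, qty, line_total = row
        conn.execute("DELETE FROM sale_item WHERE id = ?", (item_id,))
        conn.execute("UPDATE inventory SET stock = stock + ? WHERE product_id = ?", (qty, product_id))
        conn.execute("UPDATE sale SET total = total - ? WHERE id = ?", (line_total, sale_id))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")  # nothing partial survives: no restock without the total fix
        raise
    return sale_detail(conn, sale_id)
```

A GET against `delete_sale_item` raises before any statement runs, so a link prefetch or a cross-site request leaves stock and totals untouched; a failure after the DELETE (the `LookupError` path, or any database error) rolls the whole transaction back rather than leaving inventory restocked against a sale whose total was never corrected.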