
Fix destructive sales and log audit regressions#78

Draft
cursor[bot] wants to merge 1 commit into
main from cursor/critical-bug-investigation-9742

Conversation

@cursor

@cursor cursor Bot commented Jun 28, 2026


Bug and impact

  • The POS UI submitted an unsupported credit payment method that the backend accepted as a completed sale, decrementing inventory and recording revenue without any receivable or balance deduction.
  • Sale detail GET requests rewrote persisted historical sale totals, which could desynchronize completed sales from member balance transactions and reports.
  • Sale item deletion was a GET side effect without transactional row locks, allowing accidental/CSRF deletion and stock restoration.
  • Log download/delete admin actions used content_type_id=0, causing audit log foreign-key failures; delete could remove the file but report failure with no audit entry.

Root cause

  • Payment methods from POST were not validated against Sale.PAYMENT_METHODS.
  • Read-only detail rendering included corrective writeback SQL.
  • Destructive sale item deletion did not require POST/CSRF and updated related rows outside a transaction.
  • Custom admin LogEntry records used an invalid content type id instead of nullable content type.

Fix

  • Normalize and validate sale payment methods, preserve legacy account -> balance, remove the unimplemented credit checkout button, and deduct mixed-payment balance portions.
  • Make sale detail rendering read-only.
  • Require POST for sale item deletion and perform deletion/restock/total recalculation under row locks.
  • Use nullable LogEntry.content_type for log file download/delete audit records.
  • Added regression tests for these scenarios.

Validation

  • mkdir -p logs && .venv/bin/python manage.py test inventory.tests.test_sales_balance_payment inventory.tests.test_sale_status inventory.tests.test_views.LogFileViewTest
  • mkdir -p logs && .venv/bin/python manage.py test inventory.tests.test_views.BackupViewSecurityTest inventory.tests.test_services.MemberServiceTest
  • .venv/bin/python manage.py check

Only the existing staticfiles.W004 warning about missing /workspace/static was reported.


Co-authored-by: Xianist Lab <zhtyyx@users.noreply.github.com>
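The three server-side fixes this PR describes (validate the submitted payment method against the allowed choices with the legacy `account` alias mapped to `balance`, deduct only the balance portion of a mixed payment, and perform sale item deletion plus restock plus total recalculation as one locked unit of work that only a POST may trigger) can be shown without the project's Django models. The following is an added example written for this page, not code from the PR or the repository: it uses only the standard library, an in-memory SQLite database with `BEGIN IMMEDIATE` standing in for Django's row locks, and an assumed `PAYMENT_METHODS` set, a constructed schema and constructed seed rows, none of which come from the page.

```python
import sqlite3

# Assumption: the PR only says methods are validated against Sale.PAYMENT_METHODS;
# the real choice values are not on the page, so these are stand-ins.
PAYMENT_METHODS = {"cash", "balance", "mixed"}
LEGACY_ALIASES = {"account": "balance"}   # legacy account -> balance, as the PR describes


def normalize_payment_method(raw):
    """Reject anything the backend does not implement (e.g. the old 'credit' button)."""
    if raw is None:
        raise ValueError("payment method is required")
    method = raw.strip().lower()
    method = LEGACY_ALIASES.get(method, method)
    if method not in PAYMENT_METHODS:
        raise ValueError(f"unsupported payment method: {raw!r}")
    return method


def split_mixed_payment(total_cents, balance_portion_cents, member_balance_cents):
    """Return (balance_deduction, cash_due) for a mixed sale; amounts are integer cents."""
    if not 0 <= balance_portion_cents <= total_cents:
        raise ValueError("balance portion must be between 0 and the sale total")
    if balance_portion_cents > member_balance_cents:
        raise ValueError("balance portion exceeds the member's balance")
    return balance_portion_cents, total_cents - balance_portion_cents


def make_db():
    """Constructed schema and seed data: one product, one sale with two items."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions only
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, stock INTEGER NOT NULL);
        CREATE TABLE sales (id INTEGER PRIMARY KEY, total INTEGER NOT NULL);
        CREATE TABLE sale_items (
            id INTEGER PRIMARY KEY, sale_id INTEGER NOT NULL, product_id INTEGER NOT NULL,
            qty INTEGER NOT NULL, unit_price INTEGER NOT NULL);
        INSERT INTO products VALUES (1, 10);
        INSERT INTO sales VALUES (1, 1100);
        INSERT INTO sale_items VALUES (1, 1, 1, 2, 300), (2, 1, 1, 1, 500);
        """
    )
    return conn


def sale_total(conn, sale_id):
    return conn.execute("SELECT total FROM sales WHERE id = ?", (sale_id,)).fetchone()[0]


def product_stock(conn, product_id):
    return conn.execute("SELECT stock FROM products WHERE id = ?", (product_id,)).fetchone()[0]


def delete_sale_item(conn, item_id, http_method="POST"):
    """Delete an item, restore stock and recalculate the sale total atomically.

    Refusing GET is what stops a link prefetch or a cross-site <img> from
    deleting rows; the write lock keeps restock and total in step with the delete.
    Returns (new_sale_total, new_product_stock).
    """
    if http_method != "POST":
        raise PermissionError("sale item deletion requires POST")
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading the row
    try:
        row = conn.execute(
            "SELECT sale_id, product_id, qty FROM sale_items WHERE id = ?", (item_id,)
        ).fetchone()
        if row is None:
            raise LookupError(f"sale item {item_id} does not exist")
        sale_id, product_id, qty = row
        conn.execute("UPDATE products SET stock = stock + ? WHERE id = ?", (qty, product_id))
        conn.execute("DELETE FROM sale_items WHERE id = ?", (item_id,))
        conn.execute(
            "UPDATE sales SET total = (SELECT COALESCE(SUM(qty * unit_price), 0) "
            "FROM sale_items WHERE sale_id = ?) WHERE id = ?",
            (sale_id, sale_id),
        )
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")  # nothing is restocked or recalculated on failure
        raise
    return sale_total(conn, sale_id), product_stock(conn, product_id)


if __name__ == "__main__":
    print(normalize_payment_method("account"))        # balance
    print(split_mixed_payment(1100, 400, 1000))       # (400, 700)
    db = make_db()
    print(delete_sale_item(db, 1))                    # (500, 12)
```

The detail view fix from the PR is the absence of anything: a read-only GET should call only `sale_total` and `product_stock` here, never the `UPDATE` statements, so a history report and a member balance transaction written at checkout time can never drift apart because someone opened the sale page.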