fix: ensure envelope can only be set to nil for transfers (#259)

Author: morremeyer

pkg/controllers/transaction.go

@@ -226,6 +226,34 @@ func UpdateTransaction(c *gin.Context) {
 		return
 	}
 
+	// Check the source account
+	sourceAccountID := transaction.SourceAccountID
+	if data.SourceAccountID != uuid.Nil {
+		sourceAccountID = data.SourceAccountID
+	}
+	sourceAccount, err := getAccountResource(c, sourceAccountID)
+	if err != nil {
+		return
+	}
+
+	// Check the destination account
+	destinationAccountID := transaction.DestinationAccountID
+	if data.DestinationAccountID != uuid.Nil {
+		destinationAccountID = data.DestinationAccountID
+	}
+	destinationAccount, err := getAccountResource(c, destinationAccountID)
+	if err != nil {
+		return
+	}
+
+	// Check if the transaction is a transfer. If yes, the envelope can be empty.
+	//
+	// Check that the Envelope ID is set for incoming and outgoing transactions
+	if sourceAccount.External || destinationAccount.External && data.EnvelopeID == nil {
+		httputil.NewError(c, http.StatusBadRequest, errors.New("For incoming and outgoing transactions, an envelope is required"))
+		return
+	}
+
 	err = database.DB.Model(&transaction).Select("", updateFields...).Updates(data).Error
 	if err != nil {
 		httputil.ErrorHandler(c, err)

pkg/controllers/transaction_test.go

@@ -281,6 +281,36 @@ func (suite *TestSuiteEnv) TestUpdateTransactionNegativeAmount() {
 	test.AssertHTTPStatus(suite.T(), http.StatusBadRequest, &recorder)
 }
 
+func (suite *TestSuiteEnv) TestUpdateTransactionEmptySourceDestinationAccount() {
+	transaction := createTestTransaction(suite.T(), models.TransactionCreate{Amount: decimal.NewFromFloat(382.18)})
+
+	recorder := test.Request(suite.T(), http.MethodPatch, transaction.Data.Links.Self, models.TransactionCreate{SourceAccountID: uuid.New()})
+	test.AssertHTTPStatus(suite.T(), http.StatusNotFound, &recorder)
+
+	recorder = test.Request(suite.T(), http.MethodPatch, transaction.Data.Links.Self, models.TransactionCreate{DestinationAccountID: uuid.New()})
+	test.AssertHTTPStatus(suite.T(), http.StatusNotFound, &recorder)
+}
+
+func (suite *TestSuiteEnv) TestUpdateNoEnvelopeTransactionOutgoing() {
+	envelope := createTestEnvelope(suite.T(), models.EnvelopeCreate{})
+
+	c := models.TransactionCreate{
+		BudgetID:             createTestBudget(suite.T(), models.BudgetCreate{Name: "Testing budget for updating of outgoing transfer"}).Data.ID,
+		SourceAccountID:      createTestAccount(suite.T(), models.AccountCreate{Name: "Internal Source Account", External: false}).Data.ID,
+		DestinationAccountID: createTestAccount(suite.T(), models.AccountCreate{Name: "External destination account", External: true}).Data.ID,
+		EnvelopeID:           &envelope.Data.ID,
+		Amount:               decimal.NewFromFloat(984.13),
+	}
+
+	transaction := createTestTransaction(suite.T(), c)
+
+	recorder := test.Request(suite.T(), http.MethodPatch, transaction.Data.Links.Self, `{ "envelopeId": null }`)
+	test.AssertHTTPStatus(suite.T(), http.StatusBadRequest, &recorder)
+
+	err := test.DecodeError(suite.T(), recorder.Body.Bytes())
+	assert.Equal(suite.T(), "For incoming and outgoing transactions, an envelope is required", err, "request id %s", recorder.Header().Get("x-request-id"))
+}
+
 func (suite *TestSuiteEnv) TestUpdateNonExistingTransaction() {
 	recorder := test.Request(suite.T(), http.MethodPatch, "http://example.com/v1/transactions/6ae3312c-23cf-4225-9a81-4f218ba41b00", `{ "note": "2" }`)
 	test.AssertHTTPStatus(suite.T(), http.StatusNotFound, &recorder)

pkg/httputil/query_test.go

@@ -41,6 +41,26 @@ func TestGetBodyFields(t *testing.T) {
 	assert.Equal(t, http.StatusOK, w.Code, "Status is wrong, return body %#v", w.Body.String())
 }
 
+func TestGetBodyFieldsNull(t *testing.T) {
+	w := httptest.NewRecorder()
+	c, r := gin.CreateTestContext(w)
+
+	r.PATCH("/", func(ctx *gin.Context) {
+		fields, err := httputil.GetBodyFields(c, models.AccountCreate{})
+		if err != nil {
+			c.JSON(http.StatusBadRequest, err)
+		}
+		c.JSON(http.StatusOK, fields)
+	})
+
+	json := []byte(`{ "name": null }`)
+
+	c.Request, _ = http.NewRequest(http.MethodPatch, "https://example.com/", bytes.NewBuffer(json))
+	r.ServeHTTP(w, c.Request)
+	assert.Equal(t, http.StatusOK, w.Code, "Status is wrong, return body %#v", w.Body.String())
+	assert.Equal(t, `["Name"]`, w.Body.String(), `Fields are not parsed correctly, should be ["Name"]`)
+}
+
 func TestGetBodyFieldsUnparseable(t *testing.T) {
 	w := httptest.NewRecorder()
 	c, r := gin.CreateTestContext(w)