From 3ef8807ee9694bd172f67fb76e647588ee55eb64 Mon Sep 17 00:00:00 2001
From: Mauricio Baeza
Date: Thu, 1 Mar 2018 13:32:47 -0600
Subject: [PATCH] Validar usuario

---
 source/app/controllers/main.py | 21 +++++++++++++++++++++
 source/app/models/main.py | 4 ++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/source/app/controllers/main.py b/source/app/controllers/main.py
index 6436f47..25fd54f 100644
--- a/source/app/controllers/main.py
+++ b/source/app/controllers/main.py
@@ -88,10 +88,18 @@ class AppMain(object):
 class AppValues(object):
+    TABLES = ('allusuarios', 'usuario', 'usuarioupdate', 'editusuario',
+        'addusuario')
     def __init__(self, db):
         self._db = db
+    def _valid_user(self, table, user):
+        if table in self.TABLES and not user.es_admin:
+            return False
+
+        return True
+
     def on_get(self, req, resp, table):
         values = req.params
         session = req.env['beaker.session']
@@ -109,6 +117,10 @@ class AppValues(object):
             req.context['result'] = session['userobj'].es_superusuario \
                 or session['userobj'].es_admin
         else:
+            if not self._valid_user(table, session['userobj']):
+                resp.status = falcon.HTTP_403
+                return
+
             req.context['result'] = self._db.get_values(table, values, session)
         resp.status = falcon.HTTP_200
@@ -120,6 +132,10 @@ class AppValues(object):
             resp.status = falcon.HTTP_204
             return
+        if not self._valid_user(table, session['userobj']):
+            resp.status = falcon.HTTP_403
+            return
+
         if self._db.delete(table, values['id']):
             resp.status = falcon.HTTP_200
         else:
@@ -130,6 +146,11 @@ class AppValues(object):
         if file_object is None:
             session = req.env['beaker.session']
             values = req.params
+
+            if not self._valid_user(table, session['userobj']):
+                resp.status = falcon.HTTP_403
+                return
+
             if table == 'correo':
                 req.context['result'] = self._db.validate_email(values)
             elif table == 'sendmail':
diff --git a/source/app/models/main.py b/source/app/models/main.py
index e31c2d0..76f85ef 100644
--- a/source/app/models/main.py
+++ b/source/app/models/main.py
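Review bot: `_valid_user` in the first hunk grants the tables in `TABLES` only to `user.es_admin`, while the `on_get` branch visible in the second hunk treats `es_superusuario` as a separate privilege (`session['userobj'].es_superusuario or session['userobj'].es_admin`); if a superuser is not also flagged `es_admin`, the user-administration tables will answer 403 to that account, which looks unintended — confirm against the user model before merging. The rule also reads as a double negative and would be clearer stated directly, `return table not in self.TABLES or bool(user.es_admin)`, with a docstring saying that it restricts the user-administration tables in `TABLES` to admins and returns True for every other table. The name suggests validation of the user object rather than an authorization decision; `_is_authorized(table, user)` would say what it is. The enclosing class AppValues continues outside the hunk.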
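Review bot: In the fourth hunk the new authorization check in `on_post` sits inside the `if file_object is None:` branch, so a request that carries a file and targets one of the tables in `TABLES` takes the other branch (outside the hunk) without the `es_admin` check; if those tables never accept uploads this is harmless, but reading `session = req.env['beaker.session']` before the branch and placing the check above `if file_object is None:` closes the gap regardless of what the other branch does. The same three lines (`if not self._valid_user(table, session['userobj']):`, `resp.status = falcon.HTTP_403`, `return`) now appear in on_get, on_delete and on_post; one small helper that sets the 403 and returns the decision would keep the three paths identical, and a log line on that denial path would give an audit trail for rejected access to the user tables if the module already has a logger (not visible here). on_post begins and ends outside the hunk.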
@@ -3889,8 +3889,8 @@ class Facturas(BaseModel):
         comprobante['Descuento'] = FORMAT.format(invoice.descuento)
         if invoice.tipo_comprobante == 'T':
-            comprobante['SubTotal'] = '0.0'
-            comprobante['Total'] = '0.0'
+            comprobante['SubTotal'] = '0.00'
+            comprobante['Total'] = '0.00'
             del comprobante['FormaPago']
         if invoice.tipo_relacion:
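Review bot: The zero amounts are still hand-typed literals (`'0.00'`) two lines below `FORMAT.format(invoice.descuento)`, which is how the other amounts in this block get their decimal width; writing `comprobante['SubTotal'] = FORMAT.format(0)` and `comprobante['Total'] = FORMAT.format(0)` keeps the precision in one place so it cannot drift again the way this commit corrects. This assumes FORMAT is the fixed-decimal formatter applied to the other amounts, which the hunk does not show. The enclosing method of Facturas starts and ends outside the hunk.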