add scope to filter data

invoices/views.py

@@ -14,11 +14,15 @@ from accounts.models import Role
 from common.consts import UserRoles
 from .models import Item, Quote, QuoteItem, Payment, Invoice, InvoiceItem
 from installations.models import InstallationReport, InstallationItemChange
-
+from processes.utils import get_scoped_instance_or_404
 
 @login_required
 def quote_step(request, instance_id, step_id):
     """مرحله انتخاب اقلام و ساخت پیش‌فاکتور"""
+    # Enforce scoped access to prevent URL tampering
+    instance = get_scoped_instance_or_404(request, instance_id)
+
+    # Enforce scoped access to prevent URL tampering
     instance = get_object_or_404(
         ProcessInstance.objects.select_related('process', 'well', 'requester', 'representative', 'representative__profile'),
         id=instance_id
@@ -68,7 +72,7 @@ def quote_step(request, instance_id, step_id):
 @login_required
 def create_quote(request, instance_id, step_id):
     """ساخت/بروزرسانی پیش‌فاکتور از اقلام انتخابی"""
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     # enforce permission: only BROKER can create/update quote
     profile = getattr(request.user, 'profile', None)
@@ -219,6 +223,9 @@ def create_quote(request, instance_id, step_id):
 @login_required
 def quote_preview_step(request, instance_id, step_id):
     """مرحله صدور پیش‌فاکتور - نمایش و تایید فاکتور"""
+    # Enforce scoped access to prevent URL tampering
+    instance = get_scoped_instance_or_404(request, instance_id)
+
     instance = get_object_or_404(
         ProcessInstance.objects.select_related('process', 'well', 'requester', 'representative', 'representative__profile', 'broker', 'broker__company', 'broker__affairs', 'broker__affairs__county', 'broker__affairs__county__city'),
         id=instance_id
@@ -261,7 +268,7 @@ def quote_preview_step(request, instance_id, step_id):
 @login_required
 def quote_print(request, instance_id):
     """صفحه پرینت پیش‌فاکتور"""
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     quote = get_object_or_404(Quote, process_instance=instance)
     
     return render(request, 'invoices/quote_print.html', {
@@ -274,7 +281,7 @@ def quote_print(request, instance_id):
 @login_required  
 def approve_quote(request, instance_id, step_id):
     """تایید پیش‌فاکتور و انتقال به مرحله بعدی"""
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     quote = get_object_or_404(Quote, process_instance=instance)
     # enforce permission: only BROKER can approve
@@ -316,6 +323,9 @@ def approve_quote(request, instance_id, step_id):
 @login_required
 def quote_payment_step(request, instance_id, step_id):
     """مرحله سوم: ثبت فیش‌های واریزی پیش‌فاکتور"""
+    # Enforce scoped access to prevent URL tampering
+    instance = get_scoped_instance_or_404(request, instance_id)
+
     instance = get_object_or_404(
         ProcessInstance.objects.select_related('process', 'well', 'requester', 'representative', 'representative__profile'),
         id=instance_id
@@ -449,7 +459,7 @@ def quote_payment_step(request, instance_id, step_id):
 @login_required
 def add_quote_payment(request, instance_id, step_id):
     """افزودن فیش واریزی جدید برای پیش‌فاکتور"""
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     quote = get_object_or_404(Quote, process_instance=instance)
     invoice, _ = Invoice.objects.get_or_create(
@@ -564,7 +574,7 @@ def add_quote_payment(request, instance_id, step_id):
 @require_POST
 @login_required
 def delete_quote_payment(request, instance_id, step_id, payment_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     quote = get_object_or_404(Quote, process_instance=instance)
     invoice = Invoice.objects.filter(quote=quote).first()
@@ -632,6 +642,9 @@ def delete_quote_payment(request, instance_id, step_id, payment_id):
 @login_required
 def final_invoice_step(request, instance_id, step_id):
     """تجمیع اقلام پیش‌فاکتور با تغییرات نصب و صدور فاکتور نهایی"""
+    # Enforce scoped access to prevent URL tampering
+    instance = get_scoped_instance_or_404(request, instance_id)
+
     instance = get_object_or_404(
         ProcessInstance.objects.select_related('process', 'well', 'requester', 'representative', 'representative__profile'),
         id=instance_id
@@ -770,7 +783,7 @@ def final_invoice_step(request, instance_id, step_id):
 
 @login_required
 def final_invoice_print(request, instance_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     items = invoice.items.select_related('item').filter(is_deleted=False).all()
     return render(request, 'invoices/final_invoice_print.html', {
@@ -783,7 +796,7 @@ def final_invoice_print(request, instance_id):
 @require_POST
 @login_required
 def approve_final_invoice(request, instance_id, step_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     # only MANAGER can approve
@@ -811,7 +824,7 @@ def approve_final_invoice(request, instance_id, step_id):
 @login_required
 def add_special_charge(request, instance_id, step_id):
     """افزودن هزینه ویژه تعمیر/تعویض به فاکتور نهایی به‌صورت آیتم جداگانه"""
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     # only MANAGER can add special charges
     try:
@@ -848,7 +861,7 @@ def add_special_charge(request, instance_id, step_id):
 @require_POST
 @login_required
 def delete_special_charge(request, instance_id, step_id, item_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     # only MANAGER can delete special charges
     try:
@@ -870,7 +883,7 @@ def delete_special_charge(request, instance_id, step_id, item_id):
 
 @login_required
 def final_settlement_step(request, instance_id, step_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
 
     if not instance.can_access_step(step):
@@ -976,7 +989,7 @@ def final_settlement_step(request, instance_id, step_id):
 @require_POST
 @login_required
 def add_final_payment(request, instance_id, step_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     # Only BROKER can add final settlement payments
@@ -1093,7 +1106,7 @@ def add_final_payment(request, instance_id, step_id):
 @require_POST
 @login_required
 def delete_final_payment(request, instance_id, step_id, payment_id):
-    instance = get_object_or_404(ProcessInstance, id=instance_id)
+    instance = get_scoped_instance_or_404(request, instance_id)
     step = get_object_or_404(instance.process.steps, id=step_id)
     invoice = get_object_or_404(Invoice, process_instance=instance)
     payment = get_object_or_404(Payment, id=payment_id, invoice=invoice)