-rw-r--r--indoteknik_api/controllers/api_v1/download.py8
-rw-r--r--indoteknik_api/controllers/api_v1/sale_order.py56
-rw-r--r--indoteknik_api/models/account_move.py1
-rw-r--r--indoteknik_api/models/rest_api.py5
-rw-r--r--indoteknik_api/models/sale_order.py1
5 files changed, 65 insertions, 6 deletions
diff --git a/indoteknik_api/controllers/api_v1/download.py b/indoteknik_api/controllers/api_v1/download.py
index 3794744e..f12be337 100644
--- a/indoteknik_api/controllers/api_v1/download.py
+++ b/indoteknik_api/controllers/api_v1/download.py
@@ -19,8 +19,8 @@ class Download(controller.Controller):
def download_invoice(self, id, token):
id = int(id)
- md5_by_id = request.env['rest.api'].md5_salt(id, 'account.move')
- if not md5_by_id == token:
+ md5_valid = request.env['rest.api'].md5_salt_valid(id, 'account.move', token)
+ if not md5_valid:
return self.response('Unauthorized')
pdf, type = request.env['ir.actions.report'].sudo().search([('report_name', '=', 'account.report_invoice')])._render_qweb_pdf([id])
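Review bot: The token accepted by `md5_salt_valid(id, 'account.move', token)` appears, from the rest_api.py hunk in this commit, to be an MD5 over only the model name and the record id, so it contains no secret and does not prove the caller is entitled to the invoice. The PDF is then rendered through `sudo()`, which means this check is the only access control on the route. The same applies to `download_tax_invoice` in the next hunk. Consider a keyed token, for example `hmac.new(server_secret, msg, hashlib.sha256).hexdigest()` with a key kept in server configuration, or an authenticated session whose partner is checked against the invoice. Both function bodies continue outside their hunks.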
@@ -30,8 +30,8 @@ class Download(controller.Controller):
def download_tax_invoice(self, id, token):
id = int(id)
- md5_by_id = request.env['rest.api'].md5_salt(id, 'account.move')
- if not md5_by_id == token:
+ md5_valid = request.env['rest.api'].md5_salt_valid(id, 'account.move', token)
+ if not md5_valid:
return self.response('Unauthorized')
attachment = self._get_attachment('account.move', 'efaktur_document', id)
diff --git a/indoteknik_api/controllers/api_v1/sale_order.py b/indoteknik_api/controllers/api_v1/sale_order.py
index 52ccf9fa..9a4b23d9 100644
--- a/indoteknik_api/controllers/api_v1/sale_order.py
+++ b/indoteknik_api/controllers/api_v1/sale_order.py
@@ -105,6 +105,62 @@ class SaleOrder(controller.Controller):
return self.response(data)
+ @http.route(PREFIX_PARTNER + 'sale_order/<id>/upload_po', auth='public', method=['POST', 'OPTIONS'], csrf=False)
+ def partner_upload_po_sale_order(self, **kw):
+ user_token = self.authenticate()
+ if not user_token:
+ return self.unauthorized_response()
+
+ params = self.get_request_params(kw, {
+ 'partner_id': ['number'],
+ 'id': ['number'],
+ 'name': [],
+ 'file': []
+ })
+ if not user_token['partner_id'] == params['value']['partner_id']:
+ return self.unauthorized_response()
+ if not params['valid']:
+ return self.response(code=400, description=params)
+ partner_child_ids = self.get_partner_child_ids(params['value']['partner_id'])
+ domain = [
+ ('id', '=', params['value']['id']),
+ ('partner_id', 'in', partner_child_ids)
+ ]
+ data = False
+ sale_order = request.env['sale.order'].search(domain)
+ if sale_order:
+ sale_order.partner_purchase_order_name = params['value']['name']
+ sale_order.partner_purchase_order_file = params['value']['file']
+ data = sale_order.id
+ return self.response(data)
+
+ @http.route(PREFIX_PARTNER + 'sale_order/<id>/cancel', auth='public', method=['POST', 'OPTIONS'], csrf=False)
+ def partner_cancel_sale_order(self, **kw):
+ user_token = self.authenticate()
+ if not user_token:
+ return self.unauthorized_response()
+
+ params = self.get_request_params(kw, {
+ 'partner_id': ['number'],
+ 'id': ['number']
+ })
+ if not user_token['partner_id'] == params['value']['partner_id']:
+ return self.unauthorized_response()
+ if not params['valid']:
+ return self.response(code=400, description=params)
+
+ partner_child_ids = self.get_partner_child_ids(params['value']['partner_id'])
+ domain = [
+ ('id', '=', params['value']['id']),
+ ('partner_id', 'in', partner_child_ids)
+ ]
+ data = False
+ sale_order = request.env['sale.order'].search(domain)
+ if sale_order:
+ sale_order.state = 'cancel'
+ data = sale_order.id
+ return self.response(data)
+
@http.route(PREFIX_PARTNER + 'sale_order/checkout', auth='public', method=['POST', 'OPTIONS'], csrf=False)
def create_partner_sale_order(self, **kw):
user_token = self.authenticate()
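Review bot: `partner_cancel_sale_order` assigns `sale_order.state = 'cancel'` directly with no check of the current state, so an order at any stage can be cancelled and the model's own cancel logic is skipped. Consider restricting the search domain to cancellable states and calling `sale_order.action_cancel()` instead. In both new handlers `params['value']['partner_id']` is compared before `params['valid']` is tested, so testing `params['valid']` first would keep malformed requests on the 400 path. In `partner_upload_po_sale_order` the `name` and `file` values are written as received, and a size and content-type limit on `file` would be prudent. The decorators also pass `method=[...]` where Odoo's `http.route` keyword is `methods`, so the verb restriction may not be applied on these `csrf=False` routes; the existing checkout route has the same spelling.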
diff --git a/indoteknik_api/models/account_move.py b/indoteknik_api/models/account_move.py
index 3c8fd655..5c31f010 100644
--- a/indoteknik_api/models/account_move.py
+++ b/indoteknik_api/models/account_move.py
@@ -1,6 +1,5 @@
import datetime
from odoo import models
-import hashlib
class AccountMove(models.Model):
diff --git a/indoteknik_api/models/rest_api.py b/indoteknik_api/models/rest_api.py
index 052800b7..0a15aad1 100644
--- a/indoteknik_api/models/rest_api.py
+++ b/indoteknik_api/models/rest_api.py
@@ -14,4 +14,7 @@ class RestApi(models.TransientModel):
return time
def md5_salt(self, value, salt):
- return hashlib.md5((salt + '$' + str(value)).encode()).hexdigest() \ No newline at end of file
+ return hashlib.md5((salt + '$' + str(value)).encode()).hexdigest()
+
+ def md5_salt_valid(self, value, salt, token):
+ return hashlib.md5((salt + '$' + str(value)).encode()).hexdigest() == token \ No newline at end of file
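Review bot: `md5_salt_valid` compares the digest with `==`, which is not constant-time, and it repeats the hash expression from `md5_salt` instead of calling it. One line covers both, with `import hmac` added at the top of the file: `return hmac.compare_digest(self.md5_salt(value, salt).encode(), str(token).encode())`. A short docstring saying what `salt` is expected to be and what the token protects would help, since the call sites in this commit pass the model name as `salt`.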
diff --git a/indoteknik_api/models/sale_order.py b/indoteknik_api/models/sale_order.py
index c7d488be..cc2f9586 100644
--- a/indoteknik_api/models/sale_order.py
+++ b/indoteknik_api/models/sale_order.py
@@ -32,6 +32,7 @@ class SaleOrder(models.Model):
if context == 'with_detail':
res_users = self.env['res.users']
data_with_detail = {
+ 'purchase_order_file': True if sale_order.partner_purchase_order_file else False,
'payment_term': sale_order.payment_term_id.name or '',
'date_order': self.env['rest.api'].datetime_to_str(sale_order.date_order, '%d/%m/%Y %H:%M:%S'),
'products': [],
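Review bot: `True if sale_order.partner_purchase_order_file else False` on the added line is equivalent to `bool(sale_order.partner_purchase_order_file)`, which reads more directly. A brief comment such as `# flag only; the file content is not returned here` would record why the field is reduced to a boolean. The enclosing dict and method continue outside the hunk.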