From 26e3e316640b557947734f28141654c32d33a077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Sat, 3 Mar 2018 11:09:53 +0100
Subject: [PATCH] manager: let user with view permission access the events agenda page (#22245)

---
 chrono/manager/views.py | 13 +++++++++++++
 tests/test_manager.py   | 28 ++++++++++++++++++++++++----
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/chrono/manager/views.py b/chrono/manager/views.py
index 81e418f..8ac42a0 100644
--- a/chrono/manager/views.py
+++ b/chrono/manager/views.py
@@ -358,6 +358,19 @@ class AgendaSettings(ManagedAgendaMixin, DetailView):
     template_name = 'chrono/manager_agenda_settings.html'
     model = Agenda
 
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            self.agenda = Agenda.objects.get(id=kwargs.get('pk'))
+        except Agenda.DoesNotExist:
+            raise Http404()
+        if not self.agenda.can_be_managed(request.user):
+            # "events" agendas settings page can be access by user with the
+            # view permission as there are no other "view" page for this type
+            # of agenda.
+            if self.agenda.kind != 'events' or not self.agenda.can_be_viewed(request.user):
+                raise PermissionDenied()
+        return super(DetailView, self).dispatch(request, *args, **kwargs)
+
     def get_context_data(self, **kwargs):
         context = super(AgendaSettings, self).get_context_data(**kwargs)
         context['user_can_manage'] = self.get_object().can_be_managed(self.request.user)
diff --git a/tests/test_manager.py b/tests/test_manager.py
index 7216be7..bdeba76 100644
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@@ -119,8 +119,8 @@ def test_view_agendas_as_manager(app, manager_user):
     agenda.view_role = manager_user.groups.all()[0]
     agenda.save()
 
-    agenda = Agenda(label=u'Bar Foo')
-    agenda.save()
+    agenda2 = Agenda(label=u'Bar Foo')
+    agenda2.save()
 
     app = login(app, username='manager', password='manager')
     resp = app.get('/manage/', status=200)
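Review bot: The relaxed access rule in the new `dispatch` only takes effect because `super(DetailView, self).dispatch(...)` skips whatever sits between `AgendaSettings` and `DetailView` in the MRO, i.e. `ManagedAgendaMixin`, whose own `dispatch` is presumably where the manage-only check lives; the mixin is outside this hunk and nothing in the code says this is deliberate. That ties the authorization path to the base-class order on the `class` line, so a reordered or added base would silently widen or narrow who reaches the page without any test of this method noticing. I would state the intent on the return line: `# deliberately bypass ManagedAgendaMixin.dispatch: its manage-only check is replaced by the weaker view check above`. The inline comment should also read "can be accessed by users with the view permission as there is no other "view" page for this kind of agenda". Hiding the action links through `user_can_manage` is presentation, not enforcement, so the `add-event` and `edit` views must keep their own checks, which the accompanying tests do exercise.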
@@ -128,7 +128,21 @@ def test_view_agendas_as_manager(app, manager_user): assert 'Bar Foo' not in resp.body assert 'New' not in resp.body - app.get('/manage/agendas/%s/' % agenda.id, status=403) + # check user doesn't have access + app.get('/manage/agendas/%s/' % agenda2.id, status=403) + + # check view gives access to the settings page for "events" agenda + resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=200) + # but there's no links to actions + assert not '>New Event<' in resp.body + assert not '>Options<' in resp.body + app.get('/manage/agendas/%s/add-event' % agenda.id, status=403) + app.get('/manage/agendas/%s/edit' % agenda.id, status=403) + + # check it doesn't give access for "meetings" agenda + agenda.kind = 'meetings' + agenda.save() + resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=403) def test_add_agenda(app, admin_user): app = login(app) @@ -176,9 +190,16 @@ def test_options_agenda_as_manager(app, manager_user): resp = app.get('/manage/', status=200) resp = resp.click('Foo bar') assert not 'Settings' in resp.body + resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=200) # ok for "events" agendas + resp = app.get('/manage/agendas/%s/edit' % agenda.id, status=403) + agenda.kind = 'meetings' + agenda.save() resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=403) resp = app.get('/manage/agendas/%s/edit' % agenda.id, status=403) + agenda.kind = 'events' + agenda.save() + agenda.edit_role = manager_user.groups.all()[0] agenda.save() @@ -282,7 +303,6 @@ def test_add_event_as_manager(app, manager_user): agenda.save() app = login(app, username='manager', password='manager') resp = app.get('/manage/agendas/%s/' % agenda.id, status=302) - app.get('/manage/agendas/%s/settings' % agenda.id, status=403) app.get('/manage/agendas/%s/add-event' % agenda.id, status=403) agenda.edit_role = manager_user.groups.all()[0] -- 2.16.2
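Review bot: The new assertions never request the settings URL for an agenda the manager holds no role on, so a regression that dropped the `can_be_viewed` half of the check in `AgendaSettings.dispatch` would still pass: `agenda2` (no roles, and apparently the default kind) is only fetched at `/manage/agendas/<id>/`, and the settings-page `status=403` probe in `test_add_event_as_manager` is removed in the last hunk. Add the negative case next to the existing one: `app.get('/manage/agendas/%s/settings' % agenda2.id, status=403)`. As a matter of style, `assert not '>New Event<' in resp.body` reads better as `assert '>New Event<' not in resp.body`, matching the `not in` form used two lines above. `test_view_agendas_as_manager` begins before this hunk.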