From 68b3bd905d55e9e95869816842b89a501c0c80ae Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 25 Feb 2022 10:43:59 +0100
Subject: [PATCH] manager: redirect users to their detail page if they can view it (#34829)

---
 src/authentic2/manager/user_views.py | 2 +-
 tests/test_user_manager.py | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/authentic2/manager/user_views.py b/src/authentic2/manager/user_views.py
index e64b443b..1e762bbd 100644
--- a/src/authentic2/manager/user_views.py
+++ b/src/authentic2/manager/user_views.py
@@ -899,7 +899,7 @@ user_import_report = UserImportReportView.as_view()
 
 
 def me(request):
- if request.user.has_perm('custom_user.change_user', request.user):
+ if request.user.has_perm('custom_user.view_user', request.user):
 return redirect(request, 'a2-manager-user-detail', kwargs={'pk': request.user.pk})
 else:
 return redirect(request, 'account_management')
diff --git a/tests/test_user_manager.py b/tests/test_user_manager.py
index 307284ab..2d5d56b5 100644
--- a/tests/test_user_manager.py
+++ b/tests/test_user_manager.py
@@ -1276,3 +1276,28 @@ def test_delete_user(app, superuser, simple_user):
 .count()
 == 1
 )
+
+
+def test_me_redirect(app, simple_user):
+ from django.contrib.contenttypes.models import ContentType
+
+ from authentic2.a2_rbac.models import Permission, Role
+ from django_rbac.models import VIEW_OP
+ from django_rbac.utils import get_operation
+
+ login(app, simple_user)
+
+ response = app.get('/manage/me/')
+ assert response.location == '/accounts/'
+
+ role = Role.objects.create()
+ view_user_perm = Permission.objects.create(
+ operation=get_operation(VIEW_OP),
+ target_ct=ContentType.objects.get_for_model(simple_user),
+ target_id=simple_user.pk,
+ )
+ role.permissions.add(view_user_perm)
+ role.members.add(simple_user)
+
+ response = app.get('/manage/me/')
+ assert response.location == f'/manage/users/{simple_user.pk}/'
--
2.34.1
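Review bot: In `me`, the `has_perm('custom_user.view_user', request.user)` test only picks the redirect target, and nothing in the hunk says so; a short comment above the `if` would make clear that it is not the access control for the detail page, e.g. `# Routing only: the a2-manager-user-detail view must enforce view_user on its own.` Switching from `change_user` to `view_user` also means an account that holds only `change_user` on itself would now fall through to `account_management`, unless the RBAC backend treats change as implying view, which is not visible here. No decorator appears on `def me` in the visible context, so anonymous requests presumably depend on `has_perm` returning false or on the URL configuration, which is worth confirming.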
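Review bot: `test_me_redirect` grants `VIEW_OP` only on `simple_user`'s own pk and asserts the two `response.location` values, so it never shows that the check in `me` is object-scoped; a case where the role's permission targets a different user's pk and `/manage/me/` still redirects to `/accounts/` would pin that down. The test also stops at the redirect: if `app` is a WebTest client, `app.get(response.location, status=200)` after the last assertion would confirm that a view-only user can actually load the detail page rather than hit a permission error. The imports inside the function body would read better at module level unless they are kept local on purpose.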