Read-only users cannot copy, transfer or remove checks.

hc/front/tests/test_copy.py

@@ -33,3 +33,11 @@ class CopyCheckTestCase(BaseTestCase):
         self.client.login(username="[email protected]", password="password")
         r = self.client.post(self.copy_url)
         self.assertEqual(r.status_code, 400)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+        r = self.client.post(self.copy_url)
+        self.assertEqual(r.status_code, 403)

hc/front/tests/test_details.py

@@ -58,3 +58,6 @@ class DetailsTestCase(BaseTestCase):
         self.assertNotContains(r, "Filtering Rules")
         self.assertNotContains(r, "pause-btn")
         self.assertNotContains(r, "Change Schedule")
+        self.assertNotContains(r, "Create a Copy…")
+        self.assertNotContains(r, "transfer-btn")
+        self.assertNotContains(r, "details-remove-check")

hc/front/tests/test_remove_check.py

@@ -51,3 +51,11 @@ class RemoveCheckTestCase(BaseTestCase):
         self.client.login(username="[email protected]", password="password")
         r = self.client.post(self.remove_url)
         self.assertRedirects(r, self.redirect_url)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+        r = self.client.post(self.remove_url)
+        self.assertEqual(r.status_code, 403)

hc/front/tests/test_transfer.py

@@ -63,3 +63,13 @@ class TransferTestCase(BaseTestCase):
         payload = {"project": self.charlies_project.code}
         r = self.client.post(self.url, payload)
         self.assertEqual(r.status_code, 404)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        payload = {"project": self.project.code}
+
+        self.client.login(username="[email protected]", password="password")
+        r = self.client.post(self.url, payload)
+        self.assertEqual(r.status_code, 403)

hc/front/views.py

@@ -500,6 +500,9 @@ def resume(request, code):
 @login_required
 def remove_check(request, code):
     check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()
+
     project = check.project
     check.delete()
     return redirect("hc-checks", project.code)
@@ -579,6 +582,8 @@ def details(request, code):
 @login_required
 def transfer(request, code):
     check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()
 
     if request.method == "POST":
         target_project, rw = _get_project_for_user(request, request.POST["project"])
@@ -600,6 +605,8 @@ def transfer(request, code):
 @login_required
 def copy(request, code):
     check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()
 
     if check.project.num_checks_available() <= 0:
         return HttpResponseBadRequest()

templates/front/details.html

@@ -232,6 +232,7 @@
             {% endif %}
         </div>
 
+        {% if rw %}
         <div class="details-block">
             <h2>Danger Zone</h2>
             <p>Copy, Transfer, or permanently remove this check.</p>
@@ -239,7 +240,6 @@
             <div class="text-right">
                 {% if project.num_checks_available > 0 %}
                 <button
-                    id="copy-btn"
                     data-toggle="modal"
                     data-target="#copy-modal"
                     class="btn btn-sm btn-default">Create a Copy&hellip;</button>
@@ -260,7 +260,7 @@
                     class="btn btn-sm btn-default">Remove</button>
             </div>
         </div>
-
+        {% endif %}
     </div>
 
     <div id="events" class="col-sm-7" data-status-url="{% url 'hc-status-single' check.code %}">