From 11d8e6197cc47df190c69c5032012dd9925ad045 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Wed, 26 Aug 2020 12:29:03 +0300
Subject: [PATCH] Read-only users cannot add checks. Read-only users cannot pause checks.

---
 hc/front/tests/test_add_check.py       |  8 ++++++++
 hc/front/tests/test_details.py         |  1 +
 hc/front/tests/test_my_checks.py       | 14 ++++++++++++++
 hc/front/tests/test_pause.py           |  8 ++++++++
 hc/front/views.py                      |  5 +++++
 templates/front/details.html           |  2 ++
 templates/front/my_checks.html         |  3 +++
 templates/front/my_checks_desktop.html |  2 ++
 8 files changed, 43 insertions(+)

diff --git a/hc/front/tests/test_add_check.py b/hc/front/tests/test_add_check.py
index 32501425..3cd5a6c7 100644
--- a/hc/front/tests/test_add_check.py
+++ b/hc/front/tests/test_add_check.py
@@ -32,6 +32,14 @@ class AddCheckTestCase(BaseTestCase):
         r = self.client.get(self.url)
         self.assertEqual(r.status_code, 405)
 
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.post(self.url)
+        self.assertEqual(r.status_code, 403)
+
     def test_it_obeys_check_limit(self):
         self.profile.check_limit = 0
         self.profile.save()
diff --git a/hc/front/tests/test_details.py b/hc/front/tests/test_details.py
index f2b0b3ee..1d5417ad 100644
--- a/hc/front/tests/test_details.py
+++ b/hc/front/tests/test_details.py
@@ -55,4 +55,5 @@ class DetailsTestCase(BaseTestCase):
         self.assertNotContains(r, "edit-name", status_code=200)
         self.assertNotContains(r, "edit-desc")
+        self.assertNotContains(r, "pause-btn")
         self.assertNotContains(r, "Change Schedule")
diff --git a/hc/front/tests/test_my_checks.py b/hc/front/tests/test_my_checks.py
index c16908f3..cb0e5c16 100644
--- a/hc/front/tests/test_my_checks.py
+++ b/hc/front/tests/test_my_checks.py
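Review bot: `test_it_requires_rw_access` in test_add_check.py proves only that the view answers 403, not that the read-only POST had no side effect, which is the property the change is really about. Add a side-effect assertion after the status check, e.g. `self.assertEqual(Check.objects.count(), 0)`, assuming `Check` is importable in this module and setUp creates no checks — neither is visible in the hunk. Without it, a future reordering that creates the check and then returns 403 would still pass this test.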
@@ -17,6 +17,8 @@ class MyChecksTestCase(BaseTestCase):
         self.client.login(username=email, password="password")
         r = self.client.get(self.url)
         self.assertContains(r, "Alice Was Here", status_code=200)
+        # The pause button:
+        self.assertContains(r, "btn btn-default pause", status_code=200)
 
         # last_active_date should have been set
         self.profile.refresh_from_db()
@@ -125,3 +127,15 @@ class MyChecksTestCase(BaseTestCase):
         self.client.login(username="alice@example.org", password="password")
         r = self.client.get(self.url)
         self.assertContains(r, """
foo
""") + + def test_it_hides_actions_from_readonly_users(self): + self.bobs_membership.rw = False + self.bobs_membership.save() + + self.client.login(username="bob@example.org", password="password") + r = self.client.get(self.url) + + self.assertNotContains(r, "Add Check", status_code=200) + + # The pause button: + self.assertNotContains(r, "btn btn-default pause", status_code=200) diff --git a/hc/front/tests/test_pause.py b/hc/front/tests/test_pause.py index ca170d64..22c2f973 100644 --- a/hc/front/tests/test_pause.py +++ b/hc/front/tests/test_pause.py @@ -46,3 +46,11 @@ class PauseTestCase(BaseTestCase): self.client.login(username="alice@example.org", password="password") r = self.client.post(self.url, HTTP_X_REQUESTED_WITH="XMLHttpRequest") self.assertEqual(r.status_code, 200) + + def test_it_requires_rw_access(self): + self.bobs_membership.rw = False + self.bobs_membership.save() + + self.client.login(username="bob@example.org", password="password") + r = self.client.post(self.url) + self.assertEqual(r.status_code, 403) diff --git a/hc/front/views.py b/hc/front/views.py index 931077b0..7125a169 100644 --- a/hc/front/views.py +++ b/hc/front/views.py @@ -323,6 +323,9 @@ def docs_cron(request): @login_required def add_check(request, code): project, rw = _get_project_for_user(request, code) + if not rw: + return HttpResponseForbidden() + if project.num_checks_available() <= 0: return HttpResponseBadRequest() @@ -461,6 +464,8 @@ def ping_details(request, code, n=None): @login_required def pause(request, code): check, rw = _get_check_for_user(request, code) + if not rw: + return HttpResponseForbidden() check.status = "paused" check.last_start = None diff --git a/templates/front/details.html b/templates/front/details.html index e222d3d8..b2692a89 100644 --- a/templates/front/details.html +++ b/templates/front/details.html @@ -129,6 +129,7 @@
+ {% if rw %}
{% csrf_token %}
+ {% endif %}
+ +{% if rw %}
{% if num_available > 0 %} @@ -57,6 +59,7 @@ {% endif %}
+{% endif %} {% include "front/update_name_modal.html" %} {% include "front/update_timeout_modal.html" %} diff --git a/templates/front/my_checks_desktop.html b/templates/front/my_checks_desktop.html index 13c3734d..5da9824f 100644 --- a/templates/front/my_checks_desktop.html +++ b/templates/front/my_checks_desktop.html @@ -126,9 +126,11 @@ + {% if rw %} + {% endif %}