Read-only users cannot change project settings.

hc/accounts/tests/test_project.py

@@ -212,3 +212,23 @@ class ProjectTestCase(BaseTestCase):
         r = self.client.get("/projects/%s/settings/" % p2.code)
         self.assertContains(r, "Add Users from Other Teams")
         self.assertContains(r, "[email protected]")
+
+    def test_it_checks_rw_access_when_updating_project_name(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+
+        form = {"set_project_name": "1", "name": "Alpha Team"}
+        r = self.client.post(self.url, form)
+        self.assertEqual(r.status_code, 403)
+
+    def test_it_hides_actions_for_readonly_users(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+
+        r = self.client.get(self.url)
+        self.assertNotContains(r, "#set-project-name-modal", status_code=200)
+        self.assertNotContains(r, "Show API Keys")

hc/accounts/views.py

@@ -246,25 +246,27 @@ def add_project(request):
 
 @login_required
 def project(request, code):
-    if request.user.is_superuser:
-        q = Project.objects
-    else:
-        q = request.profile.projects()
+    project = get_object_or_404(Project, code=code)
+    is_owner = project.owner_id == request.user.id
 
-    try:
-        project = q.get(code=code)
-    except Project.DoesNotExist:
-        return HttpResponseNotFound()
+    if request.user.is_superuser or is_owner:
+        rw = True
+    else:
+        membership = get_object_or_404(Member, project=project, user=request.user)
+        rw = membership.rw
 
-    is_owner = project.owner_id == request.user.id
     ctx = {
         "page": "project",
+        "rw": rw,
         "project": project,
         "is_owner": is_owner,
         "show_api_keys": "show_api_keys" in request.GET,
     }
 
     if request.method == "POST":
+        if not rw:
+            return HttpResponseForbidden()
+
         if "create_api_keys" in request.POST:
             project.set_api_keys()
             project.save()

templates/accounts/project.html

@@ -59,11 +59,13 @@
             <div class="panel-body settings-block">
                 <h2>Project Name</h2>
                 {{ project }}
+                {% if rw %}
                 <a
                     href="#"
                     class="btn btn-default pull-right"
                     data-toggle="modal"
                     data-target="#set-project-name-modal">Change Project Name</a>
+                {% endif %}
             </div>
 
            {% if project_name_updated %}
@@ -110,10 +112,12 @@
                         API access is enabled.
                             {% csrf_token %}
 
+                            {% if rw %}
                             <button
                                 type="submit"
                                 name="show_api_keys"
                                 class="btn btn-default pull-right">Show API Keys</button>
+                            {% endif %}
                         </form>
                     {% endif %}
                 {% else %}