From adb004b3333b1a9c338180492aef5e1a36f6f729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Wed, 26 Aug 2020 15:04:12 +0300
Subject: [PATCH] Read-only users cannot change project settings.

---
 hc/accounts/tests/test_project.py | 20 ++++++++++++++++++++
 hc/accounts/views.py | 20 +++++++++++---------
 templates/accounts/project.html | 4 ++++
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/hc/accounts/tests/test_project.py b/hc/accounts/tests/test_project.py
index e7c5aac7..e8a1cc8b 100644
--- a/hc/accounts/tests/test_project.py
+++ b/hc/accounts/tests/test_project.py
@@ -212,3 +212,23 @@ class ProjectTestCase(BaseTestCase):
 r = self.client.get("/projects/%s/settings/" % p2.code)
 self.assertContains(r, "Add Users from Other Teams")
 self.assertContains(r, "bob@example.org")
+
+ def test_it_checks_rw_access_when_updating_project_name(self):
+ self.bobs_membership.rw = False
+ self.bobs_membership.save()
+
+ self.client.login(username="bob@example.org", password="password")
+
+ form = {"set_project_name": "1", "name": "Alpha Team"}
+ r = self.client.post(self.url, form)
+ self.assertEqual(r.status_code, 403)
+
+ def test_it_hides_actions_for_readonly_users(self):
+ self.bobs_membership.rw = False
+ self.bobs_membership.save()
+
+ self.client.login(username="bob@example.org", password="password")
+
+ r = self.client.get(self.url)
+ self.assertNotContains(r, "#set-project-name-modal", status_code=200)
+ self.assertNotContains(r, "Show API Keys")
diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index e88d8954..0e97fce9 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
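Review bot: `test_it_checks_rw_access_when_updating_project_name` exercises only the `set_project_name` action, while the 403 added to the view fires for every POST action, so the case that matters most for access control — a read-only member trying to mint credentials — is not pinned; a parallel test posting `{"create_api_keys": "1"}` and asserting `403` would cover it. There is also no positive case in this hunk showing that a member with `rw=True` still gets a non-403 on the same POST, so unless an existing test elsewhere in the file covers it, a regression that denied everyone would pass. `test_it_hides_actions_for_readonly_users` asserts only on button text in a plain GET; it does not cover a GET with `?show_api_keys=1`, which is the path the view still honours without an `rw` check.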
@@ -246,25 +246,27 @@ def add_project(request):
 @login_required
 def project(request, code):
- if request.user.is_superuser:
- q = Project.objects
- else:
- q = request.profile.projects()
+ project = get_object_or_404(Project, code=code)
+ is_owner = project.owner_id == request.user.id
- try:
- project = q.get(code=code)
- except Project.DoesNotExist:
- return HttpResponseNotFound()
+ if request.user.is_superuser or is_owner:
+ rw = True
+ else:
+ membership = get_object_or_404(Member, project=project, user=request.user)
+ rw = membership.rw
- is_owner = project.owner_id == request.user.id
 ctx = {
 "page": "project",
+ "rw": rw,
 "project": project,
 "is_owner": is_owner,
 "show_api_keys": "show_api_keys" in request.GET,
 }
 if request.method == "POST":
+ if not rw:
+ return HttpResponseForbidden()
+
 if "create_api_keys" in request.POST:
 project.set_api_keys()
 project.save()
diff --git a/templates/accounts/project.html b/templates/accounts/project.html
index d9ff5235..fb07559f 100644
--- a/templates/accounts/project.html
+++ b/templates/accounts/project.html
@@ -59,11 +59,13 @@
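Review bot: `"show_api_keys": "show_api_keys" in request.GET` is still computed from the query string with no `rw` check, so the read-only gate introduced in this hunk applies to POST only and whether a read-only member sees the existing keys on GET is left to the template (the template hunk in this patch wraps the buttons in `{% if rw %}`; whether the key values themselves are gated is not visible here). Since the keys are credentials rather than display data, the authorization decision belongs in the view: `"show_api_keys": rw and "show_api_keys" in request.GET`. The new `test_it_hides_actions_for_readonly_users` asserts only that the "Show API Keys" button text is absent, so it would not catch keys rendered from the query parameter; an assertion on a GET with `?show_api_keys=1` would pin the server-side behaviour. The body of `project` continues past the end of this hunk.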

Project Name

{{ project }} + {% if rw %} Change Project Name + {% endif %}
{% if project_name_updated %} @@ -110,10 +112,12 @@ API access is enabled. {% csrf_token %} + {% if rw %} + {% endif %} {% endif %} {% else %}