
Read-only users cannot change project settings.

pull/419/head
Pēteris Caune 4 years ago
parent
commit
adb004b333
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
3 changed files with 35 additions and 9 deletions
  1. +20
    -0
      hc/accounts/tests/test_project.py
  2. +11
    -9
      hc/accounts/views.py
  3. +4
    -0
      templates/accounts/project.html

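--- a/hc/accounts/tests/test_project.py
+++ b/hc/accounts/tests/test_project.py
@@ -212,3 +212,23 @@ class ProjectTestCase(BaseTestCase):
         r = self.client.get("/projects/%s/settings/" % p2.code)
         self.assertContains(r, "Add Users from Other Teams")
         self.assertContains(r, "[email protected]")
+
+    def test_it_checks_rw_access_when_updating_project_name(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+
+        form = {"set_project_name": "1", "name": "Alpha Team"}
+        r = self.client.post(self.url, form)
+        self.assertEqual(r.status_code, 403)
+
+    def test_it_hides_actions_for_readonly_users(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="[email protected]", password="password")
+
+        r = self.client.get(self.url)
+        self.assertNotContains(r, "#set-project-name-modal", status_code=200)
+        self.assertNotContains(r, "Show API Keys")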
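Review bot: The two new tests pin the 403 only for the `set_project_name` form and the hidden buttons, while the gate added in `project()` sits in front of every POST branch, so a later change that narrows it to the name form (or drops it for `create_api_keys`) would not be caught here. Consider a sibling test that, as the read-only member, posts `{"create_api_keys": "1"}` to `self.url` and asserts `r.status_code == 403`, and one where `self.bobs_membership.rw` is left True and the same POST is asserted to succeed, so the gate is shown to be neither missing nor over-broad. The second test's `assertNotContains` is also only meaningful if the page otherwise renders the buttons for rw members; a positive `assertContains(r, "Show API Keys")` for a rw login would anchor that. The enclosing class `ProjectTestCase` starts outside the hunk.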
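--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -246,25 +246,27 @@ def add_project(request):
 
 @login_required
 def project(request, code):
-    if request.user.is_superuser:
-        q = Project.objects
-    else:
-        q = request.profile.projects()
+    project = get_object_or_404(Project, code=code)
+    is_owner = project.owner_id == request.user.id
 
-    try:
-        project = q.get(code=code)
-    except Project.DoesNotExist:
-        return HttpResponseNotFound()
+    if request.user.is_superuser or is_owner:
+        rw = True
+    else:
+        membership = get_object_or_404(Member, project=project, user=request.user)
+        rw = membership.rw
 
-    is_owner = project.owner_id == request.user.id
     ctx = {
         "page": "project",
+        "rw": rw,
         "project": project,
         "is_owner": is_owner,
         "show_api_keys": "show_api_keys" in request.GET,
     }
 
     if request.method == "POST":
+        if not rw:
+            return HttpResponseForbidden()
+
         if "create_api_keys" in request.POST:
             project.set_api_keys()
             project.save()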
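Review bot: The new `rw` gate is applied only on POST, while the unchanged `"show_api_keys": "show_api_keys" in request.GET` entry in ctx is still computed for every member regardless of `rw`; the template change in this commit hides the "Show API Keys" button for read-only users, but that is presentation only, so if the page renders the keys from `ctx["show_api_keys"]` a read-only member is still served them via the GET parameter. If the intent is that read-only members must not view the API keys, enforce it in the view rather than the template, e.g. `"show_api_keys": rw and "show_api_keys" in request.GET`, and keep the same `rw` condition on any later `show_api_keys` POST branch (the rest of `project()` continues past the hunk, so I cannot see that branch here). Please also confirm `HttpResponseForbidden` is imported at the top of views.py (outside the hunk); with the `Project.DoesNotExist` branch gone, `HttpResponseNotFound` may now be unused in this function. A one-line comment above the membership lookup, such as `# owners and superusers always have write access; other members inherit it from Member.rw`, would make the authorization rule explicit for the next reader.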
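--- a/templates/accounts/project.html
+++ b/templates/accounts/project.html
@@ -59,11 +59,13 @@
         <div class="panel-body settings-block">
             <h2>Project Name</h2>
             {{ project }}
+            {% if rw %}
             <a
                 href="#"
                 class="btn btn-default pull-right"
                 data-toggle="modal"
                 data-target="#set-project-name-modal">Change Project Name</a>
+            {% endif %}
         </div>
 
         {% if project_name_updated %}
@@ -110,10 +112,12 @@
 
                 API access is enabled.
                 {% csrf_token %}
+                {% if rw %}
                 <button
                     type="submit"
                     name="show_api_keys"
                     class="btn btn-default pull-right">Show API Keys</button>
+                {% endif %}
             </form>
             {% endif %}
             {% else %}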