From c9baa2d8eb321b5bb1299a263b3f4fc9f233e08d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?= <cuu508@gmail.com>
Date: Wed, 26 Aug 2020 12:50:02 +0300
Subject: [PATCH] Read-only users cannot toggle channels on and off.

---
 hc/front/tests/test_switch_channel.py | 8 ++++++++
 hc/front/views.py                     | 2 ++
 static/css/details.css                | 2 +-
 static/js/details.js                  | 2 +-
 templates/front/details.html          | 2 +-
 5 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/hc/front/tests/test_switch_channel.py b/hc/front/tests/test_switch_channel.py
index c6b76cc2..de0f3e75 100644
--- a/hc/front/tests/test_switch_channel.py
+++ b/hc/front/tests/test_switch_channel.py
@@ -51,3 +51,11 @@ class SwitchChannelTestCase(BaseTestCase):
         self.client.login(username="bob@example.org", password="password")
         r = self.client.post(self.url, {"state": "on"})
         self.assertEqual(r.status_code, 200)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.post(self.url, {"state": "on"})
+        self.assertEqual(r.status_code, 403)
diff --git a/hc/front/views.py b/hc/front/views.py
index c0cdd14e..55ae76bf 100644
--- a/hc/front/views.py
+++ b/hc/front/views.py
@@ -230,6 +230,8 @@ def status(request, code):
 @require_POST
 def switch_channel(request, code, channel_code):
     check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()
 
     channel = get_object_or_404(Channel, code=channel_code)
     if channel.project_id != check.project_id:
diff --git a/static/css/details.css b/static/css/details.css
index ec54dc24..af91d599 100644
--- a/static/css/details.css
+++ b/static/css/details.css
@@ -73,7 +73,7 @@
     background: #22bc66;
 }
 
-#details-integrations tr:hover th, #details-integrations tr:hover td {
+#details-integrations.rw tr:hover th, #details-integrations.rw tr:hover td {
     cursor: pointer;
     background-color: #f5f5f5;
 }
diff --git a/static/js/details.js b/static/js/details.js
index 44b9efea..5a01d795 100644
--- a/static/js/details.js
+++ b/static/js/details.js
@@ -59,7 +59,7 @@ $(function () {
         }, 300);
     });
 
-    $("#details-integrations tr").click(function() {
+    $("#details-integrations.rw tr").click(function() {
         var isOn = $(this).toggleClass("on").hasClass("on");
         $(".label", this).text(isOn ? "ON" : "OFF");
 
diff --git a/templates/front/details.html b/templates/front/details.html
index b8e247d0..03216185 100644
--- a/templates/front/details.html
+++ b/templates/front/details.html
@@ -206,7 +206,7 @@
         <div class="details-block">
             <h2>Notification Methods</h2>
             {% if channels %}
-            <table id="details-integrations" class="table">
+            <table id="details-integrations" class="table {% if rw %}rw{% endif %}">
             {% for channel in channels %}
                 <tr data-url="{% url 'hc-switch-channel' check.code channel.code %}" {% if channel in enabled_channels %}class="on"{% endif %}>
                     <th>