From cbd7ffbffbca402869b18124fe06723aee086ac7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Wed, 26 Aug 2020 12:36:05 +0300
Subject: [PATCH] Read-only users cannot edit filtering rules.
---
hc/front/tests/test_details.py | 1 +
hc/front/tests/test_filtering_rules.py | 18 +++++++++++++++++-
hc/front/views.py | 3 +++
templates/front/details.html | 2 ++
4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/hc/front/tests/test_details.py b/hc/front/tests/test_details.py
index 1d5417ad..ef5592bf 100644
--- a/hc/front/tests/test_details.py
+++ b/hc/front/tests/test_details.py
@@ -55,5 +55,6 @@ class DetailsTestCase(BaseTestCase):
self.assertNotContains(r, "edit-name", status_code=200)
self.assertNotContains(r, "edit-desc")
+ self.assertNotContains(r, "Filtering Rules")
self.assertNotContains(r, "pause-btn")
self.assertNotContains(r, "Change Schedule")
diff --git a/hc/front/tests/test_filtering_rules.py b/hc/front/tests/test_filtering_rules.py
index cdf8d71f..e30c3bd9 100644
--- a/hc/front/tests/test_filtering_rules.py
+++ b/hc/front/tests/test_filtering_rules.py
@@ -20,7 +20,7 @@ class FilteringRulesTestCase(BaseTestCase):
}
self.client.login(username="alice@example.org", password="password")
- r = self.client.post(self.url, data=payload,)
+ r = self.client.post(self.url, data=payload)
self.assertRedirects(r, self.redirect_url)
self.check.refresh_from_db()
@@ -72,3 +72,19 @@ class FilteringRulesTestCase(BaseTestCase):
self.check.refresh_from_db()
self.assertFalse(self.check.manual_resume)
+
+ def test_it_requires_rw_access(self):
+ self.bobs_membership.rw = False
+ self.bobs_membership.save()
+
+ payload = {
+ "subject": "SUCCESS",
+ "subject_fail": "ERROR",
+ "methods": "POST",
+ "manual_resume": "1",
+ "filter_by_subject": "yes",
+ }
+
+ self.client.login(username="bob@example.org", password="password")
+ r = self.client.post(self.url, payload)
+ self.assertEqual(r.status_code, 403)
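Review bot: test_it_requires_rw_access only checks the 403 status; it does not verify that the rejected POST left the check untouched, which is the property the guard in views.py is meant to protect. After the status assertion I would add `self.check.refresh_from_db()` followed by `self.assertNotEqual(self.check.subject, "SUCCESS")` (or whichever of the posted fields is easiest to compare against the fixture's pre-test value), so a future regression that returns 403 only after saving would still be caught. As a point of style, this test posts with `self.client.post(self.url, payload)` while the earlier hunk in the same class uses `data=payload`; picking one form for the file would read more consistently. The test method itself lies entirely within this hunk, but the enclosing class continues outside it.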
diff --git a/hc/front/views.py b/hc/front/views.py
index 7125a169..130bdfe1 100644
--- a/hc/front/views.py
+++ b/hc/front/views.py
@@ -362,6 +362,9 @@ def update_name(request, code):
@login_required
def filtering_rules(request, code):
check, rw = _get_check_for_user(request, code)
+ if not rw:
+ return HttpResponseForbidden()
+
form = forms.FilteringRulesForm(request.POST)
if form.is_valid():
check.subject = form.cleaned_data["subject"]
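Review bot: The new `if not rw: return HttpResponseForbidden()` guard is correctly placed before the form is bound, so a read-only member cannot reach the field assignments below it, but nothing in the hunk says why `rw` gates this view or where it comes from; a one-line comment such as `# Read-only members may view the check but must not change its filtering rules.` above the guard would make the intent clear to the next reader. I cannot see whether a `@require_POST` decorator sits above `@login_required` outside the hunk; if it does not, the view also binds `request.POST` on GET requests, which is unrelated to this change but worth confirming. The body of filtering_rules continues past the end of the hunk.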
diff --git a/templates/front/details.html b/templates/front/details.html
index b2692a89..90afb480 100644
--- a/templates/front/details.html
+++ b/templates/front/details.html
@@ -95,10 +95,12 @@
+ {% if rw %}
+ {% endif %}