harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Read-only users cannot copy, transfer or remove checks.

Browse Source
This commit is contained in:
Pēteris Caune 2020-08-26 12:44:55 +03:00
parent cbd7ffbffb
commit 024d0adb9c
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
6 changed files with 38 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hc/front/tests/test_copy.py
View File

@ -33,3 +33,11 @@ class CopyCheckTestCase(BaseTestCase):
self.client.login(username="alice@example.org", password="password") self.client.login(username="alice@example.org", password="password")
r = self.client.post(self.copy_url) r = self.client.post(self.copy_url)
self.assertEqual(r.status_code, 400) self.assertEqual(r.status_code, 400)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.copy_url)
self.assertEqual(r.status_code, 403)

3
hc/front/tests/test_details.py
View File

@ -58,3 +58,6 @@ class DetailsTestCase(BaseTestCase):
self.assertNotContains(r, "Filtering Rules") self.assertNotContains(r, "Filtering Rules")
self.assertNotContains(r, "pause-btn") self.assertNotContains(r, "pause-btn")
self.assertNotContains(r, "Change Schedule") self.assertNotContains(r, "Change Schedule")
self.assertNotContains(r, "Create a Copy…")
self.assertNotContains(r, "transfer-btn")
self.assertNotContains(r, "details-remove-check")

8
hc/front/tests/test_remove_check.py
View File

@ -51,3 +51,11 @@ class RemoveCheckTestCase(BaseTestCase):
self.client.login(username="bob@example.org", password="password") self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.remove_url) r = self.client.post(self.remove_url)
self.assertRedirects(r, self.redirect_url) self.assertRedirects(r, self.redirect_url)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.remove_url)
self.assertEqual(r.status_code, 403)

10
hc/front/tests/test_transfer.py
View File

@ -63,3 +63,13 @@ class TransferTestCase(BaseTestCase):
payload = {"project": self.charlies_project.code} payload = {"project": self.charlies_project.code}
r = self.client.post(self.url, payload) r = self.client.post(self.url, payload)
self.assertEqual(r.status_code, 404) self.assertEqual(r.status_code, 404)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
payload = {"project": self.project.code}
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.url, payload)
self.assertEqual(r.status_code, 403)

7
hc/front/views.py
View File

@ -500,6 +500,9 @@ def resume(request, code):
@login_required @login_required
def remove_check(request, code): def remove_check(request, code):
check, rw = _get_check_for_user(request, code) check, rw = _get_check_for_user(request, code)
if not rw:
return HttpResponseForbidden()
project = check.project project = check.project
check.delete() check.delete()
return redirect("hc-checks", project.code) return redirect("hc-checks", project.code)
@ -579,6 +582,8 @@ def details(request, code):
@login_required @login_required
def transfer(request, code): def transfer(request, code):
check, rw = _get_check_for_user(request, code) check, rw = _get_check_for_user(request, code)
if not rw:
return HttpResponseForbidden()
if request.method == "POST": if request.method == "POST":
target_project, rw = _get_project_for_user(request, request.POST["project"]) target_project, rw = _get_project_for_user(request, request.POST["project"])
@ -600,6 +605,8 @@ def transfer(request, code):
@login_required @login_required
def copy(request, code): def copy(request, code):
check, rw = _get_check_for_user(request, code) check, rw = _get_check_for_user(request, code)
if not rw:
return HttpResponseForbidden()
if check.project.num_checks_available() <= 0: if check.project.num_checks_available() <= 0:
return HttpResponseBadRequest() return HttpResponseBadRequest()

4
templates/front/details.html
View File

@ -232,6 +232,7 @@
{% endif %} {% endif %}
</div> </div>
{% if rw %}
<div class="details-block"> <div class="details-block">
<h2>Danger Zone</h2> <h2>Danger Zone</h2>
<p>Copy, Transfer, or permanently remove this check.</p> <p>Copy, Transfer, or permanently remove this check.</p>
@ -239,7 +240,6 @@
<div class="text-right"> <div class="text-right">
{% if project.num_checks_available > 0 %} {% if project.num_checks_available > 0 %}
<button <button
id="copy-btn"
data-toggle="modal" data-toggle="modal"
data-target="#copy-modal" data-target="#copy-modal"
class="btn btn-sm btn-default">Create a Copy&hellip;</button> class="btn btn-sm btn-default">Create a Copy&hellip;</button>
@ -260,7 +260,7 @@
class="btn btn-sm btn-default">Remove</button> class="btn btn-sm btn-default">Remove</button>
</div> </div>
</div> </div>
{% endif %}
</div> </div>
<div id="events" class="col-sm-7" data-status-url="{% url 'hc-status-single' check.code %}"> <div id="events" class="col-sm-7" data-status-url="{% url 'hc-status-single' check.code %}">