Read-only users cannot add checks.

Read-only users cannot pause checks.
2020-08-26 12:29:03 +03:00 · 2020-08-26 12:29:03 +03:00 · 11d8e6197c
commit 11d8e6197c
parent 00790dc33c
8 changed files with 43 additions and 0 deletions
--- a/hc/front/tests/test_add_check.py
+++ b/hc/front/tests/test_add_check.py
@ -32,6 +32,14 @@ class AddCheckTestCase(BaseTestCase):
        r = self.client.get(self.url)
        self.assertEqual(r.status_code, 405)

+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.post(self.url)
+        self.assertEqual(r.status_code, 403)
+
    def test_it_obeys_check_limit(self):
        self.profile.check_limit = 0
        self.profile.save()
--- a/hc/front/tests/test_details.py
+++ b/hc/front/tests/test_details.py
@ -55,4 +55,5 @@ class DetailsTestCase(BaseTestCase):

        self.assertNotContains(r, "edit-name", status_code=200)
        self.assertNotContains(r, "edit-desc")
+        self.assertNotContains(r, "pause-btn")
        self.assertNotContains(r, "Change Schedule")
--- a/hc/front/tests/test_my_checks.py
+++ b/hc/front/tests/test_my_checks.py
@ -17,6 +17,8 @@ class MyChecksTestCase(BaseTestCase):
            self.client.login(username=email, password="password")
            r = self.client.get(self.url)
            self.assertContains(r, "Alice Was Here", status_code=200)
+            # The pause button:
+            self.assertContains(r, "btn btn-default pause", status_code=200)

        # last_active_date should have been set
        self.profile.refresh_from_db()
@ -125,3 +127,15 @@ class MyChecksTestCase(BaseTestCase):
        self.client.login(username="alice@example.org", password="password")
        r = self.client.get(self.url)
        self.assertContains(r, """<div class="btn btn-xs grace ">foo</div>""")
+
+    def test_it_hides_actions_from_readonly_users(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.get(self.url)
+
+        self.assertNotContains(r, "Add Check", status_code=200)
+
+        # The pause button:
+        self.assertNotContains(r, "btn btn-default pause", status_code=200)
--- a/hc/front/tests/test_pause.py
+++ b/hc/front/tests/test_pause.py
@ -46,3 +46,11 @@ class PauseTestCase(BaseTestCase):
        self.client.login(username="alice@example.org", password="password")
        r = self.client.post(self.url, HTTP_X_REQUESTED_WITH="XMLHttpRequest")
        self.assertEqual(r.status_code, 200)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.post(self.url)
+        self.assertEqual(r.status_code, 403)
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -323,6 +323,9 @@ def docs_cron(request):
@login_required
 def add_check(request, code):
    project, rw = _get_project_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()
+
    if project.num_checks_available() <= 0:
        return HttpResponseBadRequest()

@ -461,6 +464,8 @@ def ping_details(request, code, n=None):
@login_required
 def pause(request, code):
    check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()

    check.status = "paused"
    check.last_start = None
--- a/templates/front/details.html
+++ b/templates/front/details.html
@ -129,6 +129,7 @@
                </tr>
            </table>
            <div class="text-right">
+                {% if rw %}
                <form action="{% url 'hc-pause' check.code %}" method="post">
                    {% csrf_token %}
                    <input
@ -137,6 +138,7 @@
                        {% if check.status == "paused" %}disabled{% endif %}
                        class="btn btn-sm btn-default" value="Pause" />
                </form>
+                {% endif %}

                <button
                    id="ping-now"
--- a/templates/front/my_checks.html
+++ b/templates/front/my_checks.html
@ -32,6 +32,8 @@
    {% endif %}
    </div>
 </div>
+
+{% if rw %}
 <div id="my-checks-bottom-actions" class="row">
    <div class="col-sm-12">
        {% if num_available > 0 %}
@ -57,6 +59,7 @@
        {% endif %}
    </div>
 </div>
+{% endif %}

 {% include "front/update_name_modal.html" %}
 {% include "front/update_timeout_modal.html" %}
--- a/templates/front/my_checks_desktop.html
+++ b/templates/front/my_checks_desktop.html
@ -126,9 +126,11 @@
            </div>
        </td>
        <td class="actions">
+            {% if rw %}
            <button class="btn btn-default pause" type="button">
                <span class="icon-paused" />
            </button>
+            {% endif %}

            <button title="Show Details" class="btn btn-default show-log" type="button">
                <span class="icon-dots" />