front.views.status uses project_id not user.username

hc/front/tests/test_status.py

@@ -10,9 +10,11 @@ class MyChecksTestCase(BaseTestCase):
         self.check.tags = "foo"
         self.check.save()
 
+        self.url = "/projects/%s/checks/status/" % self.project.code
+
     def test_it_works(self):
         self.client.login(username="alice@example.org", password="password")
-        r = self.client.get("/teams/alice/checks/status/")
+        r = self.client.get(self.url)
         self.assertEqual(r.status_code, 200)
         doc = r.json()
 
@@ -28,7 +30,7 @@ class MyChecksTestCase(BaseTestCase):
         self.bobs_profile.save()
 
         self.client.login(username="bob@example.org", password="password")
-        r = self.client.get("/teams/alice/checks/status/")
+        r = self.client.get(self.url)
         self.assertEqual(r.status_code, 200)
 
     def test_it_checks_ownership(self):
@@ -36,5 +38,5 @@ class MyChecksTestCase(BaseTestCase):
         self.bobs_profile.save()
 
         self.client.login(username="charlie@example.org", password="password")
-        r = self.client.get("/teams/alice/checks/status/")
+        r = self.client.get(self.url)
         self.assertEqual(r.status_code, 404)

hc/front/urls.py

@@ -51,7 +51,7 @@ urlpatterns = [
     path('checks/', views.my_checks, name="hc-checks"),
     path('checks/add/', views.add_check, name="hc-add-check"),
     path('checks/cron_preview/', views.cron_preview),
-    path('teams/<str:username>/checks/status/', views.status, name="hc-status"),
+    path('projects/<uuid:code>/checks/status/', views.status, name="hc-status"),
     path('checks/<uuid:code>/', include(check_urls)),
     path('integrations/', include(channel_urls)),
 

hc/front/views.py

@@ -7,7 +7,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.core import signing
-from django.db.models import Count
+from django.db.models import Count, Q
 from django.http import (Http404, HttpResponse, HttpResponseBadRequest,
                          HttpResponseForbidden, JsonResponse)
 from django.shortcuts import get_object_or_404, redirect, render
@@ -17,6 +17,7 @@ from django.utils import timezone
 from django.utils.crypto import get_random_string
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
+from hc.accounts.models import Project
 from hc.api.models import (DEFAULT_GRACE, DEFAULT_TIMEOUT, Channel, Check,
                            Ping, Notification)
 from hc.api.transports import Telegram
@@ -78,17 +79,16 @@ def _get_check_for_user(request, code):
         raise Http404("not found")
 
 
-def _has_access(request, username):
+def _has_access(request, project_code):
     """ Return true if current user has access to the specified account. """
 
-    if request.user.username == username:
-        return True
-
     if request.user.is_superuser:
         return True
 
-    q = request.user.memberships
+    is_owner = Q(owner_id=request.user.id)
-    return q.filter(project__owner__username=username).exists()
+    is_member = Q(member__user_id=request.user.id)
+    projects = Project.objects.filter(is_owner | is_member)
+    return projects.filter(code=project_code).exists()
 
 
 @login_required
@@ -144,11 +144,11 @@ def my_checks(request):
 
 
 @login_required
-def status(request, username):
+def status(request, code):
-    if not _has_access(request, username):
+    if not _has_access(request, code):
         raise Http404("not found")
 
-    checks = list(Check.objects.filter(project__owner__username=username))
+    checks = list(Check.objects.filter(project__code=code))
 
     details = []
     for check in checks:

templates/front/my_checks_desktop.html

@@ -2,7 +2,7 @@
 <table
     id="checks-table"
     class="table"
-    data-status-url="{% url 'hc-status' request.project.owner.username %}">
+    data-status-url="{% url 'hc-status' request.project.code %}">
     <tr>
         <th></th>
         <th class="th-name">