Access rights checks for team access stuff in profile page.

hc/accounts/tests/test_profile.py

@@ -1,4 +1,3 @@
-from django.contrib.auth.models import User
 from django.core import mail
 
 from hc.test import BaseTestCase
@@ -78,6 +77,13 @@ class ProfileTestCase(BaseTestCase):
                 ' alice@example.org on healthchecks.io')
         self.assertEqual(mail.outbox[0].subject, subj)
 
+    def test_add_team_member_checks_team_access_allowed_flag(self):
+        self.client.login(username="charlie@example.org", password="password")
+
+        form = {"invite_team_member": "1", "email": "frank@example.org"}
+        r = self.client.post("/accounts/profile/", form)
+        assert r.status_code == 403
+
     def test_it_removes_team_member(self):
         self.client.login(username="alice@example.org", password="password")
 
@@ -100,6 +106,13 @@ class ProfileTestCase(BaseTestCase):
         self.alice.profile.refresh_from_db()
         self.assertEqual(self.alice.profile.team_name, "Alpha Team")
 
+    def test_set_team_name_checks_team_access_allowed_flag(self):
+        self.client.login(username="charlie@example.org", password="password")
+
+        form = {"set_team_name": "1", "team_name": "Charlies Team"}
+        r = self.client.post("/accounts/profile/", form)
+        assert r.status_code == 403
+
     def test_it_switches_to_own_team(self):
         self.client.login(username="bob@example.org", password="password")
 

hc/accounts/views.py

@@ -149,6 +149,9 @@ def profile(request):
                 profile.save()
                 messages.info(request, "Your settings have been updated!")
         elif "invite_team_member" in request.POST:
+            if not profile.team_access_allowed:
+                return HttpResponseForbidden()
+
             form = InviteTeamMemberForm(request.POST)
             if form.is_valid():
 
@@ -174,6 +177,9 @@ def profile(request):
 
                 messages.info(request, "%s removed from team!" % email)
         elif "set_team_name" in request.POST:
+            if not profile.team_access_allowed:
+                return HttpResponseForbidden()
+
             form = TeamNameForm(request.POST)
             if form.is_valid():
                 profile.team_name = form.cleaned_data["team_name"]

hc/test.py

@@ -9,12 +9,13 @@ class BaseTestCase(TestCase):
     def setUp(self):
         super(BaseTestCase, self).setUp()
 
-        # Alice is a normal user for tests
+        # Alice is a normal user for tests. Alice has team access enabled.
         self.alice = User(username="alice", email="alice@example.org")
         self.alice.set_password("password")
         self.alice.save()
 
         self.profile = Profile(user=self.alice, api_key="abc")
+        self.profile.team_access_allowed = True
         self.profile.save()
 
         # Bob is on Alice's team and should have access to her stuff

templates/accounts/profile.html

@@ -100,59 +100,56 @@
         <div class="panel panel-default">
             <div class="panel-body settings-block">
                 <h2>Team Access</h2>
-                {% if profile.team_access_allowed %}
+                {% if profile.member_set.count %}
-                    {% if profile.member_set.count %}
+                    <table class="table">
-                        <table class="table">
+                        <tr>
-                            <tr>
+                            <td>{{ profile.user.email }}</td>
-                                <td>{{ profile.user.email }}</td>
+                            <td>Owner</td>
-                                <td>Owner</td>
+                            <td></td>
-                                <td></td>
+                        </tr>
-                            </tr>
+                        {% for member in profile.member_set.all %}
-                            {% for member in profile.member_set.all %}
+                        <tr>
-                            <tr>
+                            <td>{{ member.user.email }} </td>
-                                <td>{{ member.user.email }} </td>
+                            <td>Member</td>
-                                <td>Member</td>
+                            <td>
-                                <td>
+                                <a
-                                    <a
+                                    href="#"
-                                        href="#"
+                                    data-email="{{ member.user.email }}"
-                                        data-email="{{ member.user.email }}"
+                                    class="pull-right member-remove">Remove</a>
-                                        class="pull-right member-remove">Remove</a>
+                            </td>
-                                </td>
+                        </tr>
-                            </tr>
+                        {% endfor %}
-                            {% endfor %}
+                    </table>
-                        </table>
-                    {% else %}
-                        <p>
-                            <strong>Invite team members to your account.</strong>
-                        </p>
-                        <p>
-                            Share access to your checks and configured integrations
-                            without having to share a login.
-                        </p>
-                    {% endif %}
-
-                    <br />
-
-                    <a
-                        href="#"
-                        class="btn btn-default"
-                        data-toggle="modal"
-                        data-target="#set-team-name-modal">Set Team Name</a>
-
-                    <a
-                        href="#"
-                        class="btn btn-primary pull-right"
-                        data-toggle="modal"
-                        data-target="#invite-team-member-modal">Invite a Team Member</a>
                 {% else %}
                     <p>
                         <strong>Invite team members to your account.</strong>
-                        Share access to your checks and configured integrations
-                        without having to share a login.</p>
-                    <p>
-                        To enable team access, please upgrade to
-                        one of the <a href="{% url 'hc-pricing' %}">paid plans</a>.
                     </p>
+                    <p>
+                        Share access to your checks and configured integrations
+                        without having to share a login.
+                    </p>
+                    {% if not profile.team_access_allowed %}
+                        <p>
+                            To enable team access, please upgrade to
+                            one of the <a href="{% url 'hc-pricing' %}">paid plans</a>.
+                        </p>
+                    {% endif %}
+                {% endif %}
+
+                <br />
+
+                {% if profile.team_access_allowed %}
+                <a
+                    href="#"
+                    class="btn btn-default"
+                    data-toggle="modal"
+                    data-target="#set-team-name-modal">Set Team Name</a>
+
+                <a
+                    href="#"
+                    class="btn btn-primary pull-right"
+                    data-toggle="modal"
+                    data-target="#invite-team-member-modal">Invite a Team Member</a>
                 {% endif %}
             </div>
         </div>