harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Access rights checks for team access stuff in profile page.

Browse Source
This commit is contained in:
Pēteris Caune 2016-05-14 12:51:10 +03:00
parent b725b5c4a5
commit 813c316888
4 changed files with 68 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hc/accounts/tests/test_profile.py
View File

@ -1,4 +1,3 @@
from django.contrib.auth.models import User
from django.core import mail
from hc.test import BaseTestCase
@ -78,6 +77,13 @@ class ProfileTestCase(BaseTestCase):
' alice@example.org on healthchecks.io')
self.assertEqual(mail.outbox[0].subject, subj)
def test_add_team_member_checks_team_access_allowed_flag(self):
self.client.login(username="charlie@example.org", password="password")
form = {"invite_team_member": "1", "email": "frank@example.org"}
r = self.client.post("/accounts/profile/", form)
assert r.status_code == 403
def test_it_removes_team_member(self):
self.client.login(username="alice@example.org", password="password")
@ -100,6 +106,13 @@ class ProfileTestCase(BaseTestCase):
self.alice.profile.refresh_from_db()
self.assertEqual(self.alice.profile.team_name, "Alpha Team")
def test_set_team_name_checks_team_access_allowed_flag(self):
self.client.login(username="charlie@example.org", password="password")
form = {"set_team_name": "1", "team_name": "Charlies Team"}
r = self.client.post("/accounts/profile/", form)
assert r.status_code == 403
def test_it_switches_to_own_team(self):
self.client.login(username="bob@example.org", password="password")

6
hc/accounts/views.py
View File

@ -149,6 +149,9 @@ def profile(request):
profile.save()
messages.info(request, "Your settings have been updated!")
elif "invite_team_member" in request.POST:
if not profile.team_access_allowed:
return HttpResponseForbidden()
form = InviteTeamMemberForm(request.POST)
if form.is_valid():
@ -174,6 +177,9 @@ def profile(request):
messages.info(request, "%s removed from team!" % email)
elif "set_team_name" in request.POST:
if not profile.team_access_allowed:
return HttpResponseForbidden()
form = TeamNameForm(request.POST)
if form.is_valid():
profile.team_name = form.cleaned_data["team_name"]

3
hc/test.py
View File

@ -9,12 +9,13 @@ class BaseTestCase(TestCase):
def setUp(self):
super(BaseTestCase, self).setUp()
# Alice is a normal user for tests
# Alice is a normal user for tests. Alice has team access enabled.
self.alice = User(username="alice", email="alice@example.org")
self.alice.set_password("password")
self.alice.save()
self.profile = Profile(user=self.alice, api_key="abc")
self.profile.team_access_allowed = True
self.profile.save()
# Bob is on Alice's team and should have access to her stuff

17
templates/accounts/profile.html
View File

@ -100,7 +100,6 @@
<div class="panel panel-default">
<div class="panel-body settings-block">
<h2>Team Access</h2>
{% if profile.team_access_allowed %}
{% if profile.member_set.count %}
<table class="table">
<tr>
@ -129,10 +128,17 @@
Share access to your checks and configured integrations
without having to share a login.
</p>
{% if not profile.team_access_allowed %}
<p>
To enable team access, please upgrade to
one of the <a href="{% url 'hc-pricing' %}">paid plans</a>.
</p>
{% endif %}
{% endif %}
<br />
{% if profile.team_access_allowed %}
<a
href="#"
class="btn btn-default"
@ -144,15 +150,6 @@
class="btn btn-primary pull-right"
data-toggle="modal"
data-target="#invite-team-member-modal">Invite a Team Member</a>
{% else %}
<p>
<strong>Invite team members to your account.</strong>
Share access to your checks and configured integrations
without having to share a login.</p>
<p>
To enable team access, please upgrade to
one of the <a href="{% url 'hc-pricing' %}">paid plans</a>.
</p>
{% endif %}
</div>
</div>