harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Read-only users cannot change project settings.

Browse Source
This commit is contained in:
Pēteris Caune 2020-08-26 15:04:12 +03:00
parent 39198c827a
commit adb004b333
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
3 changed files with 36 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
hc/accounts/tests/test_project.py
View File

@ -212,3 +212,23 @@ class ProjectTestCase(BaseTestCase):
r = self.client.get("/projects/%s/settings/" % p2.code) r = self.client.get("/projects/%s/settings/" % p2.code)
self.assertContains(r, "Add Users from Other Teams") self.assertContains(r, "Add Users from Other Teams")
self.assertContains(r, "bob@example.org") self.assertContains(r, "bob@example.org")
def test_it_checks_rw_access_when_updating_project_name(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
form = {"set_project_name": "1", "name": "Alpha Team"}
r = self.client.post(self.url, form)
self.assertEqual(r.status_code, 403)
def test_it_hides_actions_for_readonly_users(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
r = self.client.get(self.url)
self.assertNotContains(r, "#set-project-name-modal", status_code=200)
self.assertNotContains(r, "Show API Keys")

22
hc/accounts/views.py
View File

@ -246,25 +246,27 @@ def add_project(request):
@login_required @login_required
def project(request, code): def project(request, code):
if request.user.is_superuser: project = get_object_or_404(Project, code=code)
q = Project.objects
else:
q = request.profile.projects()
try:
project = q.get(code=code)
except Project.DoesNotExist:
return HttpResponseNotFound()
is_owner = project.owner_id == request.user.id is_owner = project.owner_id == request.user.id
if request.user.is_superuser or is_owner:
rw = True
else:
membership = get_object_or_404(Member, project=project, user=request.user)
rw = membership.rw
ctx = { ctx = {
"page": "project", "page": "project",
"rw": rw,
"project": project, "project": project,
"is_owner": is_owner, "is_owner": is_owner,
"show_api_keys": "show_api_keys" in request.GET, "show_api_keys": "show_api_keys" in request.GET,
} }
if request.method == "POST": if request.method == "POST":
if not rw:
return HttpResponseForbidden()
if "create_api_keys" in request.POST: if "create_api_keys" in request.POST:
project.set_api_keys() project.set_api_keys()
project.save() project.save()

4
templates/accounts/project.html
View File

@ -59,11 +59,13 @@
<div class="panel-body settings-block"> <div class="panel-body settings-block">
<h2>Project Name</h2> <h2>Project Name</h2>
{{ project }} {{ project }}
{% if rw %}
<a <a
href="#" href="#"
class="btn btn-default pull-right" class="btn btn-default pull-right"
data-toggle="modal" data-toggle="modal"
data-target="#set-project-name-modal">Change Project Name</a> data-target="#set-project-name-modal">Change Project Name</a>
{% endif %}
</div> </div>
{% if project_name_updated %} {% if project_name_updated %}
@ -110,10 +112,12 @@
API access is enabled. API access is enabled.
{% csrf_token %} {% csrf_token %}
{% if rw %}
<button <button
type="submit" type="submit"
name="show_api_keys" name="show_api_keys"
class="btn btn-default pull-right">Show API Keys</button> class="btn btn-default pull-right">Show API Keys</button>
{% endif %}
</form> </form>
{% endif %} {% endif %}
{% else %} {% else %}