Read-only users cannot change project settings.

2020-08-26 15:04:12 +03:00 · 2020-08-26 15:04:12 +03:00 · adb004b333
commit adb004b333
parent 39198c827a
3 changed files with 36 additions and 10 deletions
--- a/hc/accounts/tests/test_project.py
+++ b/hc/accounts/tests/test_project.py
@ -212,3 +212,23 @@ class ProjectTestCase(BaseTestCase):
        r = self.client.get("/projects/%s/settings/" % p2.code)
        self.assertContains(r, "Add Users from Other Teams")
        self.assertContains(r, "bob@example.org")
+
+    def test_it_checks_rw_access_when_updating_project_name(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+
+        form = {"set_project_name": "1", "name": "Alpha Team"}
+        r = self.client.post(self.url, form)
+        self.assertEqual(r.status_code, 403)
+
+    def test_it_hides_actions_for_readonly_users(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+
+        r = self.client.get(self.url)
+        self.assertNotContains(r, "#set-project-name-modal", status_code=200)
+        self.assertNotContains(r, "Show API Keys")
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -246,25 +246,27 @@ def add_project(request):

@login_required
 def project(request, code):
-    if request.user.is_superuser:
-        q = Project.objects
-    else:
-        q = request.profile.projects()
-
-    try:
-        project = q.get(code=code)
-    except Project.DoesNotExist:
-        return HttpResponseNotFound()
-
+    project = get_object_or_404(Project, code=code)
    is_owner = project.owner_id == request.user.id
+
+    if request.user.is_superuser or is_owner:
+        rw = True
+    else:
+        membership = get_object_or_404(Member, project=project, user=request.user)
+        rw = membership.rw
+
    ctx = {
        "page": "project",
+        "rw": rw,
        "project": project,
        "is_owner": is_owner,
        "show_api_keys": "show_api_keys" in request.GET,
    }

    if request.method == "POST":
+        if not rw:
+            return HttpResponseForbidden()
+
        if "create_api_keys" in request.POST:
            project.set_api_keys()
            project.save()
--- a/templates/accounts/project.html
+++ b/templates/accounts/project.html
@ -59,11 +59,13 @@
            <div class="panel-body settings-block">
                <h2>Project Name</h2>
                {{ project }}
+                {% if rw %}
                <a
                    href="#"
                    class="btn btn-default pull-right"
                    data-toggle="modal"
                    data-target="#set-project-name-modal">Change Project Name</a>
+                {% endif %}
            </div>

           {% if project_name_updated %}
@ -110,10 +112,12 @@
                        API access is enabled.
                            {% csrf_token %}

+                            {% if rw %}
                            <button
                                type="submit"
                                name="show_api_keys"
                                class="btn btn-default pull-right">Show API Keys</button>
+                            {% endif %}
                        </form>
                    {% endif %}
                {% else %}