Read-only users cannot toggle channels on and off.

2020-08-26 12:50:02 +03:00 · 2020-08-26 12:50:02 +03:00 · c9baa2d8eb
commit c9baa2d8eb
parent 024d0adb9c
5 changed files with 13 additions and 3 deletions
--- a/hc/front/tests/test_switch_channel.py
+++ b/hc/front/tests/test_switch_channel.py
@ -51,3 +51,11 @@ class SwitchChannelTestCase(BaseTestCase):
        self.client.login(username="bob@example.org", password="password")
        r = self.client.post(self.url, {"state": "on"})
        self.assertEqual(r.status_code, 200)
+
+    def test_it_requires_rw_access(self):
+        self.bobs_membership.rw = False
+        self.bobs_membership.save()
+
+        self.client.login(username="bob@example.org", password="password")
+        r = self.client.post(self.url, {"state": "on"})
+        self.assertEqual(r.status_code, 403)
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -230,6 +230,8 @@ def status(request, code):
@require_POST
 def switch_channel(request, code, channel_code):
    check, rw = _get_check_for_user(request, code)
+    if not rw:
+        return HttpResponseForbidden()

    channel = get_object_or_404(Channel, code=channel_code)
    if channel.project_id != check.project_id:
--- a/static/css/details.css
+++ b/static/css/details.css
@ -73,7 +73,7 @@
    background: #22bc66;
 }

-#details-integrations tr:hover th, #details-integrations tr:hover td {
+#details-integrations.rw tr:hover th, #details-integrations.rw tr:hover td {
    cursor: pointer;
    background-color: #f5f5f5;
 }
--- a/static/js/details.js
+++ b/static/js/details.js
@ -59,7 +59,7 @@ $(function () {
        }, 300);
    });

-    $("#details-integrations tr").click(function() {
+    $("#details-integrations.rw tr").click(function() {
        var isOn = $(this).toggleClass("on").hasClass("on");
        $(".label", this).text(isOn ? "ON" : "OFF");

--- a/templates/front/details.html
+++ b/templates/front/details.html
@ -206,7 +206,7 @@
        <div class="details-block">
            <h2>Notification Methods</h2>
            {% if channels %}
-            <table id="details-integrations" class="table">
+            <table id="details-integrations" class="table {% if rw %}rw{% endif %}">
            {% for channel in channels %}
                <tr data-url="{% url 'hc-switch-channel' check.code channel.code %}" {% if channel in enabled_channels %}class="on"{% endif %}>
                    <th>