harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Read-only users cannot edit filtering rules.

Browse Source
This commit is contained in:
Pēteris Caune 2020-08-26 12:36:05 +03:00
parent 11d8e6197c
commit cbd7ffbffb
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
4 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hc/front/tests/test_details.py
View File

@ -55,5 +55,6 @@ class DetailsTestCase(BaseTestCase):
self.assertNotContains(r, "edit-name", status_code=200) self.assertNotContains(r, "edit-name", status_code=200)
self.assertNotContains(r, "edit-desc") self.assertNotContains(r, "edit-desc")
self.assertNotContains(r, "Filtering Rules")
self.assertNotContains(r, "pause-btn") self.assertNotContains(r, "pause-btn")
self.assertNotContains(r, "Change Schedule") self.assertNotContains(r, "Change Schedule")

18
hc/front/tests/test_filtering_rules.py
View File

@ -20,7 +20,7 @@ class FilteringRulesTestCase(BaseTestCase):
} }
self.client.login(username="alice@example.org", password="password") self.client.login(username="alice@example.org", password="password")
r = self.client.post(self.url, data=payload,) r = self.client.post(self.url, data=payload)
self.assertRedirects(r, self.redirect_url) self.assertRedirects(r, self.redirect_url)
self.check.refresh_from_db() self.check.refresh_from_db()
@ -72,3 +72,19 @@ class FilteringRulesTestCase(BaseTestCase):
self.check.refresh_from_db() self.check.refresh_from_db()
self.assertFalse(self.check.manual_resume) self.assertFalse(self.check.manual_resume)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
payload = {
"subject": "SUCCESS",
"subject_fail": "ERROR",
"methods": "POST",
"manual_resume": "1",
"filter_by_subject": "yes",
}
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.url, payload)
self.assertEqual(r.status_code, 403)

3
hc/front/views.py
View File

@ -362,6 +362,9 @@ def update_name(request, code):
@login_required @login_required
def filtering_rules(request, code): def filtering_rules(request, code):
check, rw = _get_check_for_user(request, code) check, rw = _get_check_for_user(request, code)
if not rw:
return HttpResponseForbidden()
form = forms.FilteringRulesForm(request.POST) form = forms.FilteringRulesForm(request.POST)
if form.is_valid(): if form.is_valid():
check.subject = form.cleaned_data["subject"] check.subject = form.cleaned_data["subject"]

2
templates/front/details.html
View File

@ -95,10 +95,12 @@
</p> </p>
</div> </div>
<div class="text-right"> <div class="text-right">
{% if rw %}
<button <button
data-toggle="modal" data-toggle="modal"
data-target="#filtering-rules-modal" data-target="#filtering-rules-modal"
class="btn btn-sm btn-default">Filtering Rules&hellip;</button> class="btn btn-sm btn-default">Filtering Rules&hellip;</button>
{% endif %}
<button <button
data-toggle="modal" data-toggle="modal"
data-target="#show-usage-modal" data-target="#show-usage-modal"