authorMatthew Lemon <lemon@matthewlemon.com>2020-05-27 16:21:51 +0100
committerMatthew Lemon <lemon@matthewlemon.com>2020-05-27 16:21:51 +0100
commitfa674ad70439cea0de962b87e5ac4c4dc0fa16f7 (patch)
tree706da51c48601390fc2e186bbde470da56977136
parented9a9be6e9daf58ef445047a85d0748fef53087f (diff)
working through permissions issues
-rw-r--r--ctrack/core/views.py2
-rw-r--r--ctrack/organisations/views.py8
-rw-r--r--ctrack/users/models.py3
-rw-r--r--ctrack/users/tests/test_functional.py24
-rw-r--r--ctrack/users/tests/test_models.py4
-rw-r--r--ctrack/users/tests/test_views.py37
6 files changed, 65 insertions, 13 deletions
diff --git a/ctrack/core/views.py b/ctrack/core/views.py
index 02f3db1..107458e 100644
--- a/ctrack/core/views.py
+++ b/ctrack/core/views.py
@@ -4,7 +4,7 @@ from django.shortcuts import render
@login_required
def home_page(request):
- if request.user.is_stakeholder():
+ if request.user.is_stakeholder:
return render(request, "pages/stakeholder_home.html")
else:
return render(request, "pages/home.html")
diff --git a/ctrack/organisations/views.py b/ctrack/organisations/views.py
index 2476453..7a1d105 100644
--- a/ctrack/organisations/views.py
+++ b/ctrack/organisations/views.py
@@ -1,6 +1,6 @@
from typing import Any, Dict
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
from django.db import transaction
from django.urls import reverse_lazy
from django.views.generic import CreateView, DetailView, ListView
@@ -33,12 +33,14 @@ class OrganisationCreate(LoginRequiredMixin, CreateView):
addresses.save()
return super().form_valid(form)
- def get_success_url(self) -> str:
+ def get_success_url(self):
return reverse_lazy("organisations:detail", kwargs={"slug": self.object.slug})
-class OrganisationListView(LoginRequiredMixin, ListView):
+class OrganisationListView(PermissionRequiredMixin, LoginRequiredMixin, ListView):
model = Organisation
+ raise_exeption = True
+ permission_denied_message = "Sorry. You are not authorised to view that page."
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
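Review bot: `raise_exeption = True` on the OrganisationListView line is misspelled, so Django never reads it and `PermissionRequiredMixin.raise_exception` stays at its default of False; it should be `raise_exception = True`. The mixin also needs a `permission_required` attribute, otherwise `get_permission_required()` raises `ImproperlyConfigured` on the first request — something like `permission_required = "organisations.view_organisation"` (assuming the default app label for `ctrack.organisations`), unless it is already defined further down the class, outside this hunk. With the attribute spelled correctly, a user failing the check gets a 403 instead of a redirect to the login page, which is what the new tests in test_views.py and test_functional.py appear to expect; the class body continues outside the hunk.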
diff --git a/ctrack/users/models.py b/ctrack/users/models.py
index 688254f..052efd6 100644
--- a/ctrack/users/models.py
+++ b/ctrack/users/models.py
@@ -16,6 +16,7 @@ class User(AbstractUser):
def get_absolute_url(self):
return reverse("users:detail", kwargs={"username": self.username})
+ @property
def is_stakeholder(self):
if self.stakeholder is not None:
return True
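Review bot: the new `is_stakeholder` property spells out `if ...: return True` / `return False` across this hunk and the next, which collapses to `return self.stakeholder is not None`; a one-line docstring such as `"""True when this user is linked to a Stakeholder record."""` would document the contract now that it reads as an attribute. If `stakeholder` is a reverse one-to-one accessor rather than a nullable forward field, reading `self.stakeholder` on an unlinked user raises `RelatedObjectDoesNotExist` instead of returning None, so this check would not catch that case — worth confirming against the field definition, which is outside the hunk. Turning the method into a property also means any remaining `is_stakeholder()` call elsewhere raises `TypeError`; the callers shown in this commit are updated, and Django templates accept either form.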
@@ -23,5 +24,5 @@ class User(AbstractUser):
return False
def get_organisation_name(self):
- if self.is_stakeholder():
+ if self.is_stakeholder:
return self.stakeholder.person.organisation.name
diff --git a/ctrack/users/tests/test_functional.py b/ctrack/users/tests/test_functional.py
index 1edb17e..74d72d0 100644
--- a/ctrack/users/tests/test_functional.py
+++ b/ctrack/users/tests/test_functional.py
@@ -15,7 +15,7 @@ from ctrack.users.models import User
pytestmark = pytest.mark.django_db
-def test_regular_user_can_log_in(browser, person, live_server):
+def test_regular_user_can_log_in(browser, live_server):
# Toss McBride is an OES user. He logs into the system...
User.objects.create_user(username="toss", password="knob")
@@ -38,9 +38,7 @@ def test_regular_user_can_log_in(browser, person, live_server):
]
-def test_stakeholder_can_log_in_and_see_their_home(
- browser, person, live_server, stakeholder
-):
+def test_stakeholder_can_log_in_and_see_their_home(browser, live_server, stakeholder):
# Toss McBride is an OES user. He logs into the system...
user = User.objects.create_user(username="toss", password="knob")
@@ -64,3 +62,21 @@ def test_stakeholder_can_log_in_and_see_their_home(
assert "THIS IS A TEMPLATE FOR A STAKEHOLDER USER" in [
m.text for m in type_user_message
]
+
+
+def test_stakeholder_can_log_in_but_receieved_permisson_denied_when_off_piste(
+ browser, live_server, stakeholder
+):
+ user = User.objects.create_user(username="toss", password="knob")
+ user.stakeholder = stakeholder
+ user.save()
+ browser.get(live_server + "/accounts/login")
+ browser.find_element_by_id("id_login").send_keys("toss")
+ browser.find_element_by_id("id_password").send_keys("knob")
+ browser.find_element_by_id("sign_in_button").submit()
+ time.sleep(1)
+ # Try to browser to Organisations list
+ browser.get(live_server + "/organisations")
+ assert "Sorry. You are not authorised to view that page." in [
+ x.text for x in browser.find_elements_by_tag_name("p")
+ ]
diff --git a/ctrack/users/tests/test_models.py b/ctrack/users/tests/test_models.py
index 402c41b..368be34 100644
--- a/ctrack/users/tests/test_models.py
+++ b/ctrack/users/tests/test_models.py
@@ -24,6 +24,6 @@ def test_stakeholder_model(person, user):
stakeholder = Stakeholder(person=person)
org = person.organisation.name
user.stakeholder = stakeholder
- assert user.stakeholder.person.first_name == "Chinaplate"
- assert user.is_stakeholder() is True
+ assert user.stakeholder.person.first_name == "Toss"
+ assert user.is_stakeholder is True
assert user.get_organisation_name() == org
diff --git a/ctrack/users/tests/test_views.py b/ctrack/users/tests/test_views.py
index 6f458a3..ae7fbd7 100644
--- a/ctrack/users/tests/test_views.py
+++ b/ctrack/users/tests/test_views.py
@@ -68,7 +68,7 @@ def test_profile_view_contains_organisation_information(
assert response.status_code == 200
assert response.context_data["user"].username == user.username
- assert response.context_data["user"].is_stakeholder() is True
+ assert response.context_data["user"].is_stakeholder is True
assert response.context_data["user"].stakeholder.person.first_name == "Toss"
# Two ways of getting the organisaton name
@@ -110,7 +110,7 @@ def test_regular_user_redirected_to_their_template_on_login(
def test_stakeholder_redirected_to_their_template_on_login(
- django_user_model, person, request_factory: RequestFactory, stakeholder
+ django_user_model, request_factory: RequestFactory, stakeholder
):
"""
When a user logs in WITH a stakeholder mapping, they get sent to the stakehoder user
@@ -124,3 +124,36 @@ def test_stakeholder_redirected_to_their_template_on_login(
response = home_page(request)
assert response.status_code == 200
assert b"THIS IS A TEMPLATE FOR A STAKEHOLDER USER" in response.content
+
+
+def test_stakeholder_returns_is_stakeholder(
+ django_user_model, request_factory, stakeholder
+):
+ user = django_user_model.objects.create_user(username="toss", password="knob")
+ user.stakeholder = stakeholder
+ user.save()
+ request = request_factory.get("/")
+ request.user = user
+ assert request.user.is_stakeholder is True
+
+
+def test_stakeholder_user_is_not_staff(django_user_model, stakeholder):
+ user = django_user_model.objects.create_user(username="toss", password="knob")
+ user.stakeholder = stakeholder
+ user.save()
+ assert user.is_staff is False
+
+
+def test_user_received_persmission_denied_when_accessing_disallowed_page(
+ django_user_model, request_factory, stakeholder
+):
+ user = django_user_model.objects.create_user(username="toss", password="knob")
+ user.stakeholder = stakeholder
+ user.save()
+ assert user.has_perm("ctrack.organisations.view_organisation") is True
+ user.user_permissions.clear()
+ assert user.has_perm("ctrack.organisations.view_organisation") is False
+ request = request_factory.get("/organisations")
+ request.user = user
+ response = home_page(request)
+ assert response.status_code == 403
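Review bot: `user.has_perm("ctrack.organisations.view_organisation")` uses a three-part string, but Django's ModelBackend matches permissions as `<app_label>.<codename>`, which for the default label of `ctrack.organisations` is `"organisations.view_organisation"`; the dotted-prefix form is never granted, so the `is True` assertion before `user_permissions.clear()` cannot hold unless the app label is customised (not visible here), and a freshly created user has no permissions anyway unless something grants them on save. The final assertion also calls `home_page(request)`, the `@login_required` core view, so the 403 expectation exercises the wrong view — the permission check lives on `OrganisationListView`, and calling that view directly with a user lacking the permission raises `PermissionDenied` rather than returning a 403. Using pytest-django's `client` fixture goes through the full middleware stack: `client.force_login(user)` followed by `assert client.get("/organisations").status_code == 403`.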