Diffstat (limited to '')
-rw-r--r-- | ctrack/organisations/views.py | 6 | ||||
-rw-r--r-- | ctrack/users/tests/test_views.py | 10 |
2 files changed, 12 insertions, 4 deletions
diff --git a/ctrack/organisations/views.py b/ctrack/organisations/views.py
index 1bccd3e..b929de4 100644
--- a/ctrack/organisations/views.py
+++ b/ctrack/organisations/views.py
@@ -41,11 +41,9 @@ class OrganisationCreate(LoginRequiredMixin, CreateView):
 return reverse_lazy("organisations:detail", kwargs={"slug": self.object.slug})
-class OrganisationListView(LoginRequiredMixin, UserPassesTestMixin, ListView):
+class OrganisationListView(LoginRequiredMixin, PermissionRequiredMixin, ListView):
 model = Organisation
-
- def test_func(self):
- return self.request.user.is_staff
+ permission_required = "organisations.view_organisation"
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
diff --git a/ctrack/users/tests/test_views.py b/ctrack/users/tests/test_views.py
index 6cbe9b6..ebc38d8 100644
--- a/ctrack/users/tests/test_views.py
+++ b/ctrack/users/tests/test_views.py
@@ -1,4 +1,5 @@
 import pytest
+from django.contrib.auth.models import Permission
 from django.test import RequestFactory
 from ctrack.core.views import home_page
@@ -156,3 +157,12 @@ def test_user_received_persmission_denied_when_accessing_disallowed_page(
 assert request.user.is_staff is False
 response = OrganisationListView.as_view()(request)
 assert response.status_code == 403
+
+
+def test_user_gets_403(django_user_model, client, stakeholder):
+ user = django_user_model.objects.create_user(username="toss", password="knob")
+ user.stakeholder = stakeholder
+ user.save()
+ client.login(username="toss", password="knob")
+ response = client.get(path="https://localhost:8000/organisations")
+ assert response.status_code == 403 |
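Review bot: With `test_func` removed, `is_staff` no longer grants access to `OrganisationListView`; only users holding `organisations.view_organisation` (or superusers, who pass every permission check) get through, so existing staff accounts are denied until that permission is assigned through a group or a data migration, which this commit does not appear to include. A one-line comment above the attribute would record the intent, e.g. `# Model-level view permission required; is_staff alone is not sufficient.` The file's only hunk starts at line 41 and adds no import, so confirm `PermissionRequiredMixin` is already imported, and drop `UserPassesTestMixin` from the import if nothing else uses it. The hunk header also shows `OrganisationCreate` gated by `LoginRequiredMixin` alone, so creating appears to be less restricted than listing; consider whether it should require `organisations.add_organisation`. The class body continues outside the hunk.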
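Review bot: The new `test_user_gets_403` and the existing test above it both assert only the denial path, so a mistyped codename in `permission_required` would lock out every non-superuser and the suite would still pass. A test that grants the permission and expects success is missing, and the `Permission` import added in this file's first hunk is unused in the visible lines, which suggests one was intended. The request path is a hard-coded absolute URL without a trailing slash; resolving it with `reverse()` would tie the test to the list view rather than to whatever that path happens to hit. The name `test_user_gets_403` could also say which user and which page it covers. A possible positive test follows, assuming the list view renders for a user set up this way.

```python
def test_user_with_view_permission_can_list_organisations(
    django_user_model, client, stakeholder
):
    user = django_user_model.objects.create_user(username="toss", password="knob")
    user.stakeholder = stakeholder
    user.save()
    # Grant exactly the permission the view declares in permission_required.
    view_perm = Permission.objects.get(
        content_type__app_label="organisations", codename="view_organisation"
    )
    user.user_permissions.add(view_perm)
    client.login(username="toss", password="knob")
    response = client.get(path="https://localhost:8000/organisations")
    assert response.status_code == 200
```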