Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53

2025-06-21 01:48:21 +02:00 · 2020-08-13 15:20:15 +02:00
parent 71f6436d06
commit c466715e8a
15 changed files with 584 additions and 173 deletions
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@ -70,7 +70,7 @@ def pre_save_object(sender, instance, **kwargs):

        if not has_perm:
            raise PermissionDenied(
-                _("You don't have the permission to add this instance of model {app_label}.{model_name}.")
+                _("You don't have the permission to add an instance of model {app_label}.{model_name}.")
                .format(app_label=app_label, model_name=model_name, ))


--- a/apps/permission/tests/init.py
+++ b/apps/permission/tests/init.py
--- a/apps/permission/tests/test_permission_denied.py
+++ b/apps/permission/tests/test_permission_denied.py
@ -0,0 +1,150 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.urls import reverse
+from django.utils import timezone
+from activity.models import Activity
+from member.models import Club, Membership
+from note.models import NoteUser
+from wei.models import WEIClub, Bus, WEIRegistration
+
+
+class TestPermissionDenied(TestCase):
+    """
+    Load some protected pages and check that we have 403 errors.
+    """
+    fixtures = ('initial',)
+
+    def setUp(self) -> None:
+        # Create sample user with no rights
+        self.user = User.objects.create(
+            username="toto",
+        )
+        NoteUser.objects.create(user=self.user)
+        self.client.force_login(self.user)
+
+    def test_consos(self):
+        response = self.client.get(reverse("note:consos"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_activity(self):
+        response = self.client.get(reverse("activity:activity_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_activity_entries(self):
+        activity = Activity.objects.create(
+            name="",
+            description="",
+            creater=self.user,
+            activity_type_id=1,
+            organizer_id=1,
+            attendees_club_id=1,
+            date_start=timezone.now(),
+            date_end=timezone.now(),
+        )
+        response = self.client.get(reverse("activity:activity_entry", kwargs=dict(pk=activity.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_invite_activity(self):
+        activity = Activity.objects.create(
+            name="",
+            description="",
+            creater=self.user,
+            activity_type_id=1,
+            organizer_id=1,
+            attendees_club_id=1,
+            date_start=timezone.now(),
+            date_end=timezone.now(),
+        )
+        response = self.client.get(reverse("activity:activity_invite", kwargs=dict(pk=activity.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_club(self):
+        response = self.client.get(reverse("member:club_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_add_member_club(self):
+        club = Club.objects.create()
+        response = self.client.get(reverse("member:club_add_member", kwargs=dict(club_pk=club.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_renew_membership(self):
+        club = Club.objects.create()
+        membership = Membership.objects.create(user=self.user, club=club)
+        response = self.client.get(reverse("member:club_renew_membership", kwargs=dict(pk=membership.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_weiclub(self):
+        response = self.client.get(reverse("wei:wei_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_wei_bus(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:add_bus", kwargs=dict(pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_wei_team(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        bus = Bus.objects.create(wei=wei)
+        response = self.client.get(reverse("wei:add_team", kwargs=dict(pk=bus.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_1a_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:wei_register_1A", kwargs=dict(wei_pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_old_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:wei_register_2A", kwargs=dict(wei_pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_validate_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        registration = WEIRegistration.objects.create(wei=wei, user=self.user, birth_date="2000-01-01")
+        response = self.client.get(reverse("wei:validate_registration", kwargs=dict(pk=registration.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_invoice(self):
+        response = self.client.get(reverse("treasury:invoice_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_invoices(self):
+        response = self.client.get(reverse("treasury:invoice_list"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_remittance(self):
+        response = self.client.get(reverse("treasury:remittance_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_remittance(self):
+        response = self.client.get(reverse("treasury:remittance_list"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_soge_credits(self):
+        response = self.client.get(reverse("treasury:soge_credits"))
+        self.assertEqual(response.status_code, 403)
--- a/apps/permission/tests/test_permission_queries.py
+++ b/apps/permission/tests/test_permission_queries.py
@ -10,7 +10,7 @@ from member.models import Club, Membership
 from note.models import NoteUser, Note, NoteClub, NoteSpecial
 from wei.models import WEIMembership, WEIRegistration, WEIClub, Bus, BusTeam

-from .models import Permission
+from ..models import Permission


 class PermissionQueryTestCase(TestCase):
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@ -1,12 +1,14 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from datetime import date

+from django.core.exceptions import PermissionDenied
 from django.db.models import Q
 from django.forms import HiddenInput
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import UpdateView, TemplateView
+from django.views.generic import UpdateView, TemplateView, CreateView
 from member.models import Membership

 from .backends import PermissionBackend
@ -42,6 +44,30 @@ class ProtectQuerysetMixin:
        return form


+class ProtectedCreateView(CreateView):
+    """
+    Extends a CreateView to check is the user has the right to create a sample instance of the given Model.
+    If not, a 403 error is displayed.
+    """
+
+    def get_sample_object(self):
+        """
+        return a sample instance of the Model.
+        It should be valid (can be stored properly in database), but must not collide with existing data.
+        """
+        raise NotImplementedError
+
+    def dispatch(self, request, *args, **kwargs):
+        model_class = self.model
+        # noinspection PyProtectedMember
+        app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
+        perm = app_label + ".add_" + model_name
+        if not PermissionBackend.check_perm(request.user, perm, self.get_sample_object()):
+            raise PermissionDenied(_("You don't have the permission to add an instance of model "
+                                     "{app_label}.{model_name}.").format(app_label=app_label, model_name=model_name))
+        return super().dispatch(request, *args, **kwargs)
+
+
 class RightsView(TemplateView):
    template_name = "permission/all_rights.html"
    extra_context = {"title": _("Rights")}