More protection on pages that require authentication

2024-12-04 18:46:52 +00:00 · 2020-12-22 20:47:43 +01:00 · 2020-12-22 20:47:43 +01:00 · 205760f2e9
commit 205760f2e9
parent 8f742b8e14
3 changed files with 32 additions and 2 deletions
--- a/apps/participation/tests.py
+++ b/apps/participation/tests.py
@ -669,7 +669,7 @@ class TestStudentParticipation(TestCase):

    def test_forbidden_access(self):
        """
-        Load personnal pages and ensure that these are protected.
+        Load personal pages and ensure that these are protected.
        """
        self.user.registration.team = self.team
        self.user.registration.save()
--- a/apps/participation/views.py
+++ b/apps/participation/views.py
@ -39,6 +39,8 @@ class CreateTeamView(LoginRequiredMixin, CreateView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        registration = user.registration
        if not registration.participates:
            raise PermissionDenied(_("You don't participate, so you can't create a team."))
@ -85,6 +87,8 @@ class JoinTeamView(LoginRequiredMixin, FormView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        registration = user.registration
        if not registration.participates:
            raise PermissionDenied(_("You don't participate, so you can't create a team."))
@ -265,6 +269,8 @@ class TeamUpdateView(LoginRequiredMixin, UpdateView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        if user.registration.is_admin or user.registration.participates and \
                user.registration.team and \
                user.registration.team.pk == kwargs["pk"]:
@ -299,6 +305,8 @@ class TeamAuthorizationsView(LoginRequiredMixin, DetailView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        if user.registration.is_admin or user.registration.participates and user.registration.team.pk == kwargs["pk"]:
            return super().dispatch(request, *args, **kwargs)
        raise PermissionDenied
@ -377,6 +385,8 @@ class ParticipationDetailView(LoginRequiredMixin, DetailView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        if not self.get_object().valid:
            raise PermissionDenied(_("The team is not validated yet."))
        if user.registration.is_admin or user.registration.participates \
@ -501,6 +511,8 @@ class UploadVideoView(LoginRequiredMixin, UpdateView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
+        if not user.is_authenticated:
+            return super().handle_no_permission()
        if user.registration.is_admin or user.registration.participates \
                and user.registration.team.participation.pk == self.get_object().participation.pk:
            return super().dispatch(request, *args, **kwargs)
--- a/apps/registration/tests.py
+++ b/apps/registration/tests.py
@ -11,7 +11,7 @@ from django.urls import reverse
 from django.utils import timezone
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_encode
-from participation.models import Phase
+from participation.models import Phase, Team

 from .models import AdminRegistration, CoachRegistration, StudentRegistration

@ -35,6 +35,24 @@ class TestIndexPage(TestCase):
        response = self.client.get(reverse("registration:user_detail", args=(1,)))
        self.assertRedirects(response, reverse("login") + "?next=" + reverse("registration:user_detail", args=(1,)))

+        Team.objects.create()
+        response = self.client.get(reverse("participation:team_detail", args=(1,)))
+        self.assertRedirects(response, reverse("login") + "?next=" + reverse("participation:team_detail", args=(1,)))
+        response = self.client.get(reverse("participation:update_team", args=(1,)))
+        self.assertRedirects(response, reverse("login") + "?next=" + reverse("participation:update_team", args=(1,)))
+        response = self.client.get(reverse("participation:create_team"))
+        self.assertRedirects(response, reverse("login") + "?next=" + reverse("participation:create_team"))
+        response = self.client.get(reverse("participation:join_team"))
+        self.assertRedirects(response, reverse("login") + "?next=" + reverse("participation:join_team"))
+        response = self.client.get(reverse("participation:team_authorizations", args=(1,)))
+        self.assertRedirects(response, reverse("login") + "?next="
+                             + reverse("participation:team_authorizations", args=(1,)))
+        response = self.client.get(reverse("participation:participation_detail", args=(1,)))
+        self.assertRedirects(response, reverse("login") + "?next="
+                             + reverse("participation:participation_detail", args=(1,)))
+        response = self.client.get(reverse("participation:upload_video", args=(1,)))
+        self.assertRedirects(response, reverse("login") + "?next=" + reverse("participation:upload_video", args=(1,)))
+

 class TestRegistration(TestCase):
    def setUp(self) -> None: