Get settings from defaults everywhere, update tests and perms

2019-04-11 23:44:28 -07:00 · 2019-04-11 23:44:28 -07:00 · 1cd9700366
commit 1cd9700366
parent 7a4984dc35
6 changed files with 30 additions and 15 deletions
--- a/todo/tests/conftest.py
+++ b/todo/tests/conftest.py
@ -11,7 +11,7 @@ def todo_setup(django_user_model):

    g1 = Group.objects.create(name="Workgroup One")
    u1 = django_user_model.objects.create_user(
-        username="u1", password="password", email="u1@example.com"
+        username="u1", password="password", email="u1@example.com", is_staff=True
    )
    u1.groups.add(g1)
    tlist1 = TaskList.objects.create(group=g1, name="Zip", slug="zip")
@ -21,7 +21,7 @@ def todo_setup(django_user_model):

    g2 = Group.objects.create(name="Workgroup Two")
    u2 = django_user_model.objects.create_user(
-        username="u2", password="password", email="u2@example.com"
+        username="u2", password="password", email="u2@example.com", is_staff=True
    )
    u2.groups.add(g2)
    tlist2 = TaskList.objects.create(group=g2, name="Zap", slug="zap")
--- a/todo/tests/test_views.py
+++ b/todo/tests/test_views.py
@ -246,11 +246,17 @@ def test_setting_TODO_STAFF_ONLY_False(todo_setup, client, settings):
    assert response.status_code == 200


-def test_setting_TODO_STAFF_ONLY_True(todo_setup, client, settings):
-    # We use Django's user_passes_test to call `staff_check` utility function on all views.
-    # Just testing one view here; if it works, it works for all of them.
+def test_setting_TODO_STAFF_ONLY_True(todo_setup, client, settings, django_user_model):
+    # We use Django's user_passes_test to call `staff_check` utility function on some views.
+    # Just testing one view here...
    settings.TODO_STAFF_ONLY = True
    url = reverse("todo:lists")
+
+    # Remove staff privileges from user u2; they should not be able to access
+    u2 = django_user_model.objects.get(username="u2")
+    u2.is_staff = False
+    u2.save()
+
    client.login(username="u2", password="password")
    response = client.get(url)
    assert response.status_code == 302  # Redirected to login view
--- a/todo/utils.py
+++ b/todo/utils.py
@ -8,6 +8,7 @@ from django.contrib.sites.models import Site
 from django.core import mail
 from django.template.loader import render_to_string

+from todo.defaults import defaults
 from todo.models import Attachment, Comment, Task

 log = logging.getLogger(__name__)
@ -19,7 +20,7 @@ def staff_check(user):
        https://github.com/shacker/django-todo/issues/50
    """

-    if hasattr(settings, "TODO_STAFF_ONLY") and settings.TODO_STAFF_ONLY:
+    if defaults('TODO_STAFF_ONLY'):
        return user.is_staff
    else:
        # If unset or False, allow all logged in users
@ -27,7 +28,7 @@ def staff_check(user):


 def user_can_read_task(task, user):
-    return task.task_list.group in user.groups.all() or user.is_staff
+    return task.task_list.group in user.groups.all() or user.is_superuser


 def todo_get_backend(task):
--- a/todo/views/external_add.py
+++ b/todo/views/external_add.py
@ -8,6 +8,7 @@ from django.http import HttpResponse
 from django.shortcuts import redirect, render
 from django.template.loader import render_to_string

+from todo.defaults import defaults
 from todo.forms import AddExternalTaskForm
 from todo.models import TaskList
 from todo.utils import staff_check
@ -24,6 +25,7 @@ def external_add(request) -> HttpResponse:
    """

    if not settings.TODO_DEFAULT_LIST_SLUG:
+        # We do NOT provide a default in defaults
        raise RuntimeError(
            "This feature requires TODO_DEFAULT_LIST_SLUG: in settings. See documentation."
        )
@ -41,7 +43,7 @@ def external_add(request) -> HttpResponse:
            task = form.save(commit=False)
            task.task_list = TaskList.objects.get(slug=settings.TODO_DEFAULT_LIST_SLUG)
            task.created_by = request.user
-            if settings.TODO_DEFAULT_ASSIGNEE:
+            if defaults('TODO_DEFAULT_ASSIGNEE'):
                task.assigned_to = User.objects.get(username=settings.TODO_DEFAULT_ASSIGNEE)
            task.save()

@ -69,7 +71,7 @@ def external_add(request) -> HttpResponse:
            messages.success(
                request, "Your trouble ticket has been submitted. We'll get back to you soon."
            )
-            return redirect(settings.TODO_PUBLIC_SUBMIT_REDIRECT)
+            return redirect(defaults("TODO_PUBLIC_SUBMIT_REDIRECT"))

    else:
        form = AddExternalTaskForm(initial={"priority": 999})
--- a/todo/views/list_detail.py
+++ b/todo/views/list_detail.py
@ -28,7 +28,7 @@ def list_detail(request, list_id=None, list_slug=None, view_completed=False) ->
    else:
        # Show a specific list, ensuring permissions.
        task_list = get_object_or_404(TaskList, id=list_id)
-        if task_list.group not in request.user.groups.all() and not request.user.is_staff:
+        if task_list.group not in request.user.groups.all() and not request.user.is_superuser:
            raise PermissionDenied
        tasks = Task.objects.filter(task_list=task_list.id)

--- a/todo/views/task_detail.py
+++ b/todo/views/task_detail.py
@ -11,7 +11,7 @@ from django.http import HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse

-from todo.defaults import TODO_ALLOW_FILE_ATTACHMENTS, TODO_LIMIT_FILE_ATTACHMENTS
+from todo.defaults import defaults
 from todo.features import HAS_TASK_MERGE
 from todo.forms import AddEditTaskForm
 from todo.models import Attachment, Comment, Task
@ -53,7 +53,7 @@ def task_detail(request, task_id: int) -> HttpResponse:
    task = get_object_or_404(Task, pk=task_id)
    comment_list = Comment.objects.filter(task=task_id).order_by("-date")

-    # Ensure user has permission to view task. Admins can view all tasks.
+    # Ensure user has permission to view task. Superusers can view all tasks.
    # Get the group this task belongs to, and check whether current user is a member of that group.
    if not user_can_read_task(task, request.user):
        raise PermissionDenied
@ -120,15 +120,21 @@ def task_detail(request, task_id: int) -> HttpResponse:
    # Handle uploaded files
    if request.FILES.get("attachment_file_input"):
        file = request.FILES.get("attachment_file_input")
+
+        if file.size > defaults('TODO_MAXIMUM_ATTACHMENT_SIZE'):
+            messages.error(request, f"File exceeds maximum attachment size.")
+            return redirect("todo:task_detail", task_id=task.id)
+
        name, extension = os.path.splitext(file.name)

-        if extension not in TODO_LIMIT_FILE_ATTACHMENTS:
+        if extension not in defaults('TODO_LIMIT_FILE_ATTACHMENTS'):
            messages.error(request, f"This site does not allow upload of {extension} files.")
            return redirect("todo:task_detail", task_id=task.id)

        Attachment.objects.create(
            task=task, added_by=request.user, timestamp=datetime.datetime.now(), file=file
        )
+        messages.success(request, f"File attached successfully")
        return redirect("todo:task_detail", task_id=task.id)

    context = {
@ -137,8 +143,8 @@ def task_detail(request, task_id: int) -> HttpResponse:
        "form": form,
        "merge_form": merge_form,
        "thedate": thedate,
-        "comment_classes": getattr(settings, "TODO_COMMENT_CLASSES", []),
-        "attachments_enabled": TODO_ALLOW_FILE_ATTACHMENTS,
+        "comment_classes": defaults("TODO_COMMENT_CLASSES"),
+        "attachments_enabled": defaults('TODO_ALLOW_FILE_ATTACHMENTS'),
    }

    return render(request, "todo/task_detail.html", context)