From 7f576c9bc86f5c953ded36b6afb55a00aab69777 Mon Sep 17 00:00:00 2001
From: james1293
Date: Wed, 24 Jul 2019 01:30:07 -0400
Subject: [PATCH] Delete perms: must be staff and in group (#82)
* Delete perms: must be staff and in group
* separate group check and staff check
* test_del_list => test_del_list_not_in_list_group
---
 todo/tests/test_views.py | 14 +++++++-------
 todo/views/del_list.py | 4 +++-
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/todo/tests/test_views.py b/todo/tests/test_views.py
index 9ad05d6..ce35ed7 100644
--- a/todo/tests/test_views.py
+++ b/todo/tests/test_views.py
@@ -62,13 +62,6 @@ def test_view_list(todo_setup, admin_client):
 assert response.status_code == 200
-def test_del_list(todo_setup, admin_client):
- tlist = TaskList.objects.get(slug="zip")
- url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
- response = admin_client.get(url)
- assert response.status_code == 200
-
-
 def test_view_add_list(todo_setup, admin_client):
 url = reverse("todo:add_list")
 response = admin_client.get(url)
@@ -182,6 +175,13 @@ def test_view_del_list_nonadmin(todo_setup, client):
 assert response.status_code == 302 # Fedirected to login
+def test_del_list_not_in_list_group(todo_setup, admin_client):
+ tlist = TaskList.objects.get(slug="zip")
+ url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
+ response = admin_client.get(url)
+ assert response.status_code == 403
+
+
 def test_view_list_mine(todo_setup, client):
 """View a list in a group I belong to. """
diff --git a/todo/views/del_list.py b/todo/views/del_list.py
index c4e044f..b423ddf 100644
--- a/todo/views/del_list.py
+++ b/todo/views/del_list.py
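Review bot: The new test reaches only the group branch of del_list: `admin_client` is presumably a staff user who is not a member of the "zip" list's group (the fixture is not visible here), so the 403 it asserts comes from the group check, and nothing in this hunk exercises the `is_staff` check or the authorized path. The removed `test_del_list` was the only test asserting that a permitted user gets a 200 from this view, and no replacement is added, so a regression that denies everyone would pass the suite. A positive case that adds the admin user to `tlist.group` before the request (constructed sketch below, using pytest-django's `admin_user` fixture) plus a logged-in non-staff group member asserting 403 would pin both branches. `test_view_list_mine` starts in this hunk and continues past it.
```python
# … unchanged: test_del_list_not_in_list_group …
def test_del_list_staff_in_group(todo_setup, admin_client, admin_user):
    tlist = TaskList.objects.get(slug="zip")
    admin_user.groups.add(tlist.group)
    url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
    response = admin_client.get(url)
    assert response.status_code == 200
```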
@@ -17,7 +17,9 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
 # Ensure user has permission to delete list. Get the group this list belongs to,
 # and check whether current user is a member of that group AND a staffer.
- if task_list.group not in request.user.groups.all() and not request.user.is_staff:
+ if task_list.group not in request.user.groups.all():
+ raise PermissionDenied
+ if not request.user.is_staff:
 raise PermissionDenied
 if request.method == "POST":
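Review bot: The first added guard, `task_list.group not in request.user.groups.all()`, loads every group the user belongs to only to test membership of one; `if not request.user.groups.filter(pk=task_list.group_id).exists():` asks the database the same question in a single EXISTS query and also fails closed if `group` is ever null. Since `request.user.is_staff` needs no query, testing it before the group lookup rejects non-staff users without touching the database, and because both branches raise the same `PermissionDenied` the order does not change what a caller observes. del_list's signature appears only in the hunk header and its body continues past the hunk, so whether an unauthenticated user is redirected before reaching these checks cannot be confirmed from here.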