Delete perms: must be staff and in group (#82)

* Delete perms: must be staff and in group

* separate group check and staff check

* test_del_list => test_del_list_not_in_list_group

todo/tests/test_views.py

@@ -62,13 +62,6 @@ def test_view_list(todo_setup, admin_client):
     assert response.status_code == 200
 
 
-def test_del_list(todo_setup, admin_client):
-    tlist = TaskList.objects.get(slug="zip")
-    url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
-    response = admin_client.get(url)
-    assert response.status_code == 200
-
-
 def test_view_add_list(todo_setup, admin_client):
     url = reverse("todo:add_list")
     response = admin_client.get(url)
@@ -182,6 +175,13 @@ def test_view_del_list_nonadmin(todo_setup, client):
     assert response.status_code == 302  # Fedirected to login
 
 
+def test_del_list_not_in_list_group(todo_setup, admin_client):
+    tlist = TaskList.objects.get(slug="zip")
+    url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
+    response = admin_client.get(url)
+    assert response.status_code == 403
+
+
 def test_view_list_mine(todo_setup, client):
     """View a list in a group I belong to.
     """

todo/views/del_list.py

@@ -17,7 +17,9 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
 
     # Ensure user has permission to delete list. Get the group this list belongs to,
     # and check whether current user is a member of that group AND a staffer.
-    if task_list.group not in request.user.groups.all() and not request.user.is_staff:
+    if task_list.group not in request.user.groups.all():
+        raise PermissionDenied    
+    if not request.user.is_staff:
         raise PermissionDenied
 
     if request.method == "POST":