Custom perm decorator to raise 403

2018-03-26 23:49:25 -07:00 · 2018-03-26 23:49:25 -07:00 · dbc379da6a
commit dbc379da6a
parent f4d1da0ab7
1 changed files with 18 additions and 3 deletions
--- a/todo/views.py
+++ b/todo/views.py
@ -3,7 +3,6 @@ import datetime
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
-from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth.models import User
 from django.contrib.sites.models import Site
 from django.core.exceptions import PermissionDenied
@ -25,6 +24,22 @@ from todo.utils import (
    )


+def staff_only(function):
+    """
+    Custom view decorator allows us to raise 403 on insufficient permissions,
+    rather than redirect user to login view.
+    """
+    def wrap(request, *args, **kwargs):
+        if request.user.is_staff:
+            return function(request, *args, **kwargs)
+        else:
+            raise PermissionDenied
+
+    wrap.__doc__ = function.__doc__
+    wrap.__name__ = function.__name__
+    return wrap
+
+
@login_required
 def list_lists(request) -> HttpResponse:
    """Homepage view - list of lists a user can view, and ability to add a list.
@ -62,7 +77,7 @@ def list_lists(request) -> HttpResponse:
    return render(request, 'todo/list_lists.html', context)


-@staff_member_required
+@staff_only
@login_required
 def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
    """Delete an entire list. Danger Will Robinson! Only staff members should be allowed to access this view.
@ -244,7 +259,7 @@ def reorder_tasks(request) -> HttpResponse:
    return HttpResponse(status=201)


-@staff_member_required
+@staff_only
@login_required
 def add_list(request) -> HttpResponse:
    """Allow users to add a new todo list to the group they're in.