

Delete perms: must be staff and in group (#82)
* Delete perms: must be staff and in group

* separate group check and staff check

* test_del_list => test_del_list_not_in_list_group
james1293 authored and shacker committed Jul 24, 2019
1 parent 21e0c6d commit 7f576c9
Showing 2 changed files with 10 additions and 8 deletions.
14 changes: 7 additions & 7 deletions todo/tests/test_views.py
Expand Up @@ -62,13 +62,6 @@ def test_view_list(todo_setup, admin_client):
assert response.status_code == 200


def test_del_list(todo_setup, admin_client):
tlist = TaskList.objects.get(slug="zip")
url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
response = admin_client.get(url)
assert response.status_code == 200


def test_view_add_list(todo_setup, admin_client):
url = reverse("todo:add_list")
response = admin_client.get(url)
Expand Down Expand Up @@ -182,6 +175,13 @@ def test_view_del_list_nonadmin(todo_setup, client):
assert response.status_code == 302 # Fedirected to login


def test_del_list_not_in_list_group(todo_setup, admin_client):
tlist = TaskList.objects.get(slug="zip")
url = reverse("todo:del_list", kwargs={"list_id": tlist.id, "list_slug": tlist.slug})
response = admin_client.get(url)
assert response.status_code == 403


def test_view_list_mine(todo_setup, client):
"""View a list in a group I belong to.
"""
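Review bot: Removing test_del_list takes away the only visible assertion that the permitted path (a staff user who is also in the list's group) still returns 200, while the added test_del_list_not_in_list_group at the second hunk only pins the group rejection for the admin client. Unless it is covered elsewhere in the file, a positive test that adds the admin user to `tlist.group` before the GET and asserts 200, plus one where a non-staff member of the group gets 403, would pin both guards the view now applies separately. A one-line docstring on the new test, such as `"""A staff user outside the list's group may not delete it."""`, would match the style of test_view_list_mine just below it. The todo_setup fixture that decides the admin user's group membership is outside the hunk, so the 403 expectation is inferred from the test name and the view change.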
4 changes: 3 additions & 1 deletion todo/views/del_list.py
Expand Up @@ -17,7 +17,9 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:

# Ensure user has permission to delete list. Get the group this list belongs to,
# and check whether current user is a member of that group AND a staffer.
if task_list.group not in request.user.groups.all() and not request.user.is_staff:
if task_list.group not in request.user.groups.all():
raise PermissionDenied
if not request.user.is_staff:
raise PermissionDenied

if request.method == "POST":
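Review bot: The membership test on the new `if task_list.group not in request.user.groups.all():` line loads every group the user belongs to only to check one of them; `if not request.user.groups.filter(pk=task_list.group_id).exists():` asks the database the same question with a single EXISTS query and raises the same PermissionDenied. The `is_staff` guard below it needs no query at all, so placing it first lets the non-staff case fail before any database work, and since both guards raise the same exception the observable result is unchanged either way. The comment above the guards already describes the conjunction the split now enforces, so it needs no rewording. del_list's body begins and ends outside the hunk.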
