Only show tickets to the user who created it, or moderators

accounts/fixtures/moderation_test_users.json

@@ -21,6 +21,28 @@
       "date_joined": "2011-03-01 15:43:05"
     }
   },
+  {
+    "pk": null,
+    "model": "auth.user",
+    "fields": {
+      "username": "second_test_user",
+      "first_name": "",
+      "last_name": "",
+      "is_active": true,
+      "is_superuser": false,
+      "is_staff": false,
+      "last_login": "2011-03-01 15:43:05",
+      "groups": [
+
+      ],
+      "user_permissions": [
+
+      ],
+      "password": "pbkdf2_sha256$24000$aiyPNxcYNtkU$bU2xoxfjFH6/Mkfx+D5tXLshXsybPmRITi0ZjRWFIwI=",
+      "email": "[email protected]",
+      "date_joined": "2011-03-01 15:43:05"
+    }
+  },
   {
     "pk": null,
     "model": "auth.user",

tickets/tests.py

@@ -107,6 +107,30 @@ def _create_assigned_ticket(self):
                                    ticket_assignee=self.test_moderator)
 
 
+class TicketAccessTest(TicketTests):
+    """Test that the expected users can view tickets"""
+
+    def test_user_can_view_own_ticket(self):
+        """Test that a ticket can be viewed by the user who created it and by admins,
+        but not by anyone else."""
+        ticket = self._create_assigned_ticket()
+        self.client.force_login(self.test_user)
+        resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+        self.assertEqual(resp.status_code, 200)
+
+        self.client.force_login(self.test_moderator)
+        resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+        self.assertEqual(resp.status_code, 200)
+
+        self.client.force_login(User.objects.get(username='second_test_user'))
+        resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+        self.assertEqual(resp.status_code, 404)
+
+        self.client.logout()
+        resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+        self.assertEqual(resp.status_code, 302)
+
+
 class MiscTicketTests(TicketTests):
 
     def test_new_sound_tickets_count(self):

tickets/urls.py

@@ -70,8 +70,4 @@
     path('<ticket_key>/',
         views.ticket,
         name='tickets-ticket'),
-
-    path('<ticket_key>/messages/',
-        views.sound_ticket_messages,
-        name='tickets-ticket-messages'),
 ]

tickets/views.py

@@ -28,7 +28,7 @@
 from django.contrib.auth.models import User, Group
 from django.db import transaction
 from django.db.models import Count, Min, Q, F
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from general.tasks import whitelist_user
@@ -84,12 +84,16 @@ def invalidate_all_moderators_header_cache():
         invalidate_user_template_caches(mod.id)
 
 
+@login_required
 def ticket(request, ticket_key):
     can_view_moderator_only_messages = _can_view_mod_msg(request)
     clean_status_forms = True
     clean_comment_form = True
     ticket = get_object_or_404(Ticket.objects.select_related('sound__license', 'sound__user'), key=ticket_key)
 
+    if not (ticket.sender == request.user or _can_view_mod_msg(request)):
+        raise Http404
+
     if request.method == 'POST':
 
         invalidate_user_template_caches(ticket.sender.id)
@@ -208,14 +212,6 @@ def new_sound_tickets_count():
                                      sound__processing_state='OK',
                                      status=TICKET_STATUS_NEW))
 
-@login_required
-def sound_ticket_messages(request, ticket_key):
-    can_view_moderator_only_messages = _can_view_mod_msg(request)
-    ticket = get_object_or_404(Ticket, key=ticket_key)
-    tvars = {"can_view_moderator_only_messages": can_view_moderator_only_messages,
-             "ticket": ticket}
-    return render(request, 'tickets/message_list.html', tvars)
-
 
 def _get_new_uploaders_by_ticket():