From 9168f2f153c5dcdc156ce4b58119108ed81b0e87 Mon Sep 17 00:00:00 2001
From: Alastair Porter
Date: Tue, 19 Sep 2023 19:20:30 +0200
Subject: [PATCH] Only show tickets to the user who created it, or moderators

---
 accounts/fixtures/moderation_test_users.json | 22 ++++++++++++++++++
 tickets/tests.py | 24 ++++++++++++++++++++
 tickets/urls.py | 4 ----
 tickets/views.py | 14 ++++-------
 4 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/accounts/fixtures/moderation_test_users.json b/accounts/fixtures/moderation_test_users.json
index f2565b17d..89a7d5ed8 100644
--- a/accounts/fixtures/moderation_test_users.json
+++ b/accounts/fixtures/moderation_test_users.json
@@ -21,6 +21,28 @@
 "date_joined": "2011-03-01 15:43:05"
 }
 },
+ {
+ "pk": null,
+ "model": "auth.user",
+ "fields": {
+ "username": "second_test_user",
+ "first_name": "",
+ "last_name": "",
+ "is_active": true,
+ "is_superuser": false,
+ "is_staff": false,
+ "last_login": "2011-03-01 15:43:05",
+ "groups": [
+
+ ],
+ "user_permissions": [
+
+ ],
+ "password": "pbkdf2_sha256$24000$aiyPNxcYNtkU$bU2xoxfjFH6/Mkfx+D5tXLshXsybPmRITi0ZjRWFIwI=",
+ "email": "test.user+4@gmail.com",
+ "date_joined": "2011-03-01 15:43:05"
+ }
+ },
 {
 "pk": null,
 "model": "auth.user",
diff --git a/tickets/tests.py b/tickets/tests.py
index e41ebe22a..1f755828e 100644
--- a/tickets/tests.py
+++ b/tickets/tests.py
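Review bot: The new fixture user's address `"email": "test.user+4@gmail.com"` points at a real third-party mail domain, so any code path exercised by the tests that mails a ticket sender would target a real mailbox. Presumably this mirrors the existing entries in the fixture, but a reserved domain such as `"email": "test.user+4@example.com"` is the safer convention for test data. The existing entries this one was copied from are outside the hunk.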
@@ -107,6 +107,30 @@ def _create_assigned_ticket(self):
 ticket_assignee=self.test_moderator)
+class TicketAccessTest(TicketTests):
+ """Test that the expected users can view tickets"""
+
+ def test_user_can_view_own_ticket(self):
+ """Test that a ticket can be viewed by the user who created it and by admins,
+ but not by anyone else."""
+ ticket = self._create_assigned_ticket()
+ self.client.force_login(self.test_user)
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 200)
+
+ self.client.force_login(self.test_moderator)
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 200)
+
+ self.client.force_login(User.objects.get(username='second_test_user'))
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 404)
+
+ self.client.logout()
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 302)
+
+
 class MiscTicketTests(TicketTests):
 def test_new_sound_tickets_count(self):
diff --git a/tickets/urls.py b/tickets/urls.py
index 6b2bb8507..6792f1ec4 100644
--- a/tickets/urls.py
+++ b/tickets/urls.py
@@ -70,8 +70,4 @@ path('/', views.ticket, name='tickets-ticket'),
-
- path('/messages/',
- views.sound_ticket_messages,
- name='tickets-ticket-messages'),
 ]
diff --git a/tickets/views.py b/tickets/views.py
index a4f737bb5..b59dd6b3d 100644
--- a/tickets/views.py
+++ b/tickets/views.py
@@ -28,7 +28,7 @@
 from django.contrib.auth.models import User, Group
 from django.db import transaction
 from django.db.models import Count, Min, Q, F
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from general.tasks import whitelist_user
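Review bot: The docstring of `test_user_can_view_own_ticket` says the ticket is viewable "by admins", but the second login is `self.test_moderator` and the commit is about moderators; change it to `and by moderators`. The anonymous case only asserts `status_code == 302`, which any redirect satisfies; asserting that the redirect target is the login page (for instance with `assertRedirects(..., fetch_redirect_response=False)` against the login URL) would actually pin the `@login_required` behaviour. Because the view's new guard sits before its POST handling, a `self.client.post(...)` as `second_test_user` expecting 404 would be a cheap extra check that the status and comment forms are not reachable by non-owners. The test name also understates its scope, since it covers the moderator, other-user and anonymous cases as well.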
@@ -84,12 +84,16 @@ def invalidate_all_moderators_header_cache():
 invalidate_user_template_caches(mod.id)
+@login_required
 def ticket(request, ticket_key):
 can_view_moderator_only_messages = _can_view_mod_msg(request)
 clean_status_forms = True
 clean_comment_form = True
 ticket = get_object_or_404(Ticket.objects.select_related('sound__license', 'sound__user'), key=ticket_key)
+ if not (ticket.sender == request.user or _can_view_mod_msg(request)):
+ raise Http404
+
 if request.method == 'POST':
 invalidate_user_template_caches(ticket.sender.id)
@@ -208,14 +212,6 @@ def new_sound_tickets_count():
 sound__processing_state='OK', status=TICKET_STATUS_NEW))
-@login_required
-def sound_ticket_messages(request, ticket_key):
- can_view_moderator_only_messages = _can_view_mod_msg(request)
- ticket = get_object_or_404(Ticket, key=ticket_key)
- tvars = {"can_view_moderator_only_messages": can_view_moderator_only_messages,
- "ticket": ticket}
- return render(request, 'tickets/message_list.html', tvars)
-
 def _get_new_uploaders_by_ticket():
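Review bot: The new guard calls `_can_view_mod_msg(request)` a second time although the same result was already stored in `can_view_moderator_only_messages` a few lines above; reuse it: `if not (ticket.sender == request.user or can_view_moderator_only_messages):`. A short comment would also tell the next reader why a 404 rather than a 403 is raised, e.g. `# 404 rather than 403 so that non-owners cannot tell whether a ticket key exists`. Since the guard reads `ticket.sender` and the `select_related` call only names `sound__license` and `sound__user`, this presumably costs one extra query per request; adding `'sender'` to `select_related` would avoid it if sender is a foreign key. The body of `ticket` continues beyond the hunk.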