diff --git a/accounts/fixtures/moderation_test_users.json b/accounts/fixtures/moderation_test_users.json
index f2565b17d..89a7d5ed8 100644
--- a/accounts/fixtures/moderation_test_users.json
+++ b/accounts/fixtures/moderation_test_users.json
@@ -21,6 +21,28 @@
 "date_joined": "2011-03-01 15:43:05"
 }
 },
+ {
+ "pk": null,
+ "model": "auth.user",
+ "fields": {
+ "username": "second_test_user",
+ "first_name": "",
+ "last_name": "",
+ "is_active": true,
+ "is_superuser": false,
+ "is_staff": false,
+ "last_login": "2011-03-01 15:43:05",
+ "groups": [
+
+ ],
+ "user_permissions": [
+
+ ],
+ "password": "pbkdf2_sha256$24000$aiyPNxcYNtkU$bU2xoxfjFH6/Mkfx+D5tXLshXsybPmRITi0ZjRWFIwI=",
+ "email": "test.user+4@gmail.com",
+ "date_joined": "2011-03-01 15:43:05"
+ }
+ },
 {
 "pk": null,
 "model": "auth.user",
diff --git a/tickets/tests.py b/tickets/tests.py
index e41ebe22a..1f755828e 100644
--- a/tickets/tests.py
+++ b/tickets/tests.py
@@ -107,6 +107,30 @@ def _create_assigned_ticket(self):
 ticket_assignee=self.test_moderator)
+class TicketAccessTest(TicketTests):
+ """Test that the expected users can view tickets"""
+
+ def test_user_can_view_own_ticket(self):
+ """Test that a ticket can be viewed by the user who created it and by admins,
+ but not by anyone else."""
+ ticket = self._create_assigned_ticket()
+ self.client.force_login(self.test_user)
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 200)
+
+ self.client.force_login(self.test_moderator)
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 200)
+
+ self.client.force_login(User.objects.get(username='second_test_user'))
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 404)
+
+ self.client.logout()
+ resp = self.client.get(reverse('tickets-ticket', args=[ticket.key]))
+ self.assertEqual(resp.status_code, 302)
+
+
 class MiscTicketTests(TicketTests):
 def test_new_sound_tickets_count(self):
diff --git a/tickets/urls.py b/tickets/urls.py
index 1d6ccf425..4239c1279 100644
--- a/tickets/urls.py
+++ b/tickets/urls.py
@@ -75,10 +75,6 @@
 views.ticket,
 name='tickets-ticket'),
- path('/messages/',
- views.sound_ticket_messages,
- name='tickets-ticket-messages'),
-
 path('moderation/whitelist//',
 views.whitelist_user,
 name='tickets-whitelist-user'),
diff --git a/tickets/views.py b/tickets/views.py
index 56c2640af..8ab8bf27a 100644
--- a/tickets/views.py
+++ b/tickets/views.py
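Review bot: The docstring on `test_user_can_view_own_ticket` says a ticket can be viewed "by admins", but the second case logs in `self.test_moderator`, so the docstring and the case it describes disagree; suggest `"""A ticket can be viewed by its sender and by moderators, but not by other users (404) or by anonymous visitors (redirect to login)."""`. The same `reverse('tickets-ticket', args=[ticket.key])` expression is built four times; hoisting it once into `url = reverse('tickets-ticket', args=[ticket.key])` before the first `force_login` leaves each case as a two-line pair. Only GET is exercised, while a POST from `second_test_user` to the same view (the comment/status forms) is the more consequential path to lock down; one extra assertion such as `self.assertEqual(self.client.post(url, {}).status_code, 404)` in the third case would pin it. The anonymous case asserts only the 302; checking that the redirect targets the login page would make it stricter, assuming the project's login URL is available to the test.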
@@ -28,7 +28,7 @@
 from django.contrib.auth.models import User, Group
 from django.db import transaction
 from django.db.models import Count, Min, Q, F
-from django.http import HttpResponseRedirect, JsonResponse
+from django.http import HttpResponseRedirect, JsonResponse, Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from general.tasks import whitelist_user as whitelist_user_task
@@ -78,12 +78,16 @@ def is_selected(request, prefix):
 return False
+@login_required
 def ticket(request, ticket_key):
 can_view_moderator_only_messages = _can_view_mod_msg(request)
 clean_status_forms = True
 clean_comment_form = True
 ticket = get_object_or_404(Ticket.objects.select_related('sound__license', 'sound__user'), key=ticket_key)
+ if not (ticket.sender == request.user or _can_view_mod_msg(request)):
+ raise Http404
+
 if request.method == 'POST':
 invalidate_user_template_caches(ticket.sender.id)
@@ -205,14 +209,6 @@ def new_sound_tickets_count():
 sound__processing_state='OK',
 status=TICKET_STATUS_NEW).count()
-@login_required
-def sound_ticket_messages(request, ticket_key):
- can_view_moderator_only_messages = _can_view_mod_msg(request)
- ticket = get_object_or_404(Ticket, key=ticket_key)
- tvars = {"can_view_moderator_only_messages": can_view_moderator_only_messages,
- "ticket": ticket}
- return render(request, 'tickets/message_list.html', tvars)
-
 def _get_new_uploaders_by_ticket():
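Review bot: The new guard in `ticket` calls `_can_view_mod_msg(request)` a second time although its result is already held in `can_view_moderator_only_messages` three lines above; reuse the local, `if not (ticket.sender == request.user or can_view_moderator_only_messages):`. Raising `Http404` rather than answering 403 deliberately avoids confirming to a non-sender that a ticket key exists, and that choice deserves a one-line comment at the guard so nobody later "fixes" it to a 403, e.g. `# 404 rather than 403: do not reveal ticket existence to users who are neither its sender nor moderators`. Because `@login_required` now wraps the view and the sender check sits before the `request.method == 'POST'` branch, the comment and status forms handled further down can only be submitted by the sender or a moderator, which is what the new tests pin; the body of `ticket` continues outside the hunk, so any later branch that reads `request.user` should be checked against the same rule. The other two hunks (the `Http404` import and the removal of `sound_ticket_messages`) raise nothing on their own.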