perms: Remove the HIJACK_ALLOWED_USER_EMAILS settings

gip-inclusion · Dec 31, 2024 · 2257bf6 · 2257bf6
1 parent c757c2d
commit 2257bf6
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 32 deletions.
diff --git a/config/settings/base.py b/config/settings/base.py
@@ -605,7 +605,6 @@
 AWS_S3_ENDPOINT_URL = f"https://{os.getenv('CELLAR_ADDON_HOST')}/"
 
 HIJACK_PERMISSION_CHECK = "itou.utils.perms.user.has_hijack_perm"
-HIJACK_ALLOWED_USER_EMAILS = [s.lower() for s in os.getenv("HIJACK_ALLOWED_USER_EMAILS", "").split(",") if s]
 # Replaced by ACCOUNT_ADAPTER (see above) for general purpose. We still need it to redirect after hijack
 LOGIN_REDIRECT_URL = "/dashboard/"
 

diff --git a/itou/utils/perms/user.py b/itou/utils/perms/user.py
@@ -1,6 +1,5 @@
 import logging
 
-from django.conf import settings
 from hijack import signals
 
 
@@ -20,9 +19,7 @@ def has_hijack_perm(*, hijacker, hijacked):
         return True
 
     # Only whitelisted staff members can hijack other accounts
-    if hijacker.is_staff and (
-        hijacker.has_perm("users.hijack_user") or hijacker.email.lower() in settings.HIJACK_ALLOWED_USER_EMAILS
-    ):
+    if hijacker.is_staff and hijacker.has_perm("users.hijack_user"):
         return True
 
     return False

diff --git a/tests/utils/perms/tests.py b/tests/utils/perms/tests.py
@@ -2,7 +2,6 @@
 
 import pytest
 from django.contrib.auth.models import Permission
-from django.test import override_settings
 from django.urls import reverse
 from pytest_django.asserts import assertRedirects
 
@@ -56,13 +55,6 @@ def test_disallowed_hijackers(self, client):
         response = client.post(reverse("hijack:acquire"), {"user_pk": hijacked.pk, "next": "/foo/"})
         assert response.status_code == 403
 
-        with override_settings(HIJACK_ALLOWED_USER_EMAILS=["[email protected]", "[email protected]"]):
-            # active staff but not superuser and email not in the whitelist
-            hijacker = ItouStaffFactory(email="[email protected]")
-            client.force_login(hijacker)
-            response = client.post(reverse("hijack:acquire"), {"user_pk": hijacked.pk, "next": "/foo/"})
-            assert response.status_code == 403
-
     @pytest.mark.parametrize("param", ["is_active", "is_superuser", "is_staff"])
     def test_disallowed_hijacked(self, client, param):
         hijacker = ItouStaffFactory(is_superuser=True)
@@ -72,23 +64,6 @@ def test_disallowed_hijacked(self, client, param):
         response = client.post(reverse("hijack:acquire"), {"user_pk": hijacked.pk, "next": "/foo/"})
         assert response.status_code == 403
 
-    def test_allowed_staff_hijacker(self, client, caplog, settings):
-        settings.HIJACK_ALLOWED_USER_EMAILS = ["[email protected]", "[email protected]"]
-        hijacked = PrescriberFactory()
-        hijacker = ItouStaffFactory(email="[email protected]")
-        client.force_login(hijacker)
-
-        response = client.post(reverse("hijack:acquire"), {"user_pk": hijacked.pk, "next": "/foo/"})
-        assert response.status_code == 302
-        assert response["Location"] == "/foo/"
-        assert caplog.records[0].message == f"admin={hijacker} has started impersonation of user={hijacked}"
-        caplog.clear()
-
-        response = client.post(reverse("hijack:release"), {"user_pk": hijacked.pk, "next": "/bar/"})
-        assert response.status_code == 302
-        assert response["Location"] == "/bar/"
-        assert caplog.records[0].message == f"admin={hijacker} has ended impersonation of user={hijacked}"
-
     def test_permission_staff_hijacker(self, client, caplog):
         hijacked = PrescriberFactory()
         hijacker = ItouStaffFactory(is_staff=True)
@@ -107,9 +82,8 @@ def test_permission_staff_hijacker(self, client, caplog):
         assert caplog.records[0].message == f"admin={hijacker} has ended impersonation of user={hijacked}"
 
     def test_allowed_django_prescriber(self, client, caplog, settings):
-        settings.HIJACK_ALLOWED_USER_EMAILS = ["[email protected]", "[email protected]"]
         hijacked = PrescriberFactory(identity_provider=IdentityProvider.DJANGO)
-        hijacker = ItouStaffFactory(email="[email protected]")
+        hijacker = ItouStaffFactory(is_superuser=True)
         client.force_login(hijacker)
 
         response = client.post(reverse("hijack:acquire"), {"user_pk": hijacked.pk, "next": "/foo/"})