forked from extern/django-helpdesk
Merge pull request #746 from CedricCarrard/fix/issue-#505
Fixed #505 -- Remove infinite loop with user_passes_test
This commit is contained in:
Garret Wassermann
GitHub
commit
671cdd19c3
@ -1,9 +1,12 @@
|
||||
from functools import wraps
|
||||
|
||||
from django.urls import reverse
|
||||
from django.http import HttpResponseRedirect, Http404
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.http import Http404
|
||||
from django.shortcuts import redirect
|
||||
|
||||
from django.utils.decorators import available_attrs
|
||||
|
||||
|
||||
from helpdesk import settings as helpdesk_settings
|
||||
|
||||
|
||||
@ -15,9 +18,41 @@ def protect_view(view_func):
|
||||
@wraps(view_func, assigned=available_attrs(view_func))
|
||||
def _wrapped_view(request, *args, **kwargs):
|
||||
if not request.user.is_authenticated and helpdesk_settings.HELPDESK_REDIRECT_TO_LOGIN_BY_DEFAULT:
|
||||
return HttpResponseRedirect(reverse('helpdesk:login'))
|
||||
return redirect('helpdesk:login')
|
||||
elif not request.user.is_authenticated and helpdesk_settings.HELPDESK_ANON_ACCESS_RAISES_404:
|
||||
raise Http404
|
||||
return view_func(request, *args, **kwargs)
|
||||
|
||||
return _wrapped_view
|
||||
|
||||
|
||||
def staff_member_required(view_func):
|
||||
"""
|
||||
Decorator for staff member the views checking user, redirecting
|
||||
to the log-in page if necessary or returning 403
|
||||
"""
|
||||
@wraps(view_func, assigned=available_attrs(view_func))
|
||||
def _wrapped_view(request, *args, **kwargs):
|
||||
if not request.user.is_authenticated and not request.user.is_active:
|
||||
return redirect('helpdesk:login')
|
||||
if not helpdesk_settings.HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE and not request.user.is_staff:
|
||||
raise PermissionDenied()
|
||||
return view_func(request, *args, **kwargs)
|
||||
|
||||
return _wrapped_view
|
||||
|
||||
|
||||
def superuser_required(view_func):
|
||||
"""
|
||||
Decorator for superuser member the views checking user, redirecting
|
||||
to the log-in page if necessary or returning 403
|
||||
"""
|
||||
@wraps(view_func, assigned=available_attrs(view_func))
|
||||
def _wrapped_view(request, *args, **kwargs):
|
||||
if not request.user.is_authenticated and not request.user.is_active:
|
||||
return redirect('helpdesk:login')
|
||||
if not request.user.is_superuser:
|
||||
raise PermissionDenied()
|
||||
return view_func(request, *args, **kwargs)
|
||||
|
||||
return _wrapped_view
|
||||
|
||||
@ -5,12 +5,18 @@ from django.contrib.auth import get_user_model
|
||||
User = get_user_model()
|
||||
|
||||
|
||||
def get_staff_user(username='helpdesk.staff', password='password'):
|
||||
def get_user(username='helpdesk.staff',
|
||||
password='password',
|
||||
is_staff=False,
|
||||
is_superuser=False):
|
||||
try:
|
||||
user = User.objects.get(username=username)
|
||||
except User.DoesNotExist:
|
||||
user = User.objects.create_user(username=username, password=password, email='staff@example.com')
|
||||
user.is_staff = True
|
||||
user = User.objects.create_user(username=username,
|
||||
password=password,
|
||||
email='%s@example.com' % username)
|
||||
user.is_staff = is_staff
|
||||
user.is_superuser = is_superuser
|
||||
user.save()
|
||||
else:
|
||||
user.set_password(password)
|
||||
|
||||
@ -3,7 +3,7 @@ from django.urls import reverse
|
||||
from django.test import TestCase
|
||||
|
||||
from helpdesk.models import KBCategory
|
||||
from helpdesk.tests.helpers import get_staff_user, reload_urlconf
|
||||
from helpdesk.tests.helpers import get_user, reload_urlconf
|
||||
|
||||
|
||||
class TestKBDisabled(TestCase):
|
||||
@ -26,7 +26,7 @@ class TestKBDisabled(TestCase):
|
||||
"""Test proper rendering of navigation.html by accessing the dashboard"""
|
||||
from django.urls import NoReverseMatch
|
||||
|
||||
self.client.login(username=get_staff_user().get_username(), password='password')
|
||||
self.client.login(username=get_user(is_staff=True).get_username(), password='password')
|
||||
self.assertRaises(NoReverseMatch, reverse, 'helpdesk:kb_index')
|
||||
try:
|
||||
response = self.client.get(reverse('helpdesk:dashboard'))
|
||||
@ -45,3 +45,48 @@ class TestKBDisabled(TestCase):
|
||||
response = self.client.get(reverse('helpdesk:home'))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertTemplateUsed(response, 'helpdesk/public_homepage.html')
|
||||
|
||||
|
||||
class TestDecorator(TestCase):
|
||||
|
||||
def test_staff_member_restrictions(self):
|
||||
user = get_user(username='helpdesk.user',
|
||||
password='password')
|
||||
|
||||
self.client.login(username=user.get_username(),
|
||||
password='password')
|
||||
response = self.client.get(reverse('helpdesk:list'))
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_staff_member_access(self):
|
||||
user = get_user(username='helpdesk.user',
|
||||
password='password',
|
||||
is_staff=True)
|
||||
|
||||
self.client.login(username=user.get_username(),
|
||||
password='password')
|
||||
response = self.client.get(reverse('helpdesk:list'))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertTemplateUsed(response, 'helpdesk/ticket_list.html')
|
||||
|
||||
def test_superuser_member_restrictions(self):
|
||||
user = get_user(username='helpdesk.superuser',
|
||||
password='password',
|
||||
is_staff=True)
|
||||
|
||||
self.client.login(username=user.get_username(),
|
||||
password='password')
|
||||
response = self.client.get(reverse('helpdesk:email_ignore'))
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_superuser_member_access(self):
|
||||
user = get_user(username='helpdesk.superuser',
|
||||
password='password',
|
||||
is_staff=True,
|
||||
is_superuser=True)
|
||||
|
||||
self.client.login(username=user.get_username(),
|
||||
password='password')
|
||||
response = self.client.get(reverse('helpdesk:email_ignore'))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertTemplateUsed(response, 'helpdesk/email_ignore_list.html')
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
from django.urls import reverse
|
||||
from django.test import TestCase
|
||||
from helpdesk.models import Queue
|
||||
from helpdesk.tests.helpers import get_staff_user
|
||||
from helpdesk.tests.helpers import get_user
|
||||
|
||||
|
||||
class TestSavingSharedQuery(TestCase):
|
||||
@ -14,7 +14,7 @@ class TestSavingSharedQuery(TestCase):
|
||||
def test_cansavequery(self):
|
||||
"""Can a query be saved"""
|
||||
url = reverse('helpdesk:savequery')
|
||||
self.client.login(username=get_staff_user().get_username(),
|
||||
self.client.login(username=get_user(is_staff=True).get_username(),
|
||||
password='password')
|
||||
response = self.client.post(
|
||||
url,
|
||||
|
||||
@ -13,10 +13,8 @@ import re
|
||||
from django import VERSION as DJANGO_VERSION
|
||||
from django.conf import settings
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.contrib.auth.decorators import user_passes_test
|
||||
from django.urls import reverse
|
||||
from django.core.exceptions import ValidationError, PermissionDenied
|
||||
from django.db import connection
|
||||
from django.db.models import Q
|
||||
from django.http import HttpResponseRedirect, Http404, HttpResponse
|
||||
from django.shortcuts import render, get_object_or_404
|
||||
@ -32,8 +30,9 @@ from helpdesk.forms import (
|
||||
TicketForm, UserSettingsForm, EmailIgnoreForm, EditTicketForm, TicketCCForm,
|
||||
TicketCCEmailForm, TicketCCUserForm, EditFollowUpForm, TicketDependencyForm
|
||||
)
|
||||
from helpdesk.decorators import staff_member_required, superuser_required
|
||||
from helpdesk.lib import (
|
||||
send_templated_mail, query_to_dict, apply_query, safe_template_context,
|
||||
send_templated_mail, apply_query, safe_template_context,
|
||||
process_attachments, queue_template_context,
|
||||
)
|
||||
from helpdesk.models import (
|
||||
@ -42,22 +41,10 @@ from helpdesk.models import (
|
||||
)
|
||||
from helpdesk import settings as helpdesk_settings
|
||||
|
||||
|
||||
User = get_user_model()
|
||||
|
||||
|
||||
if helpdesk_settings.HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE:
|
||||
# treat 'normal' users like 'staff'
|
||||
staff_member_required = user_passes_test(
|
||||
lambda u: u.is_authenticated and u.is_active)
|
||||
else:
|
||||
staff_member_required = user_passes_test(
|
||||
lambda u: u.is_authenticated and u.is_active and u.is_staff)
|
||||
|
||||
|
||||
superuser_required = user_passes_test(
|
||||
lambda u: u.is_authenticated and u.is_active and u.is_superuser)
|
||||
|
||||
|
||||
def _get_user_queues(user):
|
||||
"""Return the list of Queues the user can access.
|
||||
|
||||
@ -97,6 +84,7 @@ def _is_my_ticket(user, ticket):
|
||||
return False
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def dashboard(request):
|
||||
"""
|
||||
A quick summary overview for users: A list of their own tickets, a table
|
||||
@ -162,9 +150,7 @@ def dashboard(request):
|
||||
})
|
||||
|
||||
|
||||
dashboard = staff_member_required(dashboard)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def delete_ticket(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -181,9 +167,7 @@ def delete_ticket(request, ticket_id):
|
||||
return HttpResponseRedirect(reverse('helpdesk:home'))
|
||||
|
||||
|
||||
delete_ticket = staff_member_required(delete_ticket)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def followup_edit(request, ticket_id, followup_id):
|
||||
"""Edit followup options with an ability to change the ticket."""
|
||||
followup = get_object_or_404(FollowUp, id=followup_id)
|
||||
@ -236,9 +220,7 @@ def followup_edit(request, ticket_id, followup_id):
|
||||
return HttpResponseRedirect(reverse('helpdesk:view', args=[ticket.id]))
|
||||
|
||||
|
||||
followup_edit = staff_member_required(followup_edit)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def followup_delete(request, ticket_id, followup_id):
|
||||
"""followup delete for superuser"""
|
||||
|
||||
@ -251,9 +233,7 @@ def followup_delete(request, ticket_id, followup_id):
|
||||
return HttpResponseRedirect(reverse('helpdesk:view', args=[ticket.id]))
|
||||
|
||||
|
||||
followup_delete = staff_member_required(followup_delete)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def view_ticket(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -323,9 +303,6 @@ def view_ticket(request, ticket_id):
|
||||
})
|
||||
|
||||
|
||||
view_ticket = staff_member_required(view_ticket)
|
||||
|
||||
|
||||
def return_ticketccstring_and_show_subscribe(user, ticket):
|
||||
"""used in view_ticket() and followup_edit()"""
|
||||
# create the ticketcc_string and check whether current user is already
|
||||
@ -666,6 +643,7 @@ def return_to_ticket(user, helpdesk_settings, ticket):
|
||||
return HttpResponseRedirect(ticket.ticket_url)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def mass_update(request):
|
||||
tickets = request.POST.getlist('ticket_id')
|
||||
action = request.POST.get('action', None)
|
||||
@ -781,9 +759,7 @@ def mass_update(request):
|
||||
return HttpResponseRedirect(reverse('helpdesk:list'))
|
||||
|
||||
|
||||
mass_update = staff_member_required(mass_update)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_list(request):
|
||||
context = {}
|
||||
|
||||
@ -970,9 +946,7 @@ def ticket_list(request):
|
||||
))
|
||||
|
||||
|
||||
ticket_list = staff_member_required(ticket_list)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def edit_ticket(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -991,9 +965,7 @@ def edit_ticket(request, ticket_id):
|
||||
return render(request, 'helpdesk/edit_ticket.html', {'form': form})
|
||||
|
||||
|
||||
edit_ticket = staff_member_required(edit_ticket)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def create_ticket(request):
|
||||
if helpdesk_settings.HELPDESK_STAFF_ONLY_TICKET_OWNERS:
|
||||
assignable_users = User.objects.filter(is_active=True, is_staff=True).order_by(User.USERNAME_FIELD)
|
||||
@ -1030,9 +1002,7 @@ def create_ticket(request):
|
||||
return render(request, 'helpdesk/create_ticket.html', {'form': form})
|
||||
|
||||
|
||||
create_ticket = staff_member_required(create_ticket)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def raw_details(request, type):
|
||||
# TODO: This currently only supports spewing out 'PreSetReply' objects,
|
||||
# in the future it needs to be expanded to include other items. All it
|
||||
@ -1051,9 +1021,7 @@ def raw_details(request, type):
|
||||
raise Http404
|
||||
|
||||
|
||||
raw_details = staff_member_required(raw_details)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def hold_ticket(request, ticket_id, unhold=False):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -1082,23 +1050,17 @@ def hold_ticket(request, ticket_id, unhold=False):
|
||||
return HttpResponseRedirect(ticket.get_absolute_url())
|
||||
|
||||
|
||||
hold_ticket = staff_member_required(hold_ticket)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def unhold_ticket(request, ticket_id):
|
||||
return hold_ticket(request, ticket_id, unhold=True)
|
||||
|
||||
|
||||
unhold_ticket = staff_member_required(unhold_ticket)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def rss_list(request):
|
||||
return render(request, 'helpdesk/rss_list.html', {'queues': Queue.objects.all()})
|
||||
|
||||
|
||||
rss_list = staff_member_required(rss_list)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def report_index(request):
|
||||
number_tickets = Ticket.objects.all().count()
|
||||
saved_query = request.GET.get('saved_query', None)
|
||||
@ -1133,9 +1095,7 @@ def report_index(request):
|
||||
})
|
||||
|
||||
|
||||
report_index = staff_member_required(report_index)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def run_report(request, report):
|
||||
if Ticket.objects.all().count() == 0 or report not in (
|
||||
'queuemonth', 'usermonth', 'queuestatus', 'queuepriority', 'userstatus',
|
||||
@ -1339,9 +1299,7 @@ def run_report(request, report):
|
||||
})
|
||||
|
||||
|
||||
run_report = staff_member_required(run_report)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def save_query(request):
|
||||
title = request.POST.get('title', None)
|
||||
shared = request.POST.get('shared', False)
|
||||
@ -1358,9 +1316,7 @@ def save_query(request):
|
||||
return HttpResponseRedirect('%s?saved_query=%s' % (reverse('helpdesk:list'), query.id))
|
||||
|
||||
|
||||
save_query = staff_member_required(save_query)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def delete_saved_query(request, id):
|
||||
query = get_object_or_404(SavedSearch, id=id, user=request.user)
|
||||
|
||||
@ -1371,9 +1327,7 @@ def delete_saved_query(request, id):
|
||||
return render(request, 'helpdesk/confirm_delete_saved_query.html', {'query': query})
|
||||
|
||||
|
||||
delete_saved_query = staff_member_required(delete_saved_query)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def user_settings(request):
|
||||
s = request.user.usersettings_helpdesk
|
||||
if request.POST:
|
||||
@ -1387,18 +1341,14 @@ def user_settings(request):
|
||||
return render(request, 'helpdesk/user_settings.html', {'form': form})
|
||||
|
||||
|
||||
user_settings = staff_member_required(user_settings)
|
||||
|
||||
|
||||
@superuser_required
|
||||
def email_ignore(request):
|
||||
return render(request, 'helpdesk/email_ignore_list.html', {
|
||||
'ignore_list': IgnoreEmail.objects.all(),
|
||||
})
|
||||
|
||||
|
||||
email_ignore = superuser_required(email_ignore)
|
||||
|
||||
|
||||
@superuser_required
|
||||
def email_ignore_add(request):
|
||||
if request.method == 'POST':
|
||||
form = EmailIgnoreForm(request.POST)
|
||||
@ -1411,9 +1361,7 @@ def email_ignore_add(request):
|
||||
return render(request, 'helpdesk/email_ignore_add.html', {'form': form})
|
||||
|
||||
|
||||
email_ignore_add = superuser_required(email_ignore_add)
|
||||
|
||||
|
||||
@superuser_required
|
||||
def email_ignore_del(request, id):
|
||||
ignore = get_object_or_404(IgnoreEmail, id=id)
|
||||
if request.method == 'POST':
|
||||
@ -1423,9 +1371,7 @@ def email_ignore_del(request, id):
|
||||
return render(request, 'helpdesk/email_ignore_del.html', {'ignore': ignore})
|
||||
|
||||
|
||||
email_ignore_del = superuser_required(email_ignore_del)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_cc(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -1440,9 +1386,7 @@ def ticket_cc(request, ticket_id):
|
||||
})
|
||||
|
||||
|
||||
ticket_cc = staff_member_required(ticket_cc)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_cc_add(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -1468,9 +1412,7 @@ def ticket_cc_add(request, ticket_id):
|
||||
})
|
||||
|
||||
|
||||
ticket_cc_add = staff_member_required(ticket_cc_add)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_cc_del(request, ticket_id, cc_id):
|
||||
cc = get_object_or_404(TicketCC, ticket__id=ticket_id, id=cc_id)
|
||||
|
||||
@ -1481,9 +1423,7 @@ def ticket_cc_del(request, ticket_id, cc_id):
|
||||
return render(request, 'helpdesk/ticket_cc_del.html', {'cc': cc})
|
||||
|
||||
|
||||
ticket_cc_del = staff_member_required(ticket_cc_del)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_dependency_add(request, ticket_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -1506,9 +1446,7 @@ def ticket_dependency_add(request, ticket_id):
|
||||
})
|
||||
|
||||
|
||||
ticket_dependency_add = staff_member_required(ticket_dependency_add)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def ticket_dependency_del(request, ticket_id, dependency_id):
|
||||
dependency = get_object_or_404(TicketDependency, ticket__id=ticket_id, id=dependency_id)
|
||||
if request.method == 'POST':
|
||||
@ -1517,9 +1455,7 @@ def ticket_dependency_del(request, ticket_id, dependency_id):
|
||||
return render(request, 'helpdesk/ticket_dependency_del.html', {'dependency': dependency})
|
||||
|
||||
|
||||
ticket_dependency_del = staff_member_required(ticket_dependency_del)
|
||||
|
||||
|
||||
@staff_member_required
|
||||
def attachment_del(request, ticket_id, attachment_id):
|
||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||
if not _has_access_to_queue(request.user, ticket.queue):
|
||||
@ -1537,9 +1473,6 @@ def attachment_del(request, ticket_id, attachment_id):
|
||||
})
|
||||
|
||||
|
||||
attachment_del = staff_member_required(attachment_del)
|
||||
|
||||
|
||||
def calc_average_nbr_days_until_ticket_resolved(Tickets):
|
||||
nbr_closed_tickets = len(Tickets)
|
||||
days_per_ticket = 0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user