Only staff users should be given access to the RSS feeds

Timothy Hobbs 2018-08-21 16:23:25 +02:00
parent 13539e3056
commit 58cc18d049
No known key found for this signature in database
GPG Key ID: 9CA9B3D779CEEDE7
2 changed files with 60 additions and 17 deletions


@ -5,7 +5,8 @@ from django.urls import reverse
from django.test import TestCase from django.test import TestCase
from helpdesk import settings as helpdesk_settings from helpdesk import settings as helpdesk_settings
from helpdesk.tests.helpers import (get_staff_user, reload_urlconf, User, update_user_settings, delete_user_settings, create_ticket) from helpdesk.models import Queue
from helpdesk.tests.helpers import (get_staff_user, reload_urlconf, User, update_user_settings, delete_user_settings, create_ticket, print_response)
class KBDisabledTestCase(TestCase): class KBDisabledTestCase(TestCase):
@ -86,28 +87,69 @@ class StaffUsersOnlyTestCase(StaffUserTestCaseMixin, TestCase):
# Use default values # Use default values
HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE = False HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE = False
def test_non_staff(self): def setUp(self):
"""Non-staff users are correctly identified""" super().setUp()
self.non_staff_user = User.objects.create_user(username='henry.wensleydale', password='gouda', email='wensleydale@example.com')
def test_staff_user_detection(self):
"""Staff and non-staff users are correctly identified"""
from helpdesk.decorators import is_helpdesk_staff from helpdesk.decorators import is_helpdesk_staff
user = User.objects.create_user(username='henry.wensleydale', password='gouda', email='wensleydale@example.com') self.assertFalse(is_helpdesk_staff(self.non_staff_user))
self.assertTrue(is_helpdesk_staff(get_staff_user()))
self.assertFalse(is_helpdesk_staff(user)) def test_staff_can_access_dashboard(self):
"""When HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
def test_staff_only(self): staff users should be able to access the dashboard.
"""If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
only staff users should be able to access the dashboard.
""" """
from helpdesk.decorators import is_helpdesk_staff from helpdesk.decorators import is_helpdesk_staff
user = get_staff_user() user = get_staff_user()
self.assertTrue(is_helpdesk_staff(user))
self.client.login(username=user.username, password='password') self.client.login(username=user.username, password='password')
response = self.client.get(reverse('helpdesk:dashboard'), follow=True) response = self.client.get(reverse('helpdesk:dashboard'), follow=True)
self.assertTemplateUsed(response, 'helpdesk/dashboard.html') self.assertTemplateUsed(response, 'helpdesk/dashboard.html')
def test_non_staff_cannot_access_dashboard(self):
"""When HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
non-staff users should not be able to access the dashboard.
"""
from helpdesk.decorators import is_helpdesk_staff
user = self.non_staff_user
self.client.login(username=user.username, password=user.password)
response = self.client.get(reverse('helpdesk:dashboard'), follow=True)
self.assertTemplateUsed(response, 'helpdesk/registration/login.html')
def test_staff_rss(self):
"""If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
staff users should be able to access rss feeds.
"""
user = get_staff_user()
self.client.login(username=user.username, password='password')
response = self.client.get(reverse('helpdesk:rss_unassigned'), follow=True)
self.assertContains(response, 'Unassigned Open and Reopened tickets')
def test_non_staff_cannot_rss(self):
"""If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
non-staff users should not be able to access rss feeds.
"""
user = self.non_staff_user
self.client.login(username=user.username, password='password')
queue = Queue.objects.create(
title="Foo",
slug="test_queue",
)
rss_urls = [
reverse('helpdesk:rss_user', args=[user.username]),
reverse('helpdesk:rss_user_queue', args=[user.username, 'test_queue']),
reverse('helpdesk:rss_queue', args=['test_queue']),
reverse('helpdesk:rss_unassigned'),
reverse('helpdesk:rss_activity'),
]
for rss_url in rss_urls:
response = self.client.get(rss_url, follow=True)
self.assertTemplateUsed(response, 'helpdesk/registration/login.html')
class CustomStaffUserTestCase(StaffUserTestCaseMixin, TestCase): class CustomStaffUserTestCase(StaffUserTestCaseMixin, TestCase):
@staticmethod @staticmethod
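Review bot: `test_non_staff_cannot_access_dashboard` logs in with `password=user.password`, which is the stored password hash rather than the plaintext `'gouda'` used in `setUp` and in `test_non_staff_cannot_rss`, so the login fails and the dashboard request is made anonymously; the login template is then reached whether or not the dashboard actually rejects an authenticated non-staff user. Use `self.client.login(username=user.username, password='gouda')` and consider asserting that `login()` returns True so a silently failed login cannot make the test pass. The `from helpdesk.decorators import is_helpdesk_staff` line in that method is unused and can be dropped. `print_response` is added to the helpers import but is not used anywhere in this hunk; if it is a leftover debugging aid it should go.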


@ -12,6 +12,7 @@ from django.contrib.auth.decorators import login_required
from django.contrib.auth import views as auth_views from django.contrib.auth import views as auth_views
from django.views.generic import TemplateView from django.views.generic import TemplateView
from helpdesk.decorators import helpdesk_staff_member_required
from helpdesk import settings as helpdesk_settings from helpdesk import settings as helpdesk_settings
from helpdesk.views import feeds, staff, public, kb from helpdesk.views import feeds, staff, public, kb
@ -162,23 +163,23 @@ urlpatterns += [
urlpatterns += [ urlpatterns += [
url(r'^rss/user/(?P<user_name>[^/]+)/$', url(r'^rss/user/(?P<user_name>[^/]+)/$',
login_required(feeds.OpenTicketsByUser()), helpdesk_staff_member_required(feeds.OpenTicketsByUser()),
name='rss_user'), name='rss_user'),
url(r'^rss/user/(?P<user_name>[^/]+)/(?P<queue_slug>[A-Za-z0-9_-]+)/$', url(r'^rss/user/(?P<user_name>[^/]+)/(?P<queue_slug>[A-Za-z0-9_-]+)/$',
login_required(feeds.OpenTicketsByUser()), helpdesk_staff_member_required(feeds.OpenTicketsByUser()),
name='rss_user_queue'), name='rss_user_queue'),
url(r'^rss/queue/(?P<queue_slug>[A-Za-z0-9_-]+)/$', url(r'^rss/queue/(?P<queue_slug>[A-Za-z0-9_-]+)/$',
login_required(feeds.OpenTicketsByQueue()), helpdesk_staff_member_required(feeds.OpenTicketsByQueue()),
name='rss_queue'), name='rss_queue'),
url(r'^rss/unassigned/$', url(r'^rss/unassigned/$',
login_required(feeds.UnassignedTickets()), helpdesk_staff_member_required(feeds.UnassignedTickets()),
name='rss_unassigned'), name='rss_unassigned'),
url(r'^rss/recent_activity/$', url(r'^rss/recent_activity/$',
login_required(feeds.RecentFollowUps()), helpdesk_staff_member_required(feeds.RecentFollowUps()),
name='rss_activity'), name='rss_activity'),
] ]
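Review bot: Replacing `login_required` with `helpdesk_staff_member_required` on the five `rss_*` routes makes feed access depend on whatever `is_helpdesk_staff` decides, and the accompanying tests only run with `HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE = False`; if that setting widens `is_helpdesk_staff` to ordinary users (the decorator is not visible here), the feeds are reopened to them without any test noticing. A comment above the block would make the coupling explicit, e.g. `# RSS feeds expose ticket data, so they use the same staff gate as the staff views (helpdesk_staff_member_required / is_helpdesk_staff, which honours HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE).`, and a test for the True case would pin the intended behaviour. The `rss_user` and `rss_user_queue` routes still take `user_name` from the URL, so presumably any staff member can read any other user's feed; that is unchanged by this commit, but if it is intended it belongs in the same comment.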