From 58cc18d0490866c0d755037d2bb9006719dd4440 Mon Sep 17 00:00:00 2001
From: Timothy Hobbs
Date: Tue, 21 Aug 2018 16:23:25 +0200
Subject: [PATCH] Only staff users should be given access to the RSS feeds
---
 helpdesk/tests/test_navigation.py | 66 +++++++++++++++++++++++++------
 helpdesk/urls.py | 11 +++---
 2 files changed, 60 insertions(+), 17 deletions(-)
diff --git a/helpdesk/tests/test_navigation.py b/helpdesk/tests/test_navigation.py
index a402950c..c95225ff 100644
--- a/helpdesk/tests/test_navigation.py
+++ b/helpdesk/tests/test_navigation.py
@@ -5,7 +5,8 @@ from django.urls import reverse
 from django.test import TestCase
 from helpdesk import settings as helpdesk_settings
-from helpdesk.tests.helpers import (get_staff_user, reload_urlconf, User, update_user_settings, delete_user_settings, create_ticket)
+from helpdesk.models import Queue
+from helpdesk.tests.helpers import (get_staff_user, reload_urlconf, User, update_user_settings, delete_user_settings, create_ticket, print_response)
 class KBDisabledTestCase(TestCase):
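Review bot: `print_response` is added to the helpers import on the new `+from helpdesk.tests.helpers import (...)` line, but none of the test code added by this patch calls it, so it looks like a leftover debugging aid. Unless it is used elsewhere in the file (the rest of the file is outside this hunk), drop it from the import list so the module stays lint-clean.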
@@ -86,28 +87,69 @@ class StaffUsersOnlyTestCase(StaffUserTestCaseMixin, TestCase):
 # Use default values
 HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE = False
- def test_non_staff(self):
- """Non-staff users are correctly identified"""
+ def setUp(self):
+ super().setUp()
+ self.non_staff_user = User.objects.create_user(username='henry.wensleydale', password='gouda', email='wensleydale@example.com')
+
+ def test_staff_user_detection(self):
+ """Staff and non-staff users are correctly identified"""
 from helpdesk.decorators import is_helpdesk_staff
- user = User.objects.create_user(username='henry.wensleydale', password='gouda', email='wensleydale@example.com')
+ self.assertFalse(is_helpdesk_staff(self.non_staff_user))
+ self.assertTrue(is_helpdesk_staff(get_staff_user()))
- self.assertFalse(is_helpdesk_staff(user))
-
- def test_staff_only(self):
- """If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
- only staff users should be able to access the dashboard.
+ def test_staff_can_access_dashboard(self):
+ """When HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
+ staff users should be able to access the dashboard.
 """
 from helpdesk.decorators import is_helpdesk_staff
 user = get_staff_user()
-
- self.assertTrue(is_helpdesk_staff(user))
-
 self.client.login(username=user.username, password='password')
 response = self.client.get(reverse('helpdesk:dashboard'), follow=True)
 self.assertTemplateUsed(response, 'helpdesk/dashboard.html')
+ def test_non_staff_cannot_access_dashboard(self):
+ """When HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
+ non-staff users should not be able to access the dashboard.
+ """
+ from helpdesk.decorators import is_helpdesk_staff
+
+ user = self.non_staff_user
+ self.client.login(username=user.username, password=user.password)
+ response = self.client.get(reverse('helpdesk:dashboard'), follow=True)
+ self.assertTemplateUsed(response, 'helpdesk/registration/login.html')
+
+ def test_staff_rss(self):
+ """If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
+ staff users should be able to access rss feeds.
+ """
+ user = get_staff_user()
+ self.client.login(username=user.username, password='password')
+ response = self.client.get(reverse('helpdesk:rss_unassigned'), follow=True)
+ self.assertContains(response, 'Unassigned Open and Reopened tickets')
+
+ def test_non_staff_cannot_rss(self):
+ """If HELPDESK_ALLOW_NON_STAFF_TICKET_UPDATE is False,
+ non-staff users should not be able to access rss feeds.
+ """
+ user = self.non_staff_user
+ self.client.login(username=user.username, password='password')
+ queue = Queue.objects.create(
+ title="Foo",
+ slug="test_queue",
+ )
+ rss_urls = [
+ reverse('helpdesk:rss_user', args=[user.username]),
+ reverse('helpdesk:rss_user_queue', args=[user.username, 'test_queue']),
+ reverse('helpdesk:rss_queue', args=['test_queue']),
+ reverse('helpdesk:rss_unassigned'),
+ reverse('helpdesk:rss_activity'),
+ ]
+ for rss_url in rss_urls:
+ response = self.client.get(rss_url, follow=True)
+ self.assertTemplateUsed(response, 'helpdesk/registration/login.html')
+
 class CustomStaffUserTestCase(StaffUserTestCaseMixin, TestCase):
 @staticmethod
diff --git a/helpdesk/urls.py b/helpdesk/urls.py
index 6772da22..a347117f 100644
--- a/helpdesk/urls.py
+++ b/helpdesk/urls.py
@@ -12,6 +12,7 @@ from django.contrib.auth.decorators import login_required
 from django.contrib.auth import views as auth_views
 from django.views.generic import TemplateView
+from helpdesk.decorators import helpdesk_staff_member_required
 from helpdesk import settings as helpdesk_settings
 from helpdesk.views import feeds, staff, public, kb
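Review bot: Neither negative test in this hunk logs the non-staff user in, so the staff check is never exercised with an authenticated user: `test_non_staff_cannot_access_dashboard` calls `self.client.login(username=user.username, password=user.password)`, which passes the stored password hash rather than the password, and `test_non_staff_cannot_rss` passes `'password'` although `setUp` created the user with `'gouda'`. Both logins therefore fail silently and the `helpdesk/registration/login.html` redirect the tests assert on is presumably the ordinary anonymous-user path, which would pass even if `helpdesk_staff_member_required` let logged-in non-staff users through. Assert the login result so a credential mistake cannot make the test pass vacuously, `self.assertTrue(self.client.login(username=user.username, password='gouda'))`, in both tests. The unused `from helpdesk.decorators import is_helpdesk_staff` in `test_non_staff_cannot_access_dashboard` and the unused `queue` local in `test_non_staff_cannot_rss` can be removed (or the latter referenced via `queue.slug` in the reverse calls). The enclosing class `StaffUsersOnlyTestCase` starts before this hunk.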
@@ -162,23 +163,23 @@ urlpatterns += [
 urlpatterns += [
 url(r'^rss/user/(?P[^/]+)/$',
- login_required(feeds.OpenTicketsByUser()),
+ helpdesk_staff_member_required(feeds.OpenTicketsByUser()),
 name='rss_user'),
 url(r'^rss/user/(?P[^/]+)/(?P[A-Za-z0-9_-]+)/$',
- login_required(feeds.OpenTicketsByUser()),
+ helpdesk_staff_member_required(feeds.OpenTicketsByUser()),
 name='rss_user_queue'),
 url(r'^rss/queue/(?P[A-Za-z0-9_-]+)/$',
- login_required(feeds.OpenTicketsByQueue()),
+ helpdesk_staff_member_required(feeds.OpenTicketsByQueue()),
 name='rss_queue'),
 url(r'^rss/unassigned/$',
- login_required(feeds.UnassignedTickets()),
+ helpdesk_staff_member_required(feeds.UnassignedTickets()),
 name='rss_unassigned'),
 url(r'^rss/recent_activity/$',
- login_required(feeds.RecentFollowUps()),
+ helpdesk_staff_member_required(feeds.RecentFollowUps()),
 name='rss_activity'),
 ]
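Review bot: The staff check is attached to each feed only at the URL-conf level, so the `feeds.*` objects themselves stay callable without it and any other urlpattern that wires one of them up would silently expose ticket data again. Consider enforcing the rule inside the Feed classes as well (for instance by applying `helpdesk_staff_member_required` to their `__call__`), keeping these wrappers as a second layer rather than the only one. It is also worth a short comment above `urlpatterns += [` recording that every feed in this block is staff-only by design, since a later maintainer adding a sixth entry with `login_required` would reintroduce the original issue.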