manager: don't respond with menu.json contents if there's not access (#57165)
parent
0ba53a1d7d
commit
06291d148f
|
@ -26,7 +26,7 @@ from django.contrib import messages
|
|||
from django.core.exceptions import PermissionDenied
|
||||
from django.db import transaction
|
||||
from django.db.models import BooleanField, Count, Max, Min, Q, Value
|
||||
from django.http import Http404, HttpResponse, HttpResponseRedirect
|
||||
from django.http import Http404, HttpResponse, HttpResponseForbidden, HttpResponseRedirect
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
from django.template.defaultfilters import title
|
||||
from django.template.loader import render_to_string
|
||||
|
@ -3188,6 +3188,10 @@ unavailability_calendar_add_unavailability = UnavailabilityCalendarAddUnavailabi
|
|||
|
||||
|
||||
def menu_json(request):
|
||||
if not request.user.is_staff:
|
||||
homepage_view = HomepageView(request=request)
|
||||
if not homepage_view.get_queryset().exists():
|
||||
return HttpResponseForbidden()
|
||||
label = _('Agendas')
|
||||
json_str = json.dumps(
|
||||
[
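Review bot: The new guard at the top of `menu_json` decides access by building `HomepageView(request=request)` by hand and calling `get_queryset()` on it, so the authorization rule for this endpoint is whatever that view's listing filter happens to be. The instance is also used without Django's `setup()` having run, so it has no `self.args` or `self.kwargs`; if `get_queryset` ever reads those, this path would fail with a 500 rather than a clean 403. If the homepage listing is later widened for display reasons, access to the menu widens silently with it, so the shared filter would be safer in a helper that both call. At minimum add a comment above the check, e.g. `# non-staff users get the menu only if HomepageView would list at least one agenda for them`. The body of `menu_json` continues past the end of the hunk, so the JSON/JSONP branches that follow cannot be judged from here.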
|
||||
|
|
|
@ -102,6 +102,21 @@ def test_menu_json(app, admin_user):
|
|||
assert resp2.content_type == 'application/javascript'
|
||||
|
||||
|
||||
def test_menu_json_manager(app, simple_user, manager_user):
|
||||
app.get('/manage/menu.json', status=302) # redirect to login
|
||||
|
||||
app = login(app, username='user', password='user')
|
||||
app.get('/manage/menu.json', status=403)
|
||||
|
||||
app = login(app, username='manager', password='manager')
|
||||
app.get('/manage/menu.json', status=403)
|
||||
|
||||
agenda = Agenda(label='Foo bar')
|
||||
agenda.view_role = manager_user.groups.all()[0]
|
||||
agenda.save()
|
||||
app.get('/manage/menu.json', status=200)
|
||||
|
||||
|
||||
def test_events_agenda_redirect(app, admin_user):
|
||||
agenda = Agenda.objects.create(label='Foo Bar', kind='events')
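Review bot: `test_menu_json_manager` only checks the plain user's 403 while no agenda exists at all, so it would still pass if the view merely tested "some agenda exists" instead of "an agenda visible to this user exists". After the `status=200` assertion for the manager, log back in as the unprivileged user and assert the denial again: `app = login(app, username='user', password='user')` followed by `app.get('/manage/menu.json', status=403)`. That pins the per-user filtering which is the point of the fix; it assumes the `login` helper can be called again on an already logged-in app, as the test already does when switching from user to manager. As a smaller style point, `manager_user.groups.all()[0]` indexes an unordered queryset, and `Agenda.objects.create(label='Foo bar', view_role=...)` would match the form used by the next test.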
|
||||
|
||||
|
|