manager: don't respond with menu.json contents if there's not access (#57165)

chrono/manager/views.py

@@ -26,7 +26,7 @@ from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import BooleanField, Count, Max, Min, Q, Value
-from django.http import Http404, HttpResponse, HttpResponseRedirect
+from django.http import Http404, HttpResponse, HttpResponseForbidden, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template.defaultfilters import title
 from django.template.loader import render_to_string
@@ -3188,6 +3188,10 @@ unavailability_calendar_add_unavailability = UnavailabilityCalendarAddUnavailabi
 
 
 def menu_json(request):
+    if not request.user.is_staff:
+        homepage_view = HomepageView(request=request)
+        if not homepage_view.get_queryset().exists():
+            return HttpResponseForbidden()
     label = _('Agendas')
     json_str = json.dumps(
         [

tests/manager/test_all.py

@@ -102,6 +102,21 @@ def test_menu_json(app, admin_user):
     assert resp2.content_type == 'application/javascript'
 
 
+def test_menu_json_manager(app, simple_user, manager_user):
+    app.get('/manage/menu.json', status=302)  # redirect to login
+
+    app = login(app, username='user', password='user')
+    app.get('/manage/menu.json', status=403)
+
+    app = login(app, username='manager', password='manager')
+    app.get('/manage/menu.json', status=403)
+
+    agenda = Agenda(label='Foo bar')
+    agenda.view_role = manager_user.groups.all()[0]
+    agenda.save()
+    app.get('/manage/menu.json', status=200)
+
+
 def test_events_agenda_redirect(app, admin_user):
     agenda = Agenda.objects.create(label='Foo Bar', kind='events')