manager: let user with view permission access the events agenda page (#22245)

chrono/manager/views.py

@@ -360,6 +360,19 @@ class AgendaSettings(ManagedAgendaMixin, DetailView):
     template_name = 'chrono/manager_agenda_settings.html'
     model = Agenda
 
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            self.agenda = Agenda.objects.get(id=kwargs.get('pk'))
+        except Agenda.DoesNotExist:
+            raise Http404()
+        if not self.agenda.can_be_managed(request.user):
+            # "events" agendas settings page can be access by user with the
+            # view permission as there are no other "view" page for this type
+            # of agenda.
+            if self.agenda.kind != 'events' or not self.agenda.can_be_viewed(request.user):
+                raise PermissionDenied()
+        return super(DetailView, self).dispatch(request, *args, **kwargs)
+
     def get_context_data(self, **kwargs):
         context = super(AgendaSettings, self).get_context_data(**kwargs)
         context['user_can_manage'] = self.get_object().can_be_managed(self.request.user)

tests/test_manager.py

@@ -119,8 +119,8 @@ def test_view_agendas_as_manager(app, manager_user):
     agenda.view_role = manager_user.groups.all()[0]
     agenda.save()
 
-    agenda = Agenda(label=u'Bar Foo')
-    agenda.save()
+    agenda2 = Agenda(label=u'Bar Foo')
+    agenda2.save()
 
     app = login(app, username='manager', password='manager')
     resp = app.get('/manage/', status=200)
@@ -128,7 +128,21 @@ def test_view_agendas_as_manager(app, manager_user):
     assert 'Bar Foo' not in resp.body
     assert 'New' not in resp.body
 
-    app.get('/manage/agendas/%s/' % agenda.id, status=403)
+    # check user doesn't have access
+    app.get('/manage/agendas/%s/' % agenda2.id, status=403)
+
+    # check view gives access to the settings page for "events" agenda
+    resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=200)
+    # but there's no links to actions
+    assert not '>New Event<' in resp.body
+    assert not '>Options<' in resp.body
+    app.get('/manage/agendas/%s/add-event' % agenda.id, status=403)
+    app.get('/manage/agendas/%s/edit' % agenda.id, status=403)
+
+    # check it doesn't give access for "meetings" agenda
+    agenda.kind = 'meetings'
+    agenda.save()
+    resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=403)
 
 def test_add_agenda(app, admin_user):
     app = login(app)
@@ -176,9 +190,16 @@ def test_options_agenda_as_manager(app, manager_user):
     resp = app.get('/manage/', status=200)
     resp = resp.click('Foo bar')
     assert not 'Settings' in resp.body
+    resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=200)  # ok for "events" agendas
+    resp = app.get('/manage/agendas/%s/edit' % agenda.id, status=403)
+    agenda.kind = 'meetings'
+    agenda.save()
     resp = app.get('/manage/agendas/%s/settings' % agenda.id, status=403)
     resp = app.get('/manage/agendas/%s/edit' % agenda.id, status=403)
 
+    agenda.kind = 'events'
+    agenda.save()
+
     agenda.edit_role = manager_user.groups.all()[0]
     agenda.save()
 
@@ -282,7 +303,6 @@ def test_add_event_as_manager(app, manager_user):
     agenda.save()
     app = login(app, username='manager', password='manager')
     resp = app.get('/manage/agendas/%s/' % agenda.id, status=302)
-    app.get('/manage/agendas/%s/settings' % agenda.id, status=403)
     app.get('/manage/agendas/%s/add-event' % agenda.id, status=403)
 
     agenda.edit_role = manager_user.groups.all()[0]