From 022c19c0200fe2853a9229e685600eed3d83c000 Mon Sep 17 00:00:00 2001
From: Sli
Date: Mon, 23 Dec 2024 02:17:28 +0100
Subject: [PATCH] Fix counter permissions issues

---
 counter/models.py | 2 +-
 counter/tests/test_counter.py | 85 +++++++++++++++++++++++++++++++++--
 counter/views/click.py | 8 ++--
 3 files changed, 87 insertions(+), 8 deletions(-)

diff --git a/counter/models.py b/counter/models.py
index 489b0794..6668e520 100644
--- a/counter/models.py
+++ b/counter/models.py
@@ -527,7 +527,7 @@ class Counter(models.Model):
         if user.is_anonymous:
             return False
         mem = self.club.get_membership_for(user)
-        if mem and mem.role >= 7:
+        if mem and mem.role >= settings.SITH_CLUB_ROLES_ID["Treasurer"]:
             return True
         return user.is_in_group(pk=settings.SITH_GROUP_COUNTER_ADMIN_ID)
 
diff --git a/counter/tests/test_counter.py b/counter/tests/test_counter.py
index 6ed3e08b..c7b91c4d 100644
--- a/counter/tests/test_counter.py
+++ b/counter/tests/test_counter.py
@@ -30,7 +30,7 @@ from freezegun import freeze_time
 from model_bakery import baker
 
 from club.models import Club, Membership
-from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
+from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
 from counter.baker_recipes import product_recipe
 from counter.models import (
@@ -67,7 +67,11 @@ class FullClickSetup:
         sub.subscription_end = localdate() - timedelta(days=89)
         sub.save()
 
-        cls.customer_old_can_not_buy = old_subscriber_user.make()
+        cls.customer_old_can_not_buy = subscriber_user.make()
+        sub = cls.customer_old_can_not_buy.subscriptions.first()
+        sub.subscription_end = localdate() - timedelta(days=90)
+        sub.save()
+
         cls.customer_can_not_buy = baker.make(User)
 
         cls.club_counter = baker.make(Counter, type="OFFICE")
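Review bot: The comparison still relies on role ids being ordered by privilege — `mem.role >= settings.SITH_CLUB_ROLES_ID["Treasurer"]` grants access to every role whose id is numerically above the treasurer's, and a name-keyed dict does not by itself guarantee that ordering. If that ordering is an invariant of `SITH_CLUB_ROLES_ID`, pin it on the line, e.g. `# role ids grow with privilege: treasurer and any higher role may use the counter`; otherwise compare against an explicit set of allowed role ids. It is also not visible here whether `get_membership_for` excludes ended memberships; if it can return a past one, former treasurers keep counter access, which is worth confirming. The enclosing method starts outside the hunk.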
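Review bot: The 90-day grace period is now hard-coded twice in this setup (89 days on the context line above, 90 days on the added assignment) with nothing stating which side of the boundary each fixture user is meant to sit on. A one-line comment on the added assignment, `# subscription ended exactly at the 90-day grace boundary: this user must NOT be able to buy`, makes the boundary explicit; if the grace period lives in a settings constant, deriving both deltas from it would keep the tests from drifting from the code. The enclosing setup method starts outside the hunk.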
@@ -448,7 +452,7 @@ class TestCounterClick(FullClickSetup, TestCase):
         assert resp.status_code == 302
         assert resp.url == resolve_url(self.counter)
 
-        assert self.updated_amount(self.banned_counter_customer) == Decimal("10")
+        assert self.updated_amount(user) == Decimal("10")
 
     def test_click_user_without_customer(self):
         self.login_in_bar()
@@ -462,6 +466,81 @@ class TestCounterClick(FullClickSetup, TestCase):
             == 404
         )
 
+    def test_click_allowed_old_subscriber(self):
+        self.login_in_bar()
+        self.refill_user(self.customer_old_can_buy, 10)
+        assert (
+            self.submit_basket(
+                self.customer_old_can_buy,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+            ).status_code
+            == 302
+        )
+
+        assert self.updated_amount(self.customer_old_can_buy) == Decimal("7")
+
+    def test_click_wrong_counter(self):
+        self.login_in_bar()
+        self.refill_user(self.customer, 10)
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.other_counter,
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        # We want to test sending requests from another counter while
+        # we are currently registered to another counter
+        # so we connect to a counter and
+        # we create a new client, in order to check
+        # that using a client not logged to a counter
+        # where another client is logged still isn't authorized.
+        client = Client()
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.counter,
+                client=client,
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        assert self.updated_amount(self.customer) == Decimal("10")
+
+    def test_click_not_connected(self):
+        self.refill_user(self.customer, 10)
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+            ).status_code
+            == 302  # Redirect to counter main
+        )
+
+        assert (
+            self.submit_basket(
+                self.customer,
+                [
+                    BasketItem(self.snack.id, 2),
+                ],
+                counter=self.club_counter,
+            ).status_code
+            == 403
+        )
+
+        assert self.updated_amount(self.customer) == Decimal("10")
+
     def test_annotate_has_barman_queryset(self):
         """Test if the custom queryset method `annotate_has_barman` works as intended."""
         counters = Counter.objects.annotate_has_barman(self.barmen)
diff --git a/counter/views/click.py b/counter/views/click.py
index e74a48c5..3a320337 100644
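Review bot: The new OFFICE permission check (`has_rights_in_club`) is only exercised for an anonymous requester, in `test_click_not_connected`; there is no test where an authenticated user without rights in the counter's club posts to `self.club_counter`, which is the case the view change in this commit is really about. Adding that case pins both the 403 and the unchanged balance for a logged-in non-member, assuming `self.customer` holds no membership in `club_counter.club` (not visible here). A comment on the second assertion of `test_click_wrong_counter` could also say that the fresh `Client()` carries no session at all, so it exercises the missing-token branch rather than a mismatched token.
```python
    def test_click_office_counter_without_club_rights(self):
        # logged in, but not a member of the club that owns the office counter
        self.client.force_login(self.customer)
        self.refill_user(self.customer, 10)
        assert (
            self.submit_basket(
                self.customer,
                [BasketItem(self.snack.id, 2)],
                counter=self.club_counter,
            ).status_code
            == 403
        )
        assert self.updated_amount(self.customer) == Decimal("10")
```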
--- a/counter/views/click.py
+++ b/counter/views/click.py
@@ -149,7 +149,7 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
     current_tab = "counter"
 
     def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC")
+        return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
@@ -167,13 +167,13 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
         if not self.customer.can_buy or self.customer.user.is_banned_counter:
             return redirect(obj)  # Redirect to counter
 
-        if obj.type != "BAR" and not request.user.is_authenticated:
+        if obj.type == "OFFICE" and not obj.club.has_rights_in_club(request.user):
             raise PermissionDenied
 
         if obj.type == "BAR" and (
-            "counter_token" not in request.session
+            not obj.is_open
+            or "counter_token" not in request.session
             or request.session["counter_token"] != obj.token
-            or len(obj.barmen_list) == 0
         ):
             return redirect(obj)  # Redirect to counter
 
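Review bot: The BAR check further down this file now reads `obj.is_open`, which exists only because this queryset adds the annotation; if `is_open` is purely an annotation, an object fetched through any other path raises `AttributeError` instead of failing closed. A comment on the return line records the coupling, e.g. `# annotate_is_open(): the BAR branch below relies on obj.is_open`. The enclosing class continues outside the hunk.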
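Review bot: The `can_buy` / `is_banned_counter` check at the top of the hunk runs before anything is checked about who is making the request, so on an OFFICE counter an anonymous or unauthorized caller gets a 302 when the targeted customer cannot buy or is banned and a 403 otherwise — a small oracle on other users' subscription and ban status (the 404 for an unknown customer pinned by `test_click_user_without_customer` is pre-existing). Evaluate the requester's permissions first and only then look at the customer. The enclosing method starts outside the hunk, so where `self.customer` is resolved is not visible; if that lookup happens earlier, the same reordering applies there.
```python
        # authorise the requester before touching the targeted customer,
        # so the response does not reveal that customer's status
        if obj.type == "OFFICE" and not obj.club.has_rights_in_club(request.user):
            raise PermissionDenied

        if obj.type == "BAR" and (
            not obj.is_open
            or "counter_token" not in request.session
            or request.session["counter_token"] != obj.token
        ):
            return redirect(obj)  # Redirect to counter

        if not self.customer.can_buy or self.customer.user.is_banned_counter:
            return redirect(obj)  # Redirect to counter
```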