From 14ed43aaa5971518caa81e1e7d3ecfd2f396ce76 Mon Sep 17 00:00:00 2001
From: imperosol
Date: Thu, 23 Jan 2025 13:32:13 +0100
Subject: [PATCH] fix office counter click access
---
counter/tests/test_counter.py | 12 +++++++++++-
counter/views/click.py | 19 +++++++++++++------
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/counter/tests/test_counter.py b/counter/tests/test_counter.py
index fb64759c..27ce62bc 100644
--- a/counter/tests/test_counter.py
+++ b/counter/tests/test_counter.py
@@ -937,13 +937,23 @@ class TestClubCounterClickAccess(TestCase):
assert res.status_code == 403
def test_board_member(self):
+ """By default, board members should be able to click on office counters"""
baker.make(Membership, club=self.counter.club, user=self.user, role=3)
self.client.force_login(self.user)
res = self.client.get(self.click_url)
assert res.status_code == 200
def test_barman(self):
+ """Sellers should be able to click on office counters"""
self.counter.sellers.add(self.user)
self.client.force_login(self.user)
res = self.client.get(self.click_url)
- assert res.status_code == 403
+ assert res.status_code == 200
+
+ def test_both_barman_and_board_member(self):
+ """If the user is barman and board member, he should be authorized as well."""
self.counter.sellers.add(self.user)
baker.make(Membership, club=self.counter.club, user=self.user, role=3)
self.client.force_login(self.user)
res = self.client.get(self.click_url)
+ assert res.status_code == 200
diff --git a/counter/views/click.py b/counter/views/click.py
index 4a1e1c88..eb6f8e28 100644
--- a/counter/views/click.py
+++ b/counter/views/click.py
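Review bot: The anonymous-user branch that counter/views/click.py now adds (`request.user.is_anonymous`) has no test in this hunk — the new cases cover board member, seller and both, but none sends an unauthenticated GET to `self.click_url`. Unless TestClubCounterClickAccess already has one outside the hunk, add `def test_anonymous(self):` with `res = self.client.get(self.click_url)` and an assertion on the status the view returns to anonymous users (403 from the new check, or a login redirect if CanViewMixin intercepts first — confirm which). The test class body continues outside the hunk on both sides.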
@@ -142,15 +142,16 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
"""
model = Counter
- queryset = Counter.objects.annotate_is_open()
+ queryset = (
+ Counter.objects.exclude(type="EBOUTIC")
+ .annotate_is_open()
+ .select_related("club")
+ )
form_class = BasketForm
template_name = "counter/counter_click.jinja"
pk_url_kwarg = "counter_id"
current_tab = "counter"
- def get_queryset(self):
- return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()
-
def get_form_kwargs(self):
kwargs = super().get_form_kwargs()
kwargs["form_kwargs"] = {
@@ -168,9 +169,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
return redirect(obj) # Redirect to counter
if obj.type == "OFFICE" and (
- obj.sellers.filter(pk=request.user.pk).exists()
- or not obj.club.has_rights_in_club(request.user)
+ request.user.is_anonymous
+ or not (
+ obj.sellers.contains(request.user)
+ or obj.club.has_rights_in_club(request.user)
+ )
):
+ # To be able to click on an office counter,
+ # a user must either be in the board of the club that own the counter
+ # or a seller of this counter.
raise PermissionDenied
if obj.type == "BAR" and (
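Review bot: Moving `annotate_is_open()` into the class-level `queryset` changes when the annotation is built: the expression is constructed once at import and only cloned per request by SingleObjectMixin's `.all()`, so if annotate_is_open() captures a Python-side timestamp (for example `timezone.now()`) rather than a database-side `Now()`, the "is open" value would freeze at process start, whereas the removed `get_queryset()` rebuilt it per request. If that is how the annotation works, keep it in an override — `def get_queryset(self):` / `return super().get_queryset().annotate_is_open()` — and leave only `exclude(type="EBOUTIC").select_related("club")` on the attribute; if it is purely database-side, the move is fine. Either way a one-line comment on the attribute saying which it is would save the next reader the lookup. The CounterClick class header is hunk context and its body continues beyond the hunk.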
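Review bot: The `request.user.is_anonymous` guard does more than short-circuit the permission check — `QuerySet.contains()` raises TypeError for a non-model object such as AnonymousUser, so the guard must stay first in the `or` chain, and a comment like `# anonymous first: sellers.contains() rejects AnonymousUser` would keep a later edit from reordering it. The three-line explanatory comment sits inside the `if` body after the condition it describes; moving it above `if obj.type == "OFFICE" and (` reads better, and it should say `the club that owns the counter`. `QuerySet.contains()` exists only from Django 4.0; if the project targets an older release, `obj.sellers.filter(pk=request.user.pk).exists()` is the portable form. The enclosing method starts before the hunk and continues after it.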