Merge pull request #860 from ae-utbm/fix-sas-owner

Fix sas owner
thomas girod 2024-10-05 21:44:21 +02:00 committed by GitHub
commit cacdf600f4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 53 additions and 4 deletions


@ -991,8 +991,8 @@ class SithFile(models.Model):
return user.is_board_member return user.is_board_member
if user.is_com_admin: if user.is_com_admin:
return True return True
if self.is_in_sas: if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
return user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID) return True
return user.id == self.owner_id return user.id == self.owner_id
def can_be_viewed_by(self, user): def can_be_viewed_by(self, user):
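Review bot: The final `return user.id == self.owner_id` is now reachable for SAS files, and it is true when both sides are `None`, that is, a user object without an id compared against a file without an owner. Whether that can occur depends on the checks above the hunk and on whether `owner` is nullable; neither is visible, because the enclosing method (apparently `is_owned_by`, judging by the tests) starts outside the hunk. If no earlier guard exists, `return self.owner_id is not None and user.id == self.owner_id` closes the gap. A comment above the SAS branch such as `# SAS admins own every SAS file; everyone else falls through to the owner check` would record why the branch no longer returns unconditionally.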


@ -13,8 +13,57 @@ from model_bakery.recipe import Recipe, foreign_key
from PIL import Image from PIL import Image
from pytest_django.asserts import assertNumQueries from pytest_django.asserts import assertNumQueries
from core.baker_recipes import board_user, subscriber_user from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
from core.models import Group, SithFile, User from core.models import Group, RealGroup, SithFile, User
from sas.models import Picture
from sith import settings
@pytest.mark.django_db
class TestImageAccess:
@pytest.mark.parametrize(
"user_factory",
[
lambda: baker.make(User, is_superuser=True),
lambda: baker.make(
User,
groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)],
),
lambda: baker.make(
User,
groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)],
),
],
)
def test_sas_image_access(self, user_factory: Callable[[], User]):
"""Test that only authorized users can access the sas image."""
user = user_factory()
picture: SithFile = baker.make(
Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
)
assert picture.is_owned_by(user)
def test_sas_image_access_owner(self):
"""Test that the owner of the image can access it."""
user = baker.make(User)
picture: Picture = baker.make(Picture, owner=user)
assert picture.is_owned_by(user)
@pytest.mark.parametrize(
"user_factory",
[
lambda: baker.make(User),
subscriber_user.make,
old_subscriber_user.make,
board_user.make,
],
)
def test_sas_image_access_forbidden(self, user_factory: Callable[[], User]):
cache.clear()
user = user_factory()
owner = baker.make(User)
picture: Picture = baker.make(Picture, owner=owner)
assert not picture.is_owned_by(user)
@pytest.mark.django_db @pytest.mark.django_db
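Review bot: `test_sas_image_access_owner` and `test_sas_image_access_forbidden` build the picture with only `owner=...`, without the `parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)` used in `test_sas_image_access`, so they may never reach the `self.is_in_sas` branch this commit changes. If `is_in_sas` is not set automatically for a `Picture` (not visible here), the owner test would have passed before the fix as well and does not guard against a regression. Passing the same `parent` in both tests, or adding `assert picture.is_in_sas` before the ownership assertion, would pin the intended path. Separately, `from sith import settings` reads the settings module directly; `from django.conf import settings` is the form that honours test-time overrides.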