limit backup_view access

network_inventory/inventory/tests/test_views/test_customer_backup_table_view.py

@@ -5,6 +5,8 @@ from django.test import Client
 
 from helper import in_content, not_in_content
 
+from inventory.models import Customer
+
 pytestmark=pytest.mark.django_db
 
 def test_customer_backup_table_not_logged_in():
@@ -29,4 +31,16 @@ def test_customer_backup_table_no_backup(create_admin_user):
     client = Client()
     client.login(username="novartis-admin", password="password")
     response = client.get('/customer/' + str(customer.id) + '/backups/')
-    assert response.status_code == 200 and not_in_content(response, "Novartis PC")
+    assert response.status_code == 200
+
+
+def test_customer_backup_table_no_permission(create_admin_user):
+    fixture = create_admin_user()
+    customer = Customer.objects.create(name='Nestle')
+    client = Client()
+    client.login(username="novartis-admin", password="password")
+    computer = mixer.blend('inventory.Computer', customer=customer)
+    backup = mixer.blend('inventory.Backup', computer=computer)
+    response = client.get('/customer/' + str(customer.id) + '/backups/')
+    assert response.status_code == 403
+

network_inventory/inventory/views.py

@@ -11,7 +11,7 @@ from django_tables2.views import SingleTableMixin
 
 from django_filters.views import FilterView
 
-from .decorators import computer_view_permission
+from .decorators import computer_view_permission, customer_view_permission
 from .models import (Device, Computer, ComputerRamRelation,
                      ComputerDiskRelation, ComputerCpuRelation,
                      ComputerSoftwareRelation, Customer, Net, RaidInComputer,
@@ -97,6 +97,7 @@ def net_detail_view(request, pk):
 
 
 @login_required
+@customer_view_permission
 def backups_table_view(request, pk):
     computers = Computer.objects.filter(customer=pk)
     table = BackupsTable(Backup.objects.filter(computer__in=computers))