From 7a6fbe4d7b808baaae4418a2f859ed416b01b52b Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Sat, 30 Nov 2019 14:15:20 +0100
Subject: [PATCH] limit backup_view access
---
 .../test_customer_backup_table_view.py | 16 +++++++++++++++-
 network_inventory/inventory/views.py | 3 ++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/network_inventory/inventory/tests/test_views/test_customer_backup_table_view.py b/network_inventory/inventory/tests/test_views/test_customer_backup_table_view.py
index 1451b54..c02a170 100644
--- a/network_inventory/inventory/tests/test_views/test_customer_backup_table_view.py
+++ b/network_inventory/inventory/tests/test_views/test_customer_backup_table_view.py
@@ -5,6 +5,8 @@ from django.test import Client
 from helper import in_content, not_in_content
+from inventory.models import Customer
+
 pytestmark=pytest.mark.django_db
 def test_customer_backup_table_not_logged_in():
@@ -29,4 +31,16 @@ def test_customer_backup_table_no_backup(create_admin_user):
 client = Client()
 client.login(username="novartis-admin", password="password")
 response = client.get('/customer/' + str(customer.id) + '/backups/')
- assert response.status_code == 200 and not_in_content(response, "Novartis PC")
+ assert response.status_code == 200
+
+
+def test_customer_backup_table_no_permission(create_admin_user):
+ fixture = create_admin_user()
+ customer = Customer.objects.create(name='Nestle')
+ client = Client()
+ client.login(username="novartis-admin", password="password")
+ computer = mixer.blend('inventory.Computer', customer=customer)
+ backup = mixer.blend('inventory.Backup', computer=computer)
+ response = client.get('/customer/' + str(customer.id) + '/backups/')
+ assert response.status_code == 403
+
diff --git a/network_inventory/inventory/views.py b/network_inventory/inventory/views.py
index 9c07f7f..c5a4662 100644
--- a/network_inventory/inventory/views.py
+++ b/network_inventory/inventory/views.py
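Review bot: In test_customer_backup_table_view.py, the changed assertion in test_customer_backup_table_no_backup drops `not_in_content(response, "Novartis PC")` and now checks only the status code, so the test no longer says anything about what the page renders. If that clause still holds, keep it as its own line, `assert not_in_content(response, "Novartis PC")`. In test_customer_backup_table_no_permission the locals `fixture` and `backup` are assigned and never read; call `create_admin_user()` and `mixer.blend('inventory.Backup', computer=computer)` without binding them, or use them in an assertion. The new test also has no docstring; going by the fixture and customer names, something like `"""A user tied to one customer gets 403 on another customer's backup table."""` would state what the 403 is meant to prove.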
@@ -11,7 +11,7 @@ from django_tables2.views import SingleTableMixin
 from django_filters.views import FilterView
-from .decorators import computer_view_permission
+from .decorators import computer_view_permission, customer_view_permission
 from .models import (Device, Computer, ComputerRamRelation, ComputerDiskRelation, ComputerCpuRelation, ComputerSoftwareRelation, Customer, Net, RaidInComputer,
@@ -97,6 +97,7 @@ def net_detail_view(request, pk):
 @login_required
+@customer_view_permission
 def backups_table_view(request, pk):
 computers = Computer.objects.filter(customer=pk)
 table = BackupsTable(Backup.objects.filter(computer__in=computers))
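Review bot: On backups_table_view the two decorators depend on their order and nothing in the hunk records why: `@login_required` has to stay outermost so that an anonymous request is redirected before `customer_view_permission` looks at `request.user`. I would add a comment above them, for example `# login_required must stay outermost; customer_view_permission checks request.user against the customer identified by pk`. The decorator itself lives in .decorators and is not part of this diff, so how it answers a `pk` that matches no customer (403 or 404) cannot be judged from here and deserves its own test. The queryset `Computer.objects.filter(customer=pk)` is scoped only by the URL value, so the decorator is the sole access check on this view; its body continues outside the hunk.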