Only allow staff members to manage users.

babybuddy/mixins.py

@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.contrib.auth.mixins import AccessMixin
+
+
+class StaffOnlyMixin(AccessMixin):
+    """
+    Verify the current user is staff.
+    """
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_staff:
+            return self.handle_no_permission()
+        return super().dispatch(request, *args, **kwargs)

babybuddy/templates/babybuddy/nav-dropdown.html

@@ -184,10 +184,8 @@
                             <a href="{% url 'api:api-root' %}"
                                class="dropdown-item"
                                target="_blank">API Browser</a>
-                            {% if perms.admin.add_user %}
-                                <a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
-                            {% endif %}
                             {% if request.user.is_staff %}
+                                <a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
                                 <a href="{% url 'admin:index' %}"
                                    class="dropdown-item"
                                    target="_blank">Backend Admin</a>

babybuddy/tests/tests_forms.py

@@ -56,6 +56,8 @@ class FormsTestCase(TestCase):
         self.assertEqual(page.status_code, 200)
 
     def test_user_forms(self):
+        self.user.is_staff = True
+        self.user.save()
         self.c.login(**self.credentials)
 
         params = {

babybuddy/tests/tests_views.py

@@ -62,6 +62,12 @@ class ViewsTestCase(TestCase):
         self.assertEqual(page.status_code, 200)
 
     def test_user_views(self):
+        # Staff setting is required to access user management.
+        page = self.c.get('/users/')
+        self.assertEqual(page.status_code, 302)
+        self.user.is_staff = True
+        self.user.save()
+
         page = self.c.get('/users/')
         self.assertEqual(page.status_code, 200)
         page = self.c.get('/users/add/')

babybuddy/views.py

@@ -17,6 +17,7 @@ from django.views.generic.edit import CreateView, UpdateView, DeleteView
 from django_filters.views import FilterView
 
 from babybuddy import forms
+from babybuddy.mixins import StaffOnlyMixin
 from core import models
 
 
@@ -40,16 +41,16 @@ class RootRouter(LoginRequiredMixin, RedirectView):
         return super(RootRouter, self).get_redirect_url(self, *args, **kwargs)
 
 
-class UserList(PermissionRequiredMixin, FilterView):
+class UserList(StaffOnlyMixin, FilterView):
     model = User
     template_name = 'babybuddy/user_list.html'
     ordering = 'username'
-    permission_required = ('admin.add_user',)
     paginate_by = 10
     filter_fields = ('username', 'first_name', 'last_name', 'email')
 
 
-class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView):
+class UserAdd(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
+              CreateView):
     model = User
     template_name = 'babybuddy/user_form.html'
     permission_required = ('admin.add_user',)
@@ -58,7 +59,8 @@ class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView):
     success_message = 'User %(username)s added!'
 
 
-class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView):
+class UserUpdate(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
+                 UpdateView):
     model = User
     template_name = 'babybuddy/user_form.html'
     permission_required = ('admin.change_user',)
@@ -67,7 +69,8 @@ class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView):
     success_message = 'User %(username)s updated.'
 
 
-class UserDelete(PermissionRequiredMixin, DeleteView):
+class UserDelete(StaffOnlyMixin, PermissionRequiredMixin,
+                 DeleteView):
     model = User
     template_name = 'babybuddy/user_confirm_delete.html'
     permission_required = ('admin.delete_user',)