Only allow staff members to manage users.

This commit is contained in:
Christopher Charbonneau Wells 2017-12-13 13:49:10 -05:00
parent a4b07c054c
commit 183a30b0a3
5 changed files with 31 additions and 8 deletions

14
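--- a/babybuddy/mixins.py
+++ b/babybuddy/mixins.py
@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+from django.contrib.auth.mixins import AccessMixin
+class StaffOnlyMixin(AccessMixin):
+"""
+Verify the current user is staff.
+"""
+def dispatch(self, request, *args, **kwargs):
+if not request.user.is_staff:
+return self.handle_no_permission()
+return super().dispatch(request, *args, **kwargs)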
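Review bot: `super().dispatch(request, *args, **kwargs)` uses the zero-argument form, which only works on Python 3, while the views.py hunk in this same commit still writes `super(RootRouter, self)` and this file carries `from __future__ import unicode_literals`; if Python 2 is still a supported target this should read `return super(StaffOnlyMixin, self).dispatch(request, *args, **kwargs)`. The docstring should also state what a non-staff user gets, since `handle_no_permission` is inherited from AccessMixin and, depending on the Django version and `raise_exception`, either redirects to the login page (even for an already-authenticated user, which is what the 302 in the views test relies on) or raises PermissionDenied. Suggested docstring: `Verify the current user is staff; otherwise defer to AccessMixin.handle_no_permission (login redirect, or PermissionDenied when raise_exception is set).`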


@ -184,10 +184,8 @@
<a href="{% url 'api:api-root' %}" <a href="{% url 'api:api-root' %}"
class="dropdown-item" class="dropdown-item"
target="_blank">API Browser</a> target="_blank">API Browser</a>
{% if perms.admin.add_user %}
<a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
{% endif %}
{% if request.user.is_staff %} {% if request.user.is_staff %}
<a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
<a href="{% url 'admin:index' %}" <a href="{% url 'admin:index' %}"
class="dropdown-item" class="dropdown-item"
target="_blank">Backend Admin</a> target="_blank">Backend Admin</a>
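Review bot: The Users link is now shown to every staff user, which matches the list view in this commit, but the add, edit and delete views reached from that page still require the `admin.add_user`-style permissions on top of staff status, so a staff user without those permissions sees the link, can browse the user list, and is then refused on every action. If that is intended, a short template comment next to the `{% if request.user.is_staff %}` block noting that listing is staff-only while changes also need model permissions would save the next reader from assuming the two checks are equivalent. The template's path is not shown on this page.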


@ -56,6 +56,8 @@ class FormsTestCase(TestCase):
self.assertEqual(page.status_code, 200) self.assertEqual(page.status_code, 200)
def test_user_forms(self): def test_user_forms(self):
self.user.is_staff = True
self.user.save()
self.c.login(**self.credentials) self.c.login(**self.credentials)
params = { params = {


@ -62,6 +62,12 @@ class ViewsTestCase(TestCase):
self.assertEqual(page.status_code, 200) self.assertEqual(page.status_code, 200)
def test_user_views(self): def test_user_views(self):
# Staff setting is required to access user management.
page = self.c.get('/users/')
self.assertEqual(page.status_code, 302)
self.user.is_staff = True
self.user.save()
page = self.c.get('/users/') page = self.c.get('/users/')
self.assertEqual(page.status_code, 200) self.assertEqual(page.status_code, 200)
page = self.c.get('/users/add/') page = self.c.get('/users/add/')
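Review bot: The new negative check only covers `/users/` as a non-staff user; the add view at `/users/add/` (and the edit/delete views elsewhere in this test) are never requested before `is_staff` is flipped, so a regression that drops StaffOnlyMixin from those views would pass this test. Adding `page = self.c.get('/users/add/')` followed by `self.assertEqual(page.status_code, 302)` before `self.user.is_staff = True` would cover the view that actually creates accounts. A bare 302 also accepts any redirect, so asserting the login URL as the target would be stricter, if the project's login path is known. test_user_views continues past the end of this hunk.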


@ -17,6 +17,7 @@ from django.views.generic.edit import CreateView, UpdateView, DeleteView
from django_filters.views import FilterView from django_filters.views import FilterView
from babybuddy import forms from babybuddy import forms
from babybuddy.mixins import StaffOnlyMixin
from core import models from core import models
@ -40,16 +41,16 @@ class RootRouter(LoginRequiredMixin, RedirectView):
return super(RootRouter, self).get_redirect_url(self, *args, **kwargs) return super(RootRouter, self).get_redirect_url(self, *args, **kwargs)
class UserList(PermissionRequiredMixin, FilterView): class UserList(StaffOnlyMixin, FilterView):
model = User model = User
template_name = 'babybuddy/user_list.html' template_name = 'babybuddy/user_list.html'
ordering = 'username' ordering = 'username'
permission_required = ('admin.add_user',)
paginate_by = 10 paginate_by = 10
filter_fields = ('username', 'first_name', 'last_name', 'email') filter_fields = ('username', 'first_name', 'last_name', 'email')
class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView): class UserAdd(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
CreateView):
model = User model = User
template_name = 'babybuddy/user_form.html' template_name = 'babybuddy/user_form.html'
permission_required = ('admin.add_user',) permission_required = ('admin.add_user',)
@ -58,7 +59,8 @@ class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView):
success_message = 'User %(username)s added!' success_message = 'User %(username)s added!'
class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView): class UserUpdate(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
UpdateView):
model = User model = User
template_name = 'babybuddy/user_form.html' template_name = 'babybuddy/user_form.html'
permission_required = ('admin.change_user',) permission_required = ('admin.change_user',)
@ -67,7 +69,8 @@ class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView):
success_message = 'User %(username)s updated.' success_message = 'User %(username)s updated.'
class UserDelete(PermissionRequiredMixin, DeleteView): class UserDelete(StaffOnlyMixin, PermissionRequiredMixin,
DeleteView):
model = User model = User
template_name = 'babybuddy/user_confirm_delete.html' template_name = 'babybuddy/user_confirm_delete.html'
permission_required = ('admin.delete_user',) permission_required = ('admin.delete_user',)
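Review bot: UserList drops its `permission_required` while UserAdd, UserUpdate and UserDelete keep theirs in addition to StaffOnlyMixin, so after this change any staff user can browse the user list (including the username, name and email fields exposed through `filter_fields`) but is still refused on add, change and delete unless they also hold the model permission; if that asymmetry is deliberate, a one-line comment on UserList such as `# Listing is staff-only; add/change/delete additionally require the user model permissions.` would document it. Separately, the `admin.add_user`, `admin.change_user` and `admin.delete_user` labels on the context lines look suspicious: Django's User model lives in the `auth` app, so its built-in permissions are `auth.add_user` and so on, and a permission under the `admin` label would normally only be satisfied by a superuser, which the tests would not notice if the test user is one; worth confirming against the project's permission setup. The class bodies of these views continue outside the hunks.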