Redirect from stats views to login page if users are not logged in
authorMitja Nikolaus <mitja@fairphone.com>
Mon, 10 Dec 2018 14:40:22 +0000 (15:40 +0100)
committerMitja Nikolaus <mitja@fairphone.com>
Fri, 4 Jan 2019 10:28:54 +0000 (10:28 +0000)
Issue: HIC-291
Change-Id: Ib22fdeda5dd345c7875b369d0094ebecd9ee7567

crashreport_stats/permissions.py
crashreport_stats/tests/test_views.py
crashreport_stats/tests/utils.py

index c457f42..ab00fe8 100644 (file)
@@ -8,12 +8,16 @@ from hiccup.allauth_adapters import FP_STAFF_GROUP_NAME
 def check_user_is_hiccup_staff(user):
     """Check if the user is part of the Hiccup staff.
 
-    Returns: True if the user is part of the Hiccup staff group.
+    Returns:
+        True if the user is part of the Hiccup staff group, False if the user
+        is not logged in.
 
     Raises:
         PermissionDenied: If the user is not part of the Hiccup staff group.
 
     """
+    if not user.is_authenticated:
+        return False
     if not user_is_hiccup_staff(user):
         raise PermissionDenied(
             "User %s not part of the %s group" % (user, FP_STAFF_GROUP_NAME)
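Review bot: Returning False for an anonymous user changes the contract of check_user_is_hiccup_staff from raise-only to raise-or-return, so any caller that invokes it purely for its side effect and never inspects the result would now let an unauthenticated request through where it previously got PermissionDenied. The callers are not in this hunk, so whether each of them tests the return value cannot be confirmed from here; it is worth checking every call site, and a comment above the new guard would make the intent explicit: `# Anonymous users are reported (False) rather than rejected so the caller can redirect to login; only an authenticated non-staff user raises.` The remainder of check_user_is_hiccup_staff, including the path that returns True, lies outside the hunk.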
index ed41cbd..2423ddb 100644 (file)
@@ -43,9 +43,9 @@ class ViewsTestCase(HiccupStatsAPITestCase):
 
     def test_home_view_no_auth(self):
         """Test that one can not access the home view without auth."""
-        # Assert that the permission is denied
+        # Assert that the response is redirect to login page
         self._assert_get_without_authentication_fails(
-            self.home_url, expected_status=status.HTTP_403_FORBIDDEN
+            self.home_url, expected_status=status.HTTP_302_FOUND
         )
 
     def test_device_view_as_fp_staff(self):
@@ -67,12 +67,12 @@ class ViewsTestCase(HiccupStatsAPITestCase):
 
     def test_device_view_no_auth(self):
         """Test that non-authenticated users can not access the device view."""
-        # Assert that the permission is denied.
+        # Assert that the response is a redirect to the login page.
         self._assert_get_without_authentication_fails(
             self._url_with_params(
                 self.device_url, {"uuid": self.device_owner_device.uuid}
             ),
-            expected_status=status.HTTP_403_FORBIDDEN,
+            expected_status=status.HTTP_302_FOUND,
         )
 
     def test_versions_view_as_fp_staff(self):
@@ -88,9 +88,9 @@ class ViewsTestCase(HiccupStatsAPITestCase):
 
     def test_versions_view_no_auth(self):
         """Test one can not access the versions view without auth."""
-        # Assert that the permission is denied
+        # Assert that the response is redirect to login page
         self._assert_get_without_authentication_fails(
-            self.versions_url, expected_status=status.HTTP_403_FORBIDDEN
+            self.versions_url, expected_status=status.HTTP_302_FOUND
         )
 
     def test_versions_all_view_as_fp_staff(self):
@@ -106,9 +106,9 @@ class ViewsTestCase(HiccupStatsAPITestCase):
 
     def test_versions_all_view_no_auth(self):
         """Test that one can not access the versions all view without auth."""
-        # Assert that the permission is denied
+        # Assert that the response is redirect to login page
         self._assert_get_without_authentication_fails(
-            self.versions_all_url, expected_status=status.HTTP_403_FORBIDDEN
+            self.versions_all_url, expected_status=status.HTTP_302_FOUND
         )
 
     def test_home_view_post_as_fp_staff(self):
@@ -131,8 +131,8 @@ class ViewsTestCase(HiccupStatsAPITestCase):
             self.home_url, data={"uuid": str(self.device_owner_device.uuid)}
         )
 
-        # Assert that the permission is denied
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        # Assert that the response is redirect to the login page
+        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
 
     def test_home_view_post_as_device_owner(self):
         """Test HTTP POST method to home view as device owner."""
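Review bot: Every no-auth test now pins only HTTP_302_FOUND, which proves that a redirect happened but not that it leads to the login page as the rewritten comments claim; a redirect to any other location would pass just as well. Where the response is available, the check can be tightened with `self.assertRedirects(response, expected_url, fetch_redirect_response=False)` or at least `self.assertTrue(response.url.startswith(settings.LOGIN_URL))` (with `from django.conf import settings`); this applies directly to the test ending at the last hunk, where `response` is already in hand, and to the four earlier tests if `_assert_get_without_authentication_fails` returns the response. That helper, and the def line of the last test, are defined outside this file section, so neither can be seen here.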
index 78ecf32..ae92921 100644 (file)
@@ -175,6 +175,7 @@ class HiccupStatsAPITestCase(APITestCase):
         cls.device_owner_client.credentials(
             HTTP_AUTHORIZATION="Token " + cls.device_owner_user.auth_token.key
         )
+        cls.device_owner_client.force_login(cls.device_owner_user)
 
     def _assert_get_as_fp_staff_succeeds(
         self, url, expected_status=status.HTTP_200_OK
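Review bot: The added force_login leaves device_owner_client authenticated by two mechanisms at once — the token credential set on the lines just above and a session — so a passing device-owner test no longer shows which of the two a view actually accepted. That is presumably intended so the same client can reach both session-protected stats views and token-protected API views, but a comment would spare the next reader the guess: `# Stats views are session-protected (anonymous -> redirect to login), so log the owner in as well as setting the API token.` The enclosing setup method begins above the hunk.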