From f4cefa9ad4a51a12e070d7ea5ebf0764fe28717a Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Fri, 10 Jun 2016 15:43:35 +0200
Subject: [PATCH] Improved permission testing
---
src/pretix/control/views/orders.py | 6 ++++++
src/tests/control/test_permissions.py | 20 ++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/src/pretix/control/views/orders.py b/src/pretix/control/views/orders.py
index 98bed32b9..d68c2efb1 100644
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -223,6 +223,9 @@ class OrderInvoiceCreate(OrderView):
 messages.success(self.request, _('The invoice has been generated.'))
 return redirect(self.get_order_url())
+ def get(self, *args, **kwargs):
+ return HttpResponseNotAllowed(['POST'])
+
 class OrderResendLink(OrderView):
 permission = 'can_change_orders'
@@ -245,6 +248,9 @@ class OrderResendLink(OrderView):
 self.order.log_action('pretix.event.order.resend', user=self.request.user)
 return redirect(self.get_order_url())
+ def get(self, *args, **kwargs):
+ return HttpResponseNotAllowed(['POST'])
+
 class InvoiceDownload(EventPermissionRequiredMixin, View):
 permission = 'can_view_orders'
diff --git a/src/tests/control/test_permissions.py b/src/tests/control/test_permissions.py
index 9349f3ab6..639e8f4a9 100644
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -31,10 +31,15 @@ event_urls = [
 "settings/plugins",
 "settings/payment",
 "settings/tickets",
+ "settings/permissions",
+ "settings/email",
 "items/",
 "items/add",
 "items/1/",
 "items/1/variations",
+ "items/1/up",
+ "items/1/down",
+ "items/1/delete",
 "categories/",
 "categories/add",
 "categories/2/",
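Review bot: The `get()` override added to OrderInvoiceCreate (and the identical one in OrderResendLink in the next hunk) blocks only GET; declaring `http_method_names = ['post']` on each class would let Django's `View.dispatch()` reject every non-POST verb with a proper Allow header in one line instead. The override is presumably needed because OrderView itself defines `get()` for its subclasses, but OrderView is outside this diff, so that is an inference. Keeping these actions off GET matters because the handlers mutate state (the context lines show an invoice being generated and a resend being logged), and a GET-triggerable mutation would sit outside the CSRF protection a POST form carries. A one-line comment on each override, such as `# POST only: this action mutates the order and must stay behind the CSRF-protected form`, would record that rationale for the next maintainer.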
@@ -49,15 +54,19 @@ event_urls = [
 "vouchers/2/delete",
 "vouchers/2/",
 "vouchers/add",
+ "vouchers/bulk_add",
 "quotas/",
 "quotas/2/delete",
 "quotas/2/",
 "quotas/add",
 "orders/ABC/transition",
+ "orders/ABC/resend",
+ "orders/ABC/invoice",
 "orders/ABC/extend",
 "orders/ABC/download/pdf",
 "orders/ABC/",
 "orders/",
+ "attendees/",
 "invoice/1",
 ]
@@ -98,15 +107,22 @@ event_permission_urls = [
 ("can_change_settings", "settings/plugins", 200),
 ("can_change_settings", "settings/payment", 200),
 ("can_change_settings", "settings/tickets", 200),
+ ("can_change_settings", "settings/email", 200),
+ ("can_change_permissions", "settings/permissions", 200),
 # Lists are currently not access-controlled
 # ("can_change_items", "items/", 200),
 ("can_change_items", "items/add", 200),
+ ("can_change_items", "items/1/up", 404),
+ ("can_change_items", "items/1/down", 404),
+ ("can_change_items", "items/1/delete", 404),
 # ("can_change_items", "categories/", 200),
 # We don't have to create categories and similar objects
 # for testing this, it is enough to test that a 404 error
 # is returned instead of a 403 one.
 ("can_change_items", "categories/2/", 404),
 ("can_change_items", "categories/2/delete", 404),
+ ("can_change_items", "categories/2/up", 404),
+ ("can_change_items", "categories/2/down", 404),
 ("can_change_items", "categories/add", 200),
 # ("can_change_items", "questions/", 200),
 ("can_change_items", "questions/2/", 404),
@@ -118,10 +134,14 @@ event_permission_urls = [
 ("can_change_items", "quotas/add", 200),
 ("can_view_orders", "orders/overview/", 200),
 ("can_view_orders", "orders/", 200),
+ ("can_view_orders", "attendees/", 200),
 ("can_view_orders", "orders/FOO/", 200),
 ("can_change_orders", "orders/FOO/extend", 200),
 ("can_change_orders", "orders/FOO/transition", 405),
+ ("can_change_orders", "orders/FOO/resend", 405),
+ ("can_change_orders", "orders/FOO/invoice", 405),
 ("can_change_vouchers", "vouchers/add", 200),
+ ("can_change_vouchers", "vouchers/bulk_add", 200),
 ("can_change_vouchers", "vouchers/", 200),
 ("can_change_vouchers", "vouchers/1234/", 404),
 ("can_change_vouchers", "vouchers/1234/delete", 404),
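Review bot: The new `orders/FOO/resend` and `orders/FOO/invoice` rows assert 405 for a user who holds can_change_orders, which — assuming the harness issues GET requests as the existing `orders/FOO/transition` row suggests — only proves the GET guard and says nothing about whether a user lacking can_change_orders is refused when POSTing, which is the access-control property that matters for these POST-only actions. If the fixture that consumes event_permission_urls already runs the inverse no-permission case for every entry, a POST variant for the 405 rows would close that gap; the harness is outside this hunk, so this is inferred. A short comment beside these rows, such as `# POST-only actions: GET answers 405 even with the permission`, would make the expected status self-explanatory next to the 200/404 entries around it.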