API Auth: Respect staff sessions

Raphael Michel
2019-04-26 16:24:13 +02:00
parent 2bc0dd6076
commit cc4602c308
2 changed files with 27 additions and 5 deletions


@@ -2,6 +2,7 @@ import time
import pytest
from django.test import override_settings
from django.utils.timezone import now
from pretix.base.models import Organizer
@@ -442,3 +443,17 @@ def test_token_org_subresources_permission_not_allowed(token_client, team, organ
assert resp.status_code == 403
else:
assert resp.status_code in (404, 403)
@pytest.mark.django_db
@pytest.mark.parametrize("url", event_urls)
def test_event_staff_requires_staff_session(user_client, organizer, team, event, url, user):
team.delete()
user.is_staff = True
user.save()
resp = user_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url[1]))
assert resp.status_code == 403
user.staffsession_set.create(date_start=now(), session_key=user_client.session.session_key)
resp = user_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url[1]))
assert resp.status_code == 200
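Review bot: test_event_staff_requires_staff_session pins only the happy path, so it would still pass if the permission check accepted any staff session belonging to the user rather than the one bound to the requesting session key. Before the `staffsession_set.create(...)` call that uses the client's key, consider adding `user.staffsession_set.create(date_start=now(), session_key='other-session-key-constructed')`, repeating the GET and asserting `resp.status_code == 403`. If the staff-session model records an end time (not visible in this hunk), a session that has already been closed deserves the same negative assertion. The test is parametrized over event_urls only, so the organizer-level subresources covered by the test just above get no equivalent staff-session check here.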