Improved permission testing

2026-05-03 14:54:04 +00:00 · 2016-06-10 15:43:35 +02:00
parent 66bcbc785b
commit f4cefa9ad4
2 changed files with 26 additions and 0 deletions
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -223,6 +223,9 @@ class OrderInvoiceCreate(OrderView):
            messages.success(self.request, _('The invoice has been generated.'))
        return redirect(self.get_order_url())

+    def get(self, *args, **kwargs):
+        return HttpResponseNotAllowed(['POST'])
+

 class OrderResendLink(OrderView):
    permission = 'can_change_orders'
@@ -245,6 +248,9 @@ class OrderResendLink(OrderView):
        self.order.log_action('pretix.event.order.resend', user=self.request.user)
        return redirect(self.get_order_url())

+    def get(self, *args, **kwargs):
+        return HttpResponseNotAllowed(['POST'])
+

 class InvoiceDownload(EventPermissionRequiredMixin, View):
    permission = 'can_view_orders'
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -31,10 +31,15 @@ event_urls = [
    "settings/plugins",
    "settings/payment",
    "settings/tickets",
+    "settings/permissions",
+    "settings/email",
    "items/",
    "items/add",
    "items/1/",
    "items/1/variations",
+    "items/1/up",
+    "items/1/down",
+    "items/1/delete",
    "categories/",
    "categories/add",
    "categories/2/",
@@ -49,15 +54,19 @@ event_urls = [
    "vouchers/2/delete",
    "vouchers/2/",
    "vouchers/add",
+    "vouchers/bulk_add",
    "quotas/",
    "quotas/2/delete",
    "quotas/2/",
    "quotas/add",
    "orders/ABC/transition",
+    "orders/ABC/resend",
+    "orders/ABC/invoice",
    "orders/ABC/extend",
    "orders/ABC/download/pdf",
    "orders/ABC/",
    "orders/",
+    "attendees/",
    "invoice/1",
 ]

@@ -98,15 +107,22 @@ event_permission_urls = [
    ("can_change_settings", "settings/plugins", 200),
    ("can_change_settings", "settings/payment", 200),
    ("can_change_settings", "settings/tickets", 200),
+    ("can_change_settings", "settings/email", 200),
+    ("can_change_permissions", "settings/permissions", 200),
    # Lists are currently not access-controlled
    # ("can_change_items", "items/", 200),
    ("can_change_items", "items/add", 200),
+    ("can_change_items", "items/1/up", 404),
+    ("can_change_items", "items/1/down", 404),
+    ("can_change_items", "items/1/delete", 404),
    # ("can_change_items", "categories/", 200),
    # We don't have to create categories and similar objects
    # for testing this, it is enough to test that a 404 error
    # is returned instead of a 403 one.
    ("can_change_items", "categories/2/", 404),
    ("can_change_items", "categories/2/delete", 404),
+    ("can_change_items", "categories/2/up", 404),
+    ("can_change_items", "categories/2/down", 404),
    ("can_change_items", "categories/add", 200),
    # ("can_change_items", "questions/", 200),
    ("can_change_items", "questions/2/", 404),
@@ -118,10 +134,14 @@ event_permission_urls = [
    ("can_change_items", "quotas/add", 200),
    ("can_view_orders", "orders/overview/", 200),
    ("can_view_orders", "orders/", 200),
+    ("can_view_orders", "attendees/", 200),
    ("can_view_orders", "orders/FOO/", 200),
    ("can_change_orders", "orders/FOO/extend", 200),
    ("can_change_orders", "orders/FOO/transition", 405),
+    ("can_change_orders", "orders/FOO/resend", 405),
+    ("can_change_orders", "orders/FOO/invoice", 405),
    ("can_change_vouchers", "vouchers/add", 200),
+    ("can_change_vouchers", "vouchers/bulk_add", 200),
    ("can_change_vouchers", "vouchers/", 200),
    ("can_change_vouchers", "vouchers/1234/", 404),
    ("can_change_vouchers", "vouchers/1234/delete", 404),