fix(python): redirect when the request user can't edit target user

Signed-off-by: Kevin Morris <kevr@0cost.org>

aurweb/routers/accounts.py

@@ -329,13 +329,23 @@ async def account_register_post(request: Request,
     return render_template(request, "register.html", context)
 
 
-def cannot_edit(request, user):
+def cannot_edit(request: Request, user: models.User) \
-    """ Return a 401 HTMLResponse if the request user doesn't
+        -> typing.Optional[RedirectResponse]:
-    have authorization, otherwise None. """
+    """
-    has_dev_cred = request.user.has_credential(creds.ACCOUNT_EDIT_DEV,
+    Decide if `request.user` cannot edit `user`.
-                                               approved=[user])
+
-    if not has_dev_cred:
+    If the request user can edit the target user, None is returned.
-        return HTMLResponse(status_code=HTTPStatus.UNAUTHORIZED)
+    Otherwise, a redirect is returned to /account/{user.Username}.
+
+    :param request: FastAPI request
+    :param user: Target user to be edited
+    :return: RedirectResponse if approval != granted else None
+    """
+    approved = request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user])
+    if not approved and (to := "/"):
+        if user:
+            to = f"/account/{user.Username}"
+        return RedirectResponse(to, status_code=HTTPStatus.SEE_OTHER)
     return None
 
 

test/test_accounts_routes.py

@@ -620,16 +620,19 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
     request = Request()
     sid = user.login(request, "testPassword")
 
-    create(User, Username="test2", Email="test2@example.org",
+    with db.begin():
-           Passwd="testPassword")
+        user2 = create(User, Username="test2", Email="test2@example.org",
+                       Passwd="testPassword", AccountTypeID=USER_ID)
 
+    endpoint = f"/account/{user2.Username}/edit"
     with client as request:
         # Try to edit `test2` while authenticated as `test`.
-        response = request.get("/account/test2/edit", cookies={
+        response = request.get(endpoint, cookies={"AURSID": sid},
-            "AURSID": sid
+                               allow_redirects=False)
-        }, allow_redirects=False)
+    assert response.status_code == int(HTTPStatus.SEE_OTHER)
 
-    assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+    expected = f"/account/{user2.Username}"
+    assert response.headers.get("location") == expected
 
 
 def test_post_account_edit(client: TestClient, user: User):
@@ -828,8 +831,9 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
     request = Request()
     sid = user.login(request, "testPassword")
 
-    create(User, Username="test2",
+    with db.begin():
-           Email="test2@example.org", Passwd="testPassword")
+        user2 = create(User, Username="test2", Email="test2@example.org",
+                       Passwd="testPassword", AccountTypeID=USER_ID)
 
     post_data = {
         "U": "test",
@@ -838,13 +842,15 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
         "passwd": "testPassword"
     }
 
+    endpoint = f"/account/{user2.Username}/edit"
     with client as request:
         # Attempt to edit 'test2' while logged in as 'test'.
-        response = request.post("/account/test2/edit", cookies={
+        response = request.post(endpoint, cookies={"AURSID": sid},
-            "AURSID": sid
+                                data=post_data, allow_redirects=False)
-        }, data=post_data, allow_redirects=False)
+    assert response.status_code == int(HTTPStatus.SEE_OTHER)
 
-    assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+    expected = f"/account/{user2.Username}"
+    assert response.headers.get("location") == expected
 
 
 def test_post_account_edit_ssh_pub_key(client: TestClient, user: User):