diff --git a/aurweb/routers/accounts.py b/aurweb/routers/accounts.py
index 946ffc31..fc25a7e8 100644
--- a/aurweb/routers/accounts.py
+++ b/aurweb/routers/accounts.py
@@ -329,13 +329,23 @@ async def account_register_post(request: Request,
return render_template(request, "register.html", context)
-def cannot_edit(request, user):
- """ Return a 401 HTMLResponse if the request user doesn't
- have authorization, otherwise None. """
- has_dev_cred = request.user.has_credential(creds.ACCOUNT_EDIT_DEV,
- approved=[user])
- if not has_dev_cred:
- return HTMLResponse(status_code=HTTPStatus.UNAUTHORIZED)
+def cannot_edit(request: Request, user: models.User) \
+ -> typing.Optional[RedirectResponse]:
+ """
+ Decide if `request.user` cannot edit `user`.
+
+ If the request user can edit the target user, None is returned.
+ Otherwise, a redirect is returned to /account/{user.Username}.
+
+ :param request: FastAPI request
+ :param user: Target user to be edited
+ :return: RedirectResponse if approval != granted else None
+ """
+ approved = request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user])
+ if not approved and (to := "/"):
+ if user:
+ to = f"/account/{user.Username}"
+ return RedirectResponse(to, status_code=HTTPStatus.SEE_OTHER)
return None
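Review bot: The walrus in `if not approved and (to := "/"):` binds a default through an always-true string operand, so the assignment is disguised as part of the condition; clearer is `if not approved:` followed by `to = f"/account/{user.Username}" if user else "/"` and `return RedirectResponse(to, status_code=HTTPStatus.SEE_OTHER)`. The `if user:` guard also contradicts the `models.User` annotation and the docstring, which both presume a target user exists; if a None target is a real caller path the annotation should be `typing.Optional[models.User]`, otherwise the guard is dead code. Replacing the 401 with a 303 to the target's page also means a denied edit is no longer distinguishable from ordinary navigation in access logs or to callers, so if denied edits are worth auditing, log the denial before returning the redirect. The credential changes from `ACCOUNT_EDIT_DEV` to `ACCOUNT_EDIT`, whose definition is not in this diff, so who now passes the check cannot be confirmed from here. `cannot_edit` is complete within the hunk; the preceding context line belongs to account_register_post.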
diff --git a/templates/account/show.html b/templates/account/show.html
index 23b262b0..e1074394 100644
--- a/templates/account/show.html
+++ b/templates/account/show.html
@@ -69,20 +69,24 @@
| safe
}}
-
- {{ "%sEdit this user's account%s"
- | tr
- | format('' | format(user.Username), "")
- | safe
- }}
-
-
- {{ "%sList this user's comments%s"
- | tr
- | format('' | format(user.Username), "")
- | safe
- }}
-
+ {% if request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user]) %}
+
+ {{ "%sEdit this user's account%s"
+ | tr
+ | format('' | format(user.Username), "")
+ | safe
+ }}
+
+ {% endif %}
+ {% if request.user.has_credential(creds.ACCOUNT_LIST_COMMENTS, approved=[user]) %}
+
+ {{ "%sList this user's comments%s"
+ | tr
+ | format('' | format(user.Username), "")
+ | safe
+ }}
+
+ {% endif %}
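Review bot: The new `{% if request.user.has_credential(...) %}` gates only decide whether the links are rendered; they are display logic, not access control, and the edit route's `cannot_edit` check remains the enforcement point for `creds.ACCOUNT_EDIT`. The comments link is gated on `creds.ACCOUNT_LIST_COMMENTS`, but nothing in this diff shows the comments endpoint enforcing that credential server-side, so confirm that route rejects a direct request rather than relying on the link being hidden. A template comment such as `{# display-only gate; the route must enforce creds.ACCOUNT_LIST_COMMENTS itself #}` would make that intent explicit to the next editor. The moved `| format('' | format(user.Username), "") | safe` lines still pass `user.Username` into markup with autoescaping disabled, which presumably relies on Username being validated at registration; worth confirming. The `{{ ... }}` expression whose `| safe }}` opens the hunk begins outside it.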
diff --git a/test/test_accounts_routes.py b/test/test_accounts_routes.py
index f08efcd2..348a6994 100644
--- a/test/test_accounts_routes.py
+++ b/test/test_accounts_routes.py
@@ -620,16 +620,19 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
request = Request()
sid = user.login(request, "testPassword")
- create(User, Username="test2", Email="test2@example.org",
- Passwd="testPassword")
+ with db.begin():
+ user2 = create(User, Username="test2", Email="test2@example.org",
+ Passwd="testPassword", AccountTypeID=USER_ID)
+ endpoint = f"/account/{user2.Username}/edit"
with client as request:
# Try to edit `test2` while authenticated as `test`.
- response = request.get("/account/test2/edit", cookies={
- "AURSID": sid
- }, allow_redirects=False)
+ response = request.get(endpoint, cookies={"AURSID": sid},
+ allow_redirects=False)
+ assert response.status_code == int(HTTPStatus.SEE_OTHER)
- assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+ expected = f"/account/{user2.Username}"
+ assert response.headers.get("location") == expected
def test_post_account_edit(client: TestClient, user: User):
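Review bot: The rewritten assertions pin the redirect target, but the test still exercises only one regular user against another, so it does not pin what `creds.ACCOUNT_EDIT` grants after the router switched away from `ACCOUNT_EDIT_DEV`; a companion case in which `user` requests its own edit page (expected to succeed) and, if the credential allows it, one for a privileged account type would lock down the semantics the router change depends on. The expectation `expected = f"/account/{user2.Username}"` mirrors the route's own string construction; writing `expected = "/account/test2"` keeps the assertion independent of the code under test. The enclosing `test_get_account_edit_unauthorized` begins outside the hunk.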
@@ -828,8 +831,9 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
request = Request()
sid = user.login(request, "testPassword")
- create(User, Username="test2",
- Email="test2@example.org", Passwd="testPassword")
+ with db.begin():
+ user2 = create(User, Username="test2", Email="test2@example.org",
+ Passwd="testPassword", AccountTypeID=USER_ID)
post_data = {
"U": "test",
@@ -838,13 +842,15 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
"passwd": "testPassword"
}
+ endpoint = f"/account/{user2.Username}/edit"
with client as request:
# Attempt to edit 'test2' while logged in as 'test'.
- response = request.post("/account/test2/edit", cookies={
- "AURSID": sid
- }, data=post_data, allow_redirects=False)
+ response = request.post(endpoint, cookies={"AURSID": sid},
+ data=post_data, allow_redirects=False)
+ assert response.status_code == int(HTTPStatus.SEE_OTHER)
- assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+ expected = f"/account/{user2.Username}"
+ assert response.headers.get("location") == expected
def test_post_account_edit_ssh_pub_key(client: TestClient, user: User):
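Review bot: After the denied POST the test checks only the status code and `location`; it never re-reads `user2` and asserts that nothing from `post_data` (for instance `"U": "test"`) was applied, which is the property an unauthorized-edit test exists to protect. Re-fetch the user inside a `with db.begin():` block after the request and assert `user2.Username == "test2"` and `user2.Email == "test2@example.org"`, so a regression in which the handler applies the edit and then redirects would fail rather than pass. As in the GET test, `expected = f"/account/{user2.Username}"` reproduces the route's construction; `expected = "/account/test2"` is the stronger assertion. The enclosing `test_post_account_edit_error_unauthorized` begins outside the hunk.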