Merge branch 'fix-account-links' into pu

aurweb/routers/accounts.py

@@ -329,13 +329,23 @@ async def account_register_post(request: Request,
     return render_template(request, "register.html", context)
 
 
-def cannot_edit(request, user):
-    """ Return a 401 HTMLResponse if the request user doesn't
-    have authorization, otherwise None. """
-    has_dev_cred = request.user.has_credential(creds.ACCOUNT_EDIT_DEV,
-                                               approved=[user])
-    if not has_dev_cred:
-        return HTMLResponse(status_code=HTTPStatus.UNAUTHORIZED)
+def cannot_edit(request: Request, user: models.User) \
+        -> typing.Optional[RedirectResponse]:
+    """
+    Decide if `request.user` cannot edit `user`.
+
+    If the request user can edit the target user, None is returned.
+    Otherwise, a redirect is returned to /account/{user.Username}.
+
+    :param request: FastAPI request
+    :param user: Target user to be edited
+    :return: RedirectResponse if approval != granted else None
+    """
+    approved = request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user])
+    if not approved and (to := "/"):
+        if user:
+            to = f"/account/{user.Username}"
+        return RedirectResponse(to, status_code=HTTPStatus.SEE_OTHER)
     return None
 
 

templates/account/show.html

@@ -69,6 +69,7 @@
                                                     | safe
                                                     }}
                                                 </li>
+                                                {% if request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user]) %}
                                                     <li>
                                                         {{ "%sEdit this user's account%s"
                                                         | tr
@@ -76,6 +77,8 @@
                                                         | safe
                                                         }}
                                                     </li>
+                                                {% endif %}
+                                                {% if request.user.has_credential(creds.ACCOUNT_LIST_COMMENTS, approved=[user]) %}
                                                     <li>
                                                         {{ "%sList this user's comments%s"
                                                         | tr
@@ -83,6 +86,7 @@
                                                         | safe
                                                         }}
                                                     </li>
+                                                {% endif %}
                                             </ul>
                                         </td>
                                     </tr>

test/test_accounts_routes.py

@@ -620,16 +620,19 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
     request = Request()
     sid = user.login(request, "testPassword")
 
-    create(User, Username="test2", Email="test2@example.org",
-           Passwd="testPassword")
+    with db.begin():
+        user2 = create(User, Username="test2", Email="test2@example.org",
+                       Passwd="testPassword", AccountTypeID=USER_ID)
 
+    endpoint = f"/account/{user2.Username}/edit"
     with client as request:
         # Try to edit `test2` while authenticated as `test`.
-        response = request.get("/account/test2/edit", cookies={
-            "AURSID": sid
-        }, allow_redirects=False)
+        response = request.get(endpoint, cookies={"AURSID": sid},
+                               allow_redirects=False)
+    assert response.status_code == int(HTTPStatus.SEE_OTHER)
 
-    assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+    expected = f"/account/{user2.Username}"
+    assert response.headers.get("location") == expected
 
 
 def test_post_account_edit(client: TestClient, user: User):
@@ -828,8 +831,9 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
     request = Request()
     sid = user.login(request, "testPassword")
 
-    create(User, Username="test2",
-           Email="test2@example.org", Passwd="testPassword")
+    with db.begin():
+        user2 = create(User, Username="test2", Email="test2@example.org",
+                       Passwd="testPassword", AccountTypeID=USER_ID)
 
     post_data = {
         "U": "test",
@@ -838,13 +842,15 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
         "passwd": "testPassword"
     }
 
+    endpoint = f"/account/{user2.Username}/edit"
     with client as request:
         # Attempt to edit 'test2' while logged in as 'test'.
-        response = request.post("/account/test2/edit", cookies={
-            "AURSID": sid
-        }, data=post_data, allow_redirects=False)
+        response = request.post(endpoint, cookies={"AURSID": sid},
+                                data=post_data, allow_redirects=False)
+    assert response.status_code == int(HTTPStatus.SEE_OTHER)
 
-    assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
+    expected = f"/account/{user2.Username}"
+    assert response.headers.get("location") == expected
 
 
 def test_post_account_edit_ssh_pub_key(client: TestClient, user: User):