Merge branch 'fix-account-links' into pu

This commit is contained in:
Kevin Morris 2021-12-04 00:25:57 -08:00
commit f8bef16d32
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
3 changed files with 53 additions and 33 deletions


@ -329,13 +329,23 @@ async def account_register_post(request: Request,
return render_template(request, "register.html", context)
def cannot_edit(request, user):
""" Return a 401 HTMLResponse if the request user doesn't
have authorization, otherwise None. """
has_dev_cred = request.user.has_credential(creds.ACCOUNT_EDIT_DEV,
approved=[user])
if not has_dev_cred:
return HTMLResponse(status_code=HTTPStatus.UNAUTHORIZED)
def cannot_edit(request: Request, user: models.User) \
-> typing.Optional[RedirectResponse]:
"""
Decide if `request.user` cannot edit `user`.
If the request user can edit the target user, None is returned.
Otherwise, a redirect is returned to /account/{user.Username}.
:param request: FastAPI request
:param user: Target user to be edited
:return: RedirectResponse if approval != granted else None
"""
approved = request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user])
if not approved and (to := "/"):
if user:
to = f"/account/{user.Username}"
return RedirectResponse(to, status_code=HTTPStatus.SEE_OTHER)
return None
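Review bot: `if not approved and (to := "/"):` hides the assignment of `to` inside the condition and relies on `"/"` being truthy, which a reader has to work out before trusting the branch; the same logic reads plainly as `if approved: return None`, then `to = f"/account/{user.Username}" if user else "/"`, then the `RedirectResponse` return. The 303 also replaces the previous 401 with a response that carries no indication that the edit was refused, so a non-browser client sees what looks like an ordinary post-edit redirect; presumably the caller flashes or logs the denial, but that code is outside this hunk and is worth confirming. Note too that a falsy `user` still reaches `has_credential(..., approved=[user])` with `[None]` before the inner `if user:` guard runs; if callers never pass None that guard is dead, and if they do, the credential helper must tolerate a None entry.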


@ -69,20 +69,24 @@
| safe
}}
</li>
<li>
{{ "%sEdit this user's account%s"
| tr
| format('<a href="/account/%s/edit">' | format(user.Username), "</a>")
| safe
}}
</li>
<li>
{{ "%sList this user's comments%s"
| tr
| format('<a href="/account/%s/comments">' | format(user.Username), "</a>")
| safe
}}
</li>
{% if request.user.has_credential(creds.ACCOUNT_EDIT, approved=[user]) %}
<li>
{{ "%sEdit this user's account%s"
| tr
| format('<a href="/account/%s/edit">' | format(user.Username), "</a>")
| safe
}}
</li>
{% endif %}
{% if request.user.has_credential(creds.ACCOUNT_LIST_COMMENTS, approved=[user]) %}
<li>
{{ "%sList this user's comments%s"
| tr
| format('<a href="/account/%s/comments">' | format(user.Username), "</a>")
| safe
}}
</li>
{% endif %}
</ul>
</td>
</tr>
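Review bot: The new `{% if request.user.has_credential(...) %}` guards only hide the links, so the `/account/{user.Username}/comments` route still needs its own `ACCOUNT_LIST_COMMENTS` check server-side; the edit route is covered by `cannot_edit` elsewhere in this commit, but the comments handler is not in this diff and should be confirmed. Separately, both retained anchors push `user.Username` through `format(...)` and then `| safe`, which switches autoescaping off for the whole string, so the username lands in the `href` unescaped; unless usernames are restricted to a safe charset at registration (not visible here), escape the value before formatting, e.g. `| format('<a href="/account/%s/edit">' | format(user.Username | e), "</a>")`.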


@ -620,16 +620,19 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
request = Request()
sid = user.login(request, "testPassword")
create(User, Username="test2", Email="test2@example.org",
Passwd="testPassword")
with db.begin():
user2 = create(User, Username="test2", Email="test2@example.org",
Passwd="testPassword", AccountTypeID=USER_ID)
endpoint = f"/account/{user2.Username}/edit"
with client as request:
# Try to edit `test2` while authenticated as `test`.
response = request.get("/account/test2/edit", cookies={
"AURSID": sid
}, allow_redirects=False)
response = request.get(endpoint, cookies={"AURSID": sid},
allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
expected = f"/account/{user2.Username}"
assert response.headers.get("location") == expected
def test_post_account_edit(client: TestClient, user: User):
@ -828,8 +831,9 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
request = Request()
sid = user.login(request, "testPassword")
create(User, Username="test2",
Email="test2@example.org", Passwd="testPassword")
with db.begin():
user2 = create(User, Username="test2", Email="test2@example.org",
Passwd="testPassword", AccountTypeID=USER_ID)
post_data = {
"U": "test",
@ -838,13 +842,15 @@ def test_post_account_edit_error_unauthorized(client: TestClient, user: User):
"passwd": "testPassword"
}
endpoint = f"/account/{user2.Username}/edit"
with client as request:
# Attempt to edit 'test2' while logged in as 'test'.
response = request.post("/account/test2/edit", cookies={
"AURSID": sid
}, data=post_data, allow_redirects=False)
response = request.post(endpoint, cookies={"AURSID": sid},
data=post_data, allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.status_code == int(HTTPStatus.UNAUTHORIZED)
expected = f"/account/{user2.Username}"
assert response.headers.get("location") == expected
def test_post_account_edit_ssh_pub_key(client: TestClient, user: User):
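Review bot: In the last hunk, `test_post_account_edit_error_unauthorized` now proves only that the POST answered 303 to `/account/test2`, which is presumably the same redirect a successful edit produces, so the assertions cannot tell a denied edit from an applied one. After the POST, re-read `user2` (refreshing it inside a `db.begin()` block if the session requires it) and assert that the fields the form could have changed still hold their creation values, e.g. `assert user2.Email == "test2@example.org"`. Both tests in this file also cover only the denial path; since the credential was switched to `ACCOUNT_EDIT`, a positive test with an account that holds that credential editing another user would pin the intended behaviour rather than just the refusal.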