Verified Commit 059733cb authored by Kevin Morris's avatar Kevin Morris
Browse files

fix(routers.trusted_user): use creds to determine authorization

Closes #237



Signed-off-by: Kevin Morris's avatarKevin Morris <kevr@0cost.org>
parent 9d221604
Pipeline #14359 passed with stages
in 5 minutes and 50 seconds
......@@ -10,8 +10,7 @@ from fastapi.responses import RedirectResponse, Response
from sqlalchemy import and_, or_
from aurweb import db, l10n, logging, models
from aurweb.auth import account_type_required, requires_auth
from aurweb.models.account_type import DEVELOPER, TRUSTED_USER, TRUSTED_USER_AND_DEV
from aurweb.auth import creds, requires_auth
from aurweb.templates import make_context, make_variable_context, render_template
router = APIRouter()
......@@ -21,13 +20,6 @@ logger = logging.get_logger(__name__)
ITEMS_PER_PAGE = 10 # Paged table size.
MAX_AGENDA_LENGTH = 75 # Agenda table column length.
# A set of account types that will approve a user for TU actions.
REQUIRED_TYPES = {
TRUSTED_USER,
DEVELOPER,
TRUSTED_USER_AND_DEV
}
ADDVOTE_SPECIFICS = {
# This dict stores a vote duration and quorum for a proposal.
# When a proposal is added, duration is added to the current
......@@ -42,12 +34,14 @@ ADDVOTE_SPECIFICS = {
@router.get("/tu")
@requires_auth
@account_type_required(REQUIRED_TYPES)
async def trusted_user(request: Request,
coff: int = 0, # current offset
cby: str = "desc", # current by
poff: int = 0, # past offset
pby: str = "desc"): # past by
if not request.user.has_credential(creds.TU_LIST_VOTES):
return RedirectResponse("/", status_code=HTTPStatus.SEE_OTHER)
context = make_context(request, "Trusted User")
current_by, past_by = cby, pby
......@@ -113,9 +107,7 @@ async def trusted_user(request: Request,
return render_template(request, "tu/index.html", context)
def render_proposal(request: Request,
context: dict,
proposal: int,
def render_proposal(request: Request, context: dict, proposal: int,
voteinfo: models.TUVoteInfo,
voters: typing.Iterable[models.User],
vote: models.TUVote,
......@@ -148,8 +140,10 @@ def render_proposal(request: Request,
@router.get("/tu/{proposal}")
@requires_auth
@account_type_required(REQUIRED_TYPES)
async def trusted_user_proposal(request: Request, proposal: int):
if not request.user.has_credential(creds.TU_LIST_VOTES):
return RedirectResponse("/tu", status_code=HTTPStatus.SEE_OTHER)
context = await make_variable_context(request, "Trusted User")
proposal = int(proposal)
......@@ -163,10 +157,9 @@ async def trusted_user_proposal(request: Request, proposal: int):
vote = db.query(models.TUVote).filter(
and_(models.TUVote.UserID == request.user.ID,
models.TUVote.VoteID == voteinfo.ID)).first()
if not request.user.is_trusted_user():
if not request.user.has_credential(creds.TU_VOTE):
context["error"] = "Only Trusted Users are allowed to vote."
elif voteinfo.User == request.user.Username:
if voteinfo.User == request.user.Username:
context["error"] = "You cannot vote in an proposal about you."
elif vote is not None:
context["error"] = "You've already voted for this proposal."
......@@ -177,10 +170,11 @@ async def trusted_user_proposal(request: Request, proposal: int):
@router.post("/tu/{proposal}")
@requires_auth
@account_type_required(REQUIRED_TYPES)
async def trusted_user_proposal_post(request: Request,
proposal: int,
async def trusted_user_proposal_post(request: Request, proposal: int,
decision: str = Form(...)):
if not request.user.has_credential(creds.TU_LIST_VOTES):
return RedirectResponse("/tu", status_code=HTTPStatus.SEE_OTHER)
context = await make_variable_context(request, "Trusted User")
proposal = int(proposal) # Make sure it's an int.
......@@ -196,7 +190,7 @@ async def trusted_user_proposal_post(request: Request,
models.TUVote.VoteID == voteinfo.ID)).first()
status_code = HTTPStatus.OK
if not request.user.is_trusted_user():
if not request.user.has_credential(creds.TU_VOTE):
context["error"] = "Only Trusted Users are allowed to vote."
status_code = HTTPStatus.UNAUTHORIZED
elif voteinfo.User == request.user.Username:
......@@ -228,11 +222,11 @@ async def trusted_user_proposal_post(request: Request,
@router.get("/addvote")
@requires_auth
@account_type_required({TRUSTED_USER, TRUSTED_USER_AND_DEV})
async def trusted_user_addvote(request: Request,
user: str = str(),
type: str = "add_tu",
agenda: str = str()):
async def trusted_user_addvote(request: Request, user: str = str(),
type: str = "add_tu", agenda: str = str()):
if not request.user.has_credential(creds.TU_ADD_VOTE):
return RedirectResponse("/tu", status_code=HTTPStatus.SEE_OTHER)
context = await make_variable_context(request, "Add Proposal")
if type not in ADDVOTE_SPECIFICS:
......@@ -248,11 +242,13 @@ async def trusted_user_addvote(request: Request,
@router.post("/addvote")
@requires_auth
@account_type_required({TRUSTED_USER, TRUSTED_USER_AND_DEV})
async def trusted_user_addvote_post(request: Request,
user: str = Form(default=str()),
type: str = Form(default=str()),
agenda: str = Form(default=str())):
if not request.user.has_credential(creds.TU_ADD_VOTE):
return RedirectResponse("/tu", status_code=HTTPStatus.SEE_OTHER)
# Build a context.
context = await make_variable_context(request, "Add Proposal")
......
<div class="box">
<h2>{% trans %}{{ title }}{% endtrans %}</h2>
{% if title == "Current Votes" %}
{% if title == "Current Votes" and request.user.has_credential(creds.TU_ADD_VOTE) %}
<ul class="admin-actions">
<li>
<a href="/addvote">
......
......@@ -1857,3 +1857,11 @@ def test_account_comments_not_found(client: TestClient, user: User):
with client as request:
resp = request.get("/account/non-existent/comments", cookies=cookies)
assert resp.status_code == int(HTTPStatus.NOT_FOUND)
def test_accounts_unauthorized(client: TestClient, user: User):
cookies = {"AURSID": user.login(Request(), "testPassword")}
with client as request:
resp = request.get("/accounts", cookies=cookies, allow_redirects=False)
assert resp.status_code == int(HTTPStatus.SEE_OTHER)
assert resp.headers.get("location") == "/"
......@@ -11,7 +11,7 @@ import pytest
from fastapi.testclient import TestClient
from aurweb import config, db, util
from aurweb.models.account_type import AccountType
from aurweb.models.account_type import DEVELOPER_ID, AccountType
from aurweb.models.tu_vote import TUVote
from aurweb.models.tu_voteinfo import TUVoteInfo
from aurweb.models.user import User
......@@ -134,7 +134,7 @@ def test_tu_index_guest(client):
assert response.headers.get("location") == f"/login?{params}"
def test_tu_index_unauthorized(client, user):
def test_tu_index_unauthorized(client: TestClient, user: User):
cookies = {"AURSID": user.login(Request(), "testPassword")}
with client as request:
# Login as a normal user, not a TU.
......@@ -478,6 +478,24 @@ def test_tu_proposal_not_found(client, tu_user):
assert response.status_code == int(HTTPStatus.NOT_FOUND)
def test_tu_proposal_unauthorized(client: TestClient, user: User,
proposal: Tuple[User, User, TUVoteInfo]):
cookies = {"AURSID": user.login(Request(), "testPassword")}
endpoint = f"/tu/{proposal[2].ID}"
with client as request:
response = request.get(endpoint, cookies=cookies,
allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.headers.get("location") == "/tu"
with client as request:
response = request.post(endpoint, cookies=cookies,
data={"decision": False},
allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.headers.get("location") == "/tu"
def test_tu_running_proposal(client: TestClient,
proposal: Tuple[User, User, TUVoteInfo]):
tu_user, user, voteinfo = proposal
......@@ -641,13 +659,12 @@ def test_tu_proposal_vote(client, proposal):
assert status == "You've already voted for this proposal."
def test_tu_proposal_vote_unauthorized(client, proposal):
def test_tu_proposal_vote_unauthorized(
client: TestClient, proposal: Tuple[User, User, TUVoteInfo]):
tu_user, user, voteinfo = proposal
dev_type = db.query(AccountType,
AccountType.AccountType == "Developer").first()
with db.begin():
tu_user.AccountType = dev_type
tu_user.AccountTypeID = DEVELOPER_ID
cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
with client as request:
......@@ -749,6 +766,22 @@ def test_tu_addvote(client: TestClient, tu_user: User):
assert response.status_code == int(HTTPStatus.OK)
def test_tu_addvote_unauthorized(client: TestClient, user: User,
proposal: Tuple[User, User, TUVoteInfo]):
cookies = {"AURSID": user.login(Request(), "testPassword")}
with client as request:
response = request.get("/addvote", cookies=cookies,
allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.headers.get("location") == "/tu"
with client as request:
response = request.post("/addvote", cookies=cookies,
allow_redirects=False)
assert response.status_code == int(HTTPStatus.SEE_OTHER)
assert response.headers.get("location") == "/tu"
def test_tu_addvote_invalid_type(client: TestClient, tu_user: User):
cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
with client as request:
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment