def test_correct_organizer_permission(client, env, perm, url, code): op = OrganizerPermission( organizer=env[2], user=env[1], ) if perm: setattr(op, perm, True) op.save() client.login(identifier='*****@*****.**', password='******') response = client.get('/control/' + url) assert response.status_code == code
def test_wrong_organizer_permission(client, env, perm, url, code): if perm: op = OrganizerPermission( organizer=env[2], user=env[1], ) setattr(op, perm, False) op.save() client.login(email='*****@*****.**', password='******') response = client.get('/control/' + url) assert response.status_code == 403
def test_correct_organizer_permission(client, env, perm, url, code): op = OrganizerPermission( organizer=env[2], user=env[1], ) if perm: setattr(op, perm, True) op.save() client.login(email='*****@*****.**', password='******') response = client.get('/control/' + url) assert response.status_code == code
def test_wrong_organizer_permission(perf_patch, client, env, perm, url, code): if perm: op = OrganizerPermission( organizer=env[2], user=env[1], ) setattr(op, perm, False) op.save() client.login(email='*****@*****.**', password='******') response = client.get('/control/' + url) assert response.status_code == 403
def process_request(self, request): url = resolve(request.path_info) url_name = url.url_name if not request.path.startswith(get_script_prefix() + 'control'): # This middleware should only touch the /control subpath return if hasattr(request, 'organizer'): # If the user is on a organizer's subdomain, he should be redirected to pretix return redirect(urljoin(settings.SITE_URL, request.get_full_path())) if url_name in self.EXCEPTIONS: return if not request.user.is_authenticated: # Taken from django/contrib/auth/decorators.py path = request.build_absolute_uri() # urlparse chokes on lazy objects in Python 3, force to str resolved_login_url = force_str( resolve_url(settings.LOGIN_URL_CONTROL)) # If the login url is the same scheme and net location then just # use the path as the "next" url. login_scheme, login_netloc = urlparse(resolved_login_url)[:2] current_scheme, current_netloc = urlparse(path)[:2] if ((not login_scheme or login_scheme == current_scheme) and (not login_netloc or login_netloc == current_netloc)): path = request.get_full_path() from django.contrib.auth.views import redirect_to_login return redirect_to_login(path, resolved_login_url, REDIRECT_FIELD_NAME) events = Event.objects.all( ) if request.user.is_superuser else request.user.events request.user.events_cache = events.order_by( "organizer", "date_from").prefetch_related("organizer") if 'event' in url.kwargs and 'organizer' in url.kwargs: try: if request.user.is_superuser: request.event = Event.objects.filter( slug=url.kwargs['event'], organizer__slug=url.kwargs['organizer'], ).select_related('organizer')[0] request.eventperm = EventPermission(event=request.event, user=request.user) else: request.event = Event.objects.filter( slug=url.kwargs['event'], permitted__id__exact=request.user.id, organizer__slug=url.kwargs['organizer'], ).select_related('organizer')[0] request.eventperm = EventPermission.objects.get( event=request.event, user=request.user) request.organizer = request.event.organizer except IndexError: raise Http404( _("The selected event was not found or you " "have no permission to administrate it.")) elif 'organizer' in url.kwargs: try: if request.user.is_superuser: request.organizer = Organizer.objects.filter( slug=url.kwargs['organizer'], )[0] request.orgaperm = OrganizerPermission( organizer=request.organizer, user=request.user) else: request.organizer = Organizer.objects.filter( slug=url.kwargs['organizer'], permitted__id__exact=request.user.id, )[0] request.orgaperm = OrganizerPermission.objects.get( organizer=request.organizer, user=request.user) except IndexError: raise Http404( _("The selected organizer was not found or you " "have no permission to administrate it."))