Redirect from stats views to login page if users are not logged in
Issue: HIC-291
Change-Id: Ib22fdeda5dd345c7875b369d0094ebecd9ee7567
diff --git a/crashreport_stats/permissions.py b/crashreport_stats/permissions.py
index c457f42..ab00fe8 100644
--- a/crashreport_stats/permissions.py
+++ b/crashreport_stats/permissions.py
@@ -8,12 +8,16 @@
def check_user_is_hiccup_staff(user):
"""Check if the user is part of the Hiccup staff.
- Returns: True if the user is part of the Hiccup staff group.
+ Returns:
+ True if the user is part of the Hiccup staff group, False if the user
+ is not logged in.
Raises:
PermissionDenied: If the user is not part of the Hiccup staff group.
"""
+ if not user.is_authenticated:
+ return False
if not user_is_hiccup_staff(user):
raise PermissionDenied(
"User %s not part of the %s group" % (user, FP_STAFF_GROUP_NAME)
diff --git a/crashreport_stats/tests/test_views.py b/crashreport_stats/tests/test_views.py
index ed41cbd..2423ddb 100644
--- a/crashreport_stats/tests/test_views.py
+++ b/crashreport_stats/tests/test_views.py
@@ -43,9 +43,9 @@
def test_home_view_no_auth(self):
"""Test that one can not access the home view without auth."""
- # Assert that the permission is denied
+ # Assert that the response is redirect to login page
self._assert_get_without_authentication_fails(
- self.home_url, expected_status=status.HTTP_403_FORBIDDEN
+ self.home_url, expected_status=status.HTTP_302_FOUND
)
def test_device_view_as_fp_staff(self):
@@ -67,12 +67,12 @@
def test_device_view_no_auth(self):
"""Test that non-authenticated users can not access the device view."""
- # Assert that the permission is denied.
+ # Assert that the response is a redirect to the login page.
self._assert_get_without_authentication_fails(
self._url_with_params(
self.device_url, {"uuid": self.device_owner_device.uuid}
),
- expected_status=status.HTTP_403_FORBIDDEN,
+ expected_status=status.HTTP_302_FOUND,
)
def test_versions_view_as_fp_staff(self):
@@ -88,9 +88,9 @@
def test_versions_view_no_auth(self):
"""Test one can not access the versions view without auth."""
- # Assert that the permission is denied
+ # Assert that the response is redirect to login page
self._assert_get_without_authentication_fails(
- self.versions_url, expected_status=status.HTTP_403_FORBIDDEN
+ self.versions_url, expected_status=status.HTTP_302_FOUND
)
def test_versions_all_view_as_fp_staff(self):
@@ -106,9 +106,9 @@
def test_versions_all_view_no_auth(self):
"""Test that one can not access the versions all view without auth."""
- # Assert that the permission is denied
+ # Assert that the response is redirect to login page
self._assert_get_without_authentication_fails(
- self.versions_all_url, expected_status=status.HTTP_403_FORBIDDEN
+ self.versions_all_url, expected_status=status.HTTP_302_FOUND
)
def test_home_view_post_as_fp_staff(self):
@@ -131,8 +131,8 @@
self.home_url, data={"uuid": str(self.device_owner_device.uuid)}
)
- # Assert that the permission is denied
- self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ # Assert that the response is redirect to the login page
+ self.assertEqual(response.status_code, status.HTTP_302_FOUND)
def test_home_view_post_as_device_owner(self):
"""Test HTTP POST method to home view as device owner."""
diff --git a/crashreport_stats/tests/utils.py b/crashreport_stats/tests/utils.py
index 78ecf32..ae92921 100644
--- a/crashreport_stats/tests/utils.py
+++ b/crashreport_stats/tests/utils.py
@@ -175,6 +175,7 @@
cls.device_owner_client.credentials(
HTTP_AUTHORIZATION="Token " + cls.device_owner_user.auth_token.key
)
+ cls.device_owner_client.force_login(cls.device_owner_user)
def _assert_get_as_fp_staff_succeeds(
self, url, expected_status=status.HTTP_200_OK