Return permission denied instead of redirecting in stats views
Return a 403 permission denied error if a user is not part of the
Fairphone staff group. This breaks the infinite redirect loop.
Issue: HIC-260
Change-Id: I682127c2165f826257a84b0bf246fc9fb86813ea
diff --git a/crashreport_stats/permissions.py b/crashreport_stats/permissions.py
new file mode 100644
index 0000000..c457f42
--- /dev/null
+++ b/crashreport_stats/permissions.py
@@ -0,0 +1,21 @@
+"""Permissions for accessing the stats API."""
+from django.core.exceptions import PermissionDenied
+
+from crashreports.permissions import user_is_hiccup_staff
+from hiccup.allauth_adapters import FP_STAFF_GROUP_NAME
+
+
+def check_user_is_hiccup_staff(user):
+ """Check if the user is part of the Hiccup staff.
+
+ Returns: True if the user is part of the Hiccup staff group.
+
+ Raises:
+ PermissionDenied: If the user is not part of the Hiccup staff group.
+
+ """
+ if not user_is_hiccup_staff(user):
+ raise PermissionDenied(
+ "User %s not part of the %s group" % (user, FP_STAFF_GROUP_NAME)
+ )
+ return True
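Review bot: `check_user_is_hiccup_staff` never returns False, so an unauthenticated visitor takes the same `raise PermissionDenied` path as a logged-in non-staff user. If this function is passed to `user_passes_test` (the call sites are not in this hunk), anonymous requests would get a 403 instead of being sent to the login page. Adding `if not user.is_authenticated: return False` ahead of the staff check would keep the login redirect for them while still ending the loop for authenticated non-staff users. The exception text also carries the username and `FP_STAFF_GROUP_NAME`, and Django passes the exception string to the 403 template as `exception`, so a custom `403.html` should not render it verbatim. The docstring should say which outcome anonymous users get.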