From 46e28a8cc3b714d6b029afffe83f6757124c2ecd Mon Sep 17 00:00:00 2001 From: Raphael Odini Date: Thu, 14 Sep 2023 10:13:51 +0200 Subject: [PATCH] Mixin: check that siae_id is numeric. Add test
--- lemarche/utils/mixins.py | 6 +++--- lemarche/www/tenders/tests.py | 7 ++++++- lemarche/www/tenders/views.py | 4 ++-- 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/lemarche/utils/mixins.py b/lemarche/utils/mixins.py
index c082b848b..3894a30ea 100644
--- a/lemarche/utils/mixins.py
+++ b/lemarche/utils/mixins.py
@@ -171,13 +171,13 @@ def handle_no_permission(self):
 return HttpResponseRedirect(reverse_lazy("wagtail_serve", args=("",)))
-class LoginRequiredOrSiaeIdParamMixin(UserPassesTestMixin):
+class SiaeUserRequiredOrSiaeIdParamMixin(UserPassesTestMixin):
 def test_func(self):
 siae_id = self.request.GET.get("siae_id", None)
- return self.request.user.is_authenticated or siae_id
+ return SiaeUserRequiredMixin.test_func(self) or (siae_id and siae_id.isnumeric())
 def handle_no_permission(self):
- return LoginRequiredUserPassesTestMixin.dispatch(self, self.request)
+ return HttpResponseForbidden()
 class SesameTokenRequiredUserPassesTestMixin(UserPassesTestMixin):
diff --git a/lemarche/www/tenders/tests.py b/lemarche/www/tenders/tests.py
index 48d7c5c26..dfebfaa93 100644
--- a/lemarche/www/tenders/tests.py
+++ b/lemarche/www/tenders/tests.py
@@ -870,7 +870,7 @@ def setUpTestData(cls):
 def test_anonymous_user_cannot_call_tender_contact_click(self):
 url = reverse("tenders:detail-contact-click-stat", kwargs={"slug": self.tender.slug})
 response = self.client.post(url)
- self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.status_code, 403)
 def test_only_siae_user_or_with_siae_id_param_can_call_tender_contact_click(self):
 # forbidden
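Review bot: `siae_id.isnumeric()` in the new `test_func` of the mixins.py hunk accepts more than plain digits: str.isnumeric() is also true for Unicode numerals such as "²", "½" or "Ⅷ", which int() rejects with ValueError, so a request carrying such a value passes the mixin and presumably fails later in the view instead of receiving the 403 the commit intends. `str.isdecimal()` is the check that matches what int() parses; I would write `return SiaeUserRequiredMixin.test_func(self) or bool(siae_id and siae_id.isdecimal())`. `HttpResponseForbidden` and `SiaeUserRequiredMixin` are used but neither is imported nor defined inside the hunk, so both need to already be in scope earlier in mixins.py. Note that the format check only establishes that the parameter looks like an id, not that it names an existing Siae, so whatever lookup the view does with it remains the real authorization point. The new test case in tests.py (`?siae_id=test`) would pin this down further with a second value such as `?siae_id=²` also expected to return 403.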
@@ -893,6 +893,11 @@ def test_only_siae_user_or_with_siae_id_param_can_call_tender_contact_click(self
 )
 response = self.client.post(url, data={"detail_contact_click_confirm": "false"})
 self.assertEqual(response.status_code, 302)
+ # forbidden because wrong siae_id parameter
+ self.client.logout()
+ url = reverse("tenders:detail-contact-click-stat", kwargs={"slug": self.tender.slug}) + "?siae_id=test"
+ response = self.client.post(url, data={"detail_contact_click_confirm": "false"})
+ self.assertEqual(response.status_code, 403)
 def test_update_tendersiae_stats_on_tender_contact_click(self):
 siae_2 = SiaeFactory(name="ABC Insertion")
diff --git a/lemarche/www/tenders/views.py b/lemarche/www/tenders/views.py
index 23f0514a3..3738cd6e6 100644
--- a/lemarche/www/tenders/views.py
+++ b/lemarche/www/tenders/views.py
@@ -18,8 +18,8 @@
 from lemarche.users.models import User
 from lemarche.utils.data import get_choice
 from lemarche.utils.mixins import (
- LoginRequiredOrSiaeIdParamMixin,
 SesameTenderAuthorRequiredMixin,
+ SiaeUserRequiredOrSiaeIdParamMixin,
 TenderAuthorOrAdminRequiredIfNotValidatedMixin,
 TenderAuthorOrAdminRequiredMixin,
 )
@@ -347,7 +347,7 @@ def get_context_data(self, **kwargs):
 return context
-class TenderDetailContactClickStatView(LoginRequiredOrSiaeIdParamMixin, UpdateView):
+class TenderDetailContactClickStatView(SiaeUserRequiredOrSiaeIdParamMixin, UpdateView):
 """
 Endpoint to track contact_clicks by interested Siaes
 We might also send a notification to the buyer