Mixin: check that siae_id is numeric. Add test

gip-inclusion · Sep 14, 2023 · e2702c1 · e2702c1
1 parent 052e88b
commit e2702c1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/lemarche/utils/mixins.py b/lemarche/utils/mixins.py
@@ -171,13 +171,13 @@ def handle_no_permission(self):
         return HttpResponseRedirect(reverse_lazy("wagtail_serve", args=("",)))
 
 
-class LoginRequiredOrSiaeIdParamMixin(UserPassesTestMixin):
+class SiaeUserRequiredOrSiaeIdParamMixin(UserPassesTestMixin):
     def test_func(self):
         siae_id = self.request.GET.get("siae_id", None)
-        return self.request.user.is_authenticated or siae_id
+        return SiaeUserRequiredMixin.test_func(self) or (siae_id and siae_id.isnumeric())
 
     def handle_no_permission(self):
-        return LoginRequiredUserPassesTestMixin.dispatch(self, self.request)
+        return HttpResponseForbidden()
 
 
 class SesameTokenRequiredUserPassesTestMixin(UserPassesTestMixin):

diff --git a/lemarche/www/tenders/tests.py b/lemarche/www/tenders/tests.py
@@ -893,6 +893,11 @@ def test_only_siae_user_or_with_siae_id_param_can_call_tender_contact_click(self
         )
         response = self.client.post(url, data={"detail_contact_click_confirm": "false"})
         self.assertEqual(response.status_code, 302)
+        # forbidden because wrong siae_id parameter
+        self.client.logout()
+        url = reverse("tenders:detail-contact-click-stat", kwargs={"slug": self.tender.slug}) + "?siae_id=test"
+        response = self.client.post(url, data={"detail_contact_click_confirm": "false"})
+        self.assertEqual(response.status_code, 403)
 
     def test_update_tendersiae_stats_on_tender_contact_click(self):
         siae_2 = SiaeFactory(name="ABC Insertion")

diff --git a/lemarche/www/tenders/views.py b/lemarche/www/tenders/views.py
@@ -18,8 +18,8 @@
 from lemarche.users.models import User
 from lemarche.utils.data import get_choice
 from lemarche.utils.mixins import (
-    LoginRequiredOrSiaeIdParamMixin,
     SesameTenderAuthorRequiredMixin,
+    SiaeUserRequiredOrSiaeIdParamMixin,
     TenderAuthorOrAdminRequiredIfNotValidatedMixin,
     TenderAuthorOrAdminRequiredMixin,
 )
@@ -347,7 +347,7 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class TenderDetailContactClickStatView(LoginRequiredOrSiaeIdParamMixin, UpdateView):
+class TenderDetailContactClickStatView(SiaeUserRequiredOrSiaeIdParamMixin, UpdateView):
     """
     Endpoint to track contact_clicks by interested Siaes
     We might also send a notification to the buyer