auth: add check_user to replace user_passes_test

To explicitly return a 403 instead of silently redirecting.

itou/utils/auth.py

@@ -0,0 +1,17 @@
+from functools import wraps
+
+from django.core.exceptions import PermissionDenied
+
+
+def check_user(test_func, err_msg=""):
+    def decorator(view_func):
+        def _check_user_view_wrapper(request, *args, **kwargs):
+            test_pass = test_func(request.user)
+
+            if test_pass:
+                return view_func(request, *args, **kwargs)
+            raise PermissionDenied(err_msg)
+
+        return wraps(view_func)(_check_user_view_wrapper)
+
+    return decorator

itou/www/apply/views/list_views.py

@@ -2,11 +2,11 @@
 from collections import defaultdict
 
 from django.conf import settings
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.db import models
 from django.db.models import Count, Exists, F, OuterRef, Q, Subquery
 from django.shortcuts import render
-from django.urls import reverse, reverse_lazy
+from django.urls import reverse
 from django.utils import timezone
 from django.utils.text import slugify
 
@@ -15,6 +15,7 @@
 from itou.job_applications.export import stream_xlsx_export
 from itou.job_applications.models import JobApplication, JobApplicationWorkflow
 from itou.rdv_insertion.models import InvitationRequest, Participation
+from itou.utils.auth import check_user
 from itou.utils.pagination import pager
 from itou.utils.perms.company import get_current_company_or_404
 from itou.utils.urls import get_safe_url
@@ -84,7 +85,7 @@ def _add_administrative_criteria(job_applications):
 
 
 @login_required
-@user_passes_test(lambda u: u.is_job_seeker, login_url=reverse_lazy("search:employers_home"), redirect_field_name=None)
+@check_user(lambda u: u.is_job_seeker)
 def list_for_job_seeker(request, template_name="apply/list_for_job_seeker.html"):
     """
     List of applications for a job seeker.
@@ -155,11 +156,7 @@ def annotate_title(base_title, archived_choice):
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_prescriber or u.is_employer,
-    login_url=reverse_lazy("search:employers_home"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_prescriber or u.is_employer)
 def list_prescriptions(request, template_name="apply/list_prescriptions.html"):
     """
     List of applications for a prescriber.
@@ -201,11 +198,7 @@ def list_prescriptions(request, template_name="apply/list_prescriptions.html"):
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_prescriber or u.is_employer,
-    login_url=reverse_lazy("search:employers_home"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_prescriber or u.is_employer)
 def list_prescriptions_exports(request, template_name="apply/list_of_available_exports.html"):
     """
     List of applications for a prescriber, sorted by month, displaying the count of applications per month
@@ -226,11 +219,7 @@ def list_prescriptions_exports(request, template_name="apply/list_of_available_e
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_prescriber or u.is_employer,
-    login_url=reverse_lazy("search:employers_home"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_prescriber or u.is_employer)
 def list_prescriptions_exports_download(request, month_identifier=None):
     """
     List of applications for a prescriber for a given month identifier (YYYY-mm),

itou/www/apply/views/process_views.py

@@ -6,7 +6,7 @@
 import sentry_sdk
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
@@ -30,6 +30,7 @@
 from itou.rdv_insertion.api import get_api_credentials, get_invitation_status
 from itou.rdv_insertion.models import Invitation, InvitationRequest, Participation
 from itou.users.enums import Title
+from itou.utils.auth import check_user
 from itou.utils.urls import get_safe_url
 from itou.www.apply.forms import (
     AcceptForm,
@@ -273,11 +274,7 @@ def details_for_company(request, job_application_id, template_name="apply/proces
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_prescriber or u.is_employer,
-    login_url=reverse_lazy("search:employers_home"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_prescriber or u.is_employer)
 def details_for_prescriber(request, job_application_id, template_name="apply/process_details.html"):
     """
     Detail of an application for an SIAE with the ability:

itou/www/autocomplete/views.py

@@ -1,16 +1,16 @@
 from datetime import datetime
 
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.db.models import F, Q, Value
 from django.db.models.functions import Least, Lower, NullIf, StrIndex
 from django.http import JsonResponse
-from django.urls import reverse_lazy
 from unidecode import unidecode
 
 from itou.asp.models import Commune
 from itou.cities.models import City
 from itou.jobs.models import Appellation
 from itou.users.models import User
+from itou.utils.auth import check_user
 from itou.www.gps.views import is_allowed_to_use_gps_advanced_features
 
 
@@ -124,11 +124,7 @@ def communes_autocomplete(request):
 
 
 @login_required
-@user_passes_test(
-    is_allowed_to_use_gps_advanced_features,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(is_allowed_to_use_gps_advanced_features)
 def gps_users_autocomplete(request):
     """
     Returns JSON data compliant with Select2

itou/www/geiq_views/views.py

@@ -3,7 +3,7 @@
 import logging
 
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.core.exceptions import ImproperlyConfigured
 from django.core.files.storage import default_storage
 from django.db.models import Count, F, OuterRef, Prefetch, Q, Subquery, Sum
@@ -27,6 +27,7 @@
 from itou.institutions.enums import InstitutionKind
 from itou.institutions.models import Institution
 from itou.utils.apis import geiq_label
+from itou.utils.auth import check_user
 from itou.utils.emails import send_email_messages
 from itou.utils.pagination import pager
 from itou.utils.urls import get_safe_url
@@ -65,9 +66,7 @@ def _get_assessments_for_labor_inspector(request):
 
 
 @login_required
-@user_passes_test(
-    lambda user: user.is_active and (user.is_employer or user.is_labor_inspector), redirect_field_name=None
-)
+@check_user(lambda user: user.is_active and (user.is_employer or user.is_labor_inspector))
 def assessment_info(request, assessment_pk):
     if request.user.is_employer:
         return _assessment_info_for_employer(request, assessment_pk)
@@ -133,7 +132,7 @@ def _assessment_info_for_labor_inspector(
 
 
 @login_required
-@user_passes_test(lambda user: user.is_active and user.is_labor_inspector, redirect_field_name=None)
+@check_user(lambda user: user.is_active and user.is_labor_inspector)
 def assessment_review(request, assessment_pk, template_name="geiq/assessment_review.html"):
     assessment = get_object_or_404(_get_assessments_for_labor_inspector(request), pk=assessment_pk)
     back_url = reverse("geiq:assessment_info", kwargs={"assessment_pk": assessment.pk})
@@ -156,9 +155,7 @@ def assessment_review(request, assessment_pk, template_name="geiq/assessment_rev
 
 
 @login_required
-@user_passes_test(
-    lambda user: user.is_active and (user.is_employer or user.is_labor_inspector), redirect_field_name=None
-)
+@check_user(lambda user: user.is_active and (user.is_employer or user.is_labor_inspector))
 def employee_list(request, assessment_pk, info_type):
     try:
         info_type = InfoType(info_type)
@@ -253,7 +250,7 @@ def _lock_assessment_and_sync(assessment):
 
 @login_required
 @require_POST
-@user_passes_test(lambda user: user.is_active and user.is_employer, redirect_field_name=None)
+@check_user(lambda user: user.is_active and user.is_employer)
 def label_sync(request, assessment_pk):
     assessment = get_object_or_404(
         ImplementationAssessment.objects.filter(
@@ -273,9 +270,7 @@ def label_sync(request, assessment_pk):
 
 @login_required
 @require_safe
-@user_passes_test(
-    lambda user: user.is_active and (user.is_employer or user.is_labor_inspector), redirect_field_name=None
-)
+@check_user(lambda user: user.is_active and (user.is_employer or user.is_labor_inspector))
 def employee_details(request, employee_pk):
     if request.user.is_labor_inspector:
         assessments = _get_assessments_for_labor_inspector(request)
@@ -303,7 +298,7 @@ def employee_details(request, employee_pk):
 
 
 @login_required
-@user_passes_test(lambda user: user.is_active and user.is_labor_inspector, redirect_field_name=None)
+@check_user(lambda user: user.is_active and user.is_labor_inspector)
 def geiq_list(request, institution_pk, year=None, template_name="geiq/geiq_list.html"):
     institution = get_object_or_404(
         Institution.objects.filter(
@@ -342,9 +337,7 @@ def geiq_list(request, institution_pk, year=None, template_name="geiq/geiq_list.
 
 @require_safe
 @login_required
-@user_passes_test(
-    lambda user: user.is_active and (user.is_employer or user.is_labor_inspector), redirect_field_name=None
-)
+@check_user(lambda user: user.is_active and (user.is_employer or user.is_labor_inspector))
 def assessment_report(request, assessment_pk):
     if request.user.is_labor_inspector:
         assessments = (

itou/www/gps/views.py

@@ -1,10 +1,11 @@
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.db.models import Count
 from django.http import HttpResponseRedirect
 from django.shortcuts import render
-from django.urls import reverse, reverse_lazy
+from django.urls import reverse
 
 from itou.gps.models import FollowUpGroup, FollowUpGroupMembership
+from itou.utils.auth import check_user
 from itou.utils.pagination import pager
 from itou.utils.urls import get_safe_url
 from itou.www.gps.forms import GpsUserSearchForm, MembershipsFiltersForm
@@ -19,11 +20,7 @@ def is_allowed_to_use_gps_advanced_features(user):
 
 
 @login_required
-@user_passes_test(
-    is_allowed_to_use_gps,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(is_allowed_to_use_gps)
 def my_groups(request, template_name="gps/my_groups.html"):
     memberships = (
         FollowUpGroupMembership.objects.filter(member=request.user)
@@ -51,11 +48,7 @@ def my_groups(request, template_name="gps/my_groups.html"):
 
 
 @login_required
-@user_passes_test(
-    is_allowed_to_use_gps_advanced_features,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(is_allowed_to_use_gps_advanced_features)
 def join_group(request, template_name="gps/join_group.html"):
     form = GpsUserSearchForm(data=request.POST or None)
 
@@ -79,11 +72,7 @@ def join_group(request, template_name="gps/join_group.html"):
 
 
 @login_required
-@user_passes_test(
-    is_allowed_to_use_gps,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(is_allowed_to_use_gps)
 def leave_group(request, group_id):
     membership = (
         FollowUpGroupMembership.objects.filter(member=request.user).filter(follow_up_group__id=group_id).first()
@@ -97,11 +86,7 @@ def leave_group(request, group_id):
 
 
 @login_required
-@user_passes_test(
-    is_allowed_to_use_gps,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(is_allowed_to_use_gps)
 def toggle_referent(request, group_id):
     membership = (
         FollowUpGroupMembership.objects.filter(member=request.user).filter(follow_up_group__id=group_id).first()

itou/www/itou_staff_views/views.py

@@ -4,11 +4,11 @@
 
 from dateutil.relativedelta import relativedelta
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.db.models import Q
 from django.http import FileResponse, Http404, HttpResponseRedirect, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, render
-from django.urls import reverse, reverse_lazy
+from django.urls import reverse
 from django.utils import timezone
 from django.utils.html import format_html
 from django.utils.http import content_disposition_header
@@ -19,6 +19,7 @@
 from itou.prescribers.models import PrescriberMembership
 from itou.users.enums import UserKind
 from itou.users.models import User
+from itou.utils.auth import check_user
 from itou.utils.db import or_queries
 from itou.utils.export import generate_excel_sheet
 from itou.www.itou_staff_views import merge_utils
@@ -206,11 +207,7 @@ def content():
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_superuser,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_superuser)
 def merge_users(request, template_name="itou_staff_views/merge_users.html"):
     form = MergeUserForm(data=request.POST or None)
 
@@ -226,11 +223,7 @@ def merge_users(request, template_name="itou_staff_views/merge_users.html"):
 
 
 @login_required
-@user_passes_test(
-    lambda u: u.is_superuser,
-    login_url=reverse_lazy("dashboard:index"),
-    redirect_field_name=None,
-)
+@check_user(lambda u: u.is_superuser)
 def merge_users_confirm(request, user_1_pk, user_2_pk, template_name="itou_staff_views/merge_users_confirm.html"):
     ALLOWED_USER_KINDS = [UserKind.PRESCRIBER, UserKind.EMPLOYER]
 

tests/gps/test_create_beneficiary.py

@@ -408,7 +408,7 @@ def test_creation_by_user_kind(client, UserFactory, factory_args, expected_acces
     if expected_access:
         assertContains(response, create_beneficiary_url)
     else:
-        assertRedirects(response, reverse("dashboard:index"))
+        assert response.status_code == 403
 
     response = client.get(create_beneficiary_url)
     [job_seeker_session_name] = [k for k in client.session.keys() if k not in KNOWN_SESSION_KEYS]

tests/gps/test_views.py

@@ -3,7 +3,7 @@
 import freezegun
 import pytest
 from django.urls import reverse
-from pytest_django.asserts import assertContains, assertNotContains, assertQuerySetEqual, assertRedirects
+from pytest_django.asserts import assertContains, assertNotContains, assertQuerySetEqual
 
 from itou.gps.models import FollowUpGroup, FollowUpGroupMembership, FranceTravailContact
 from itou.users.models import User
@@ -31,7 +31,7 @@ def test_job_seeker_cannot_use_gps(client):
         ("gps:toggle_referent", {"group_id": group.pk}),
     ]:
         response = client.get(reverse(route, kwargs=kwargs))
-        assertRedirects(response, reverse("dashboard:index"), fetch_redirect_response=False)
+        assert response.status_code == 403
     response = client.get(reverse("users:details", kwargs={"public_id": job_seeker.public_id}))
     assert response.status_code == 403
 
@@ -186,7 +186,7 @@ def test_gps_access(client, factory, access):
     FEATURE_INVITE = "<span>Inviter un partenaire</span>"
     FEATURE_ADD = "<span>Ajouter un bénéficiaire</span>"
     if access is None:
-        assertRedirects(response, reverse("dashboard:index"))
+        assert response.status_code == 403
     elif access == "partial":
         assertContains(response, FEATURE_INVITE)
         assertNotContains(response, FEATURE_ADD)
@@ -196,7 +196,7 @@ def test_gps_access(client, factory, access):
 
     response = client.get(reverse("gps:join_group"))
     if access is None or access == "partial":
-        assertRedirects(response, reverse("dashboard:index"))
+        assert response.status_code == 403
     else:
         assert response.status_code == 200