don't let viewers POST past @dev_required (bug 611526)

2010-11-12 20:18:33 -08:00 · 2010-11-12 20:18:33 -08:00 · 97b1f108c5
--- a/apps/access/acl.py
+++ b/apps/access/acl.py
@ -57,7 +57,7 @@ def check_addon_ownership(request, addon, require_owner=False):
    """Check if request.user has owner permissions for the add-on."""
    if not request.user.is_authenticated():
        return False
-    if not require_owner and action_allowed(request, 'Admin', 'EditAnyAddon'):
+    if action_allowed(request, 'Admin', 'EditAnyAddon'):
        return True

    roles = (amo.AUTHOR_ROLE_OWNER, amo.AUTHOR_ROLE_DEV)
--- a/apps/devhub/tests/test_views.py
+++ b/apps/devhub/tests/test_views.py
@ -362,6 +362,41 @@ def formset(*args, **kw):
    return data


+class TestDevRequired(test_utils.TestCase):
+    fixtures = ['base/apps', 'base/users', 'base/addon_3615']
+
+    def setUp(self):
+        self.get_url = reverse('devhub.addons.payments', args=[3615])
+        self.post_url = reverse('devhub.addons.payments.disable', args=[3615])
+        assert self.client.login(username='del@icio.us', password='password')
+        self.addon = Addon.objects.get(id=3615)
+        self.au = AddonUser.objects.get(user__email='del@icio.us',
+                                        addon=self.addon)
+        eq_(self.au.role, amo.AUTHOR_ROLE_OWNER)
+
+    def test_anon(self):
+        self.client.logout()
+        r = self.client.get(self.get_url, follow=True)
+        login = reverse('users.login')
+        self.assertRedirects(r, '%s?to=%s' % (login, self.get_url))
+
+    def test_dev_get(self):
+        eq_(self.client.get(self.get_url).status_code, 200)
+
+    def test_dev_post(self):
+        self.assertRedirects(self.client.post(self.post_url), self.get_url)
+
+    def test_viewer_get(self):
+        self.au.role = amo.AUTHOR_ROLE_VIEWER
+        self.au.save()
+        eq_(self.client.get(self.get_url).status_code, 200)
+
+    def test_viewer_post(self):
+        self.au.role = amo.AUTHOR_ROLE_VIEWER
+        self.au.save()
+        eq_(self.client.post(self.get_url).status_code, 403)
+
+
 class TestOwnership(test_utils.TestCase):
    fixtures = ['base/apps', 'base/users', 'base/addon_3615']

--- a/apps/devhub/views.py
+++ b/apps/devhub/views.py
@ -46,11 +46,13 @@ def dev_required(f):
    @functools.wraps(f)
    def wrapper(request, addon_id, *args, **kw):
        addon = get_object_or_404(Addon, id=addon_id)
-        if acl.check_addon_ownership(request, addon,
-                                     require_owner=False):
+        # Require an owner for POST requests.
+        if request.method == 'POST':
+            if acl.check_ownership(request, addon, require_owner=True):
+                return f(request, addon_id, addon, *args, **kw)
+        elif acl.check_ownership(request, addon, require_owner=False):
            return f(request, addon_id, addon, *args, **kw)
-        else:
-            return http.HttpResponseForbidden()
+        return http.HttpResponseForbidden()
    return wrapper