Better test for protected views

2019-08-09 13:16:30 +00:00 · 2019-08-09 13:16:30 +00:00 · b67f7bee04
--- a/apps/moz_desktop/views.py
+++ b/apps/moz_desktop/views.py
@ -31,11 +31,20 @@ def user_has_claim(func):
        # a redundant check for added security
        groups_header = request.META.get(settings.GROUPS_META_VAR, '')
        groups = groups_header.split('|') if groups_header else []
+        found_allow_admin = False
        try:
            allow_admin = os.environ["ALLOW_ADMIN"]
+            found_allow_admin = True
        except KeyError:
            allow_admin = False
-        if not allow_admin:
+
+        if not found_allow_admin:
+            try:
+                allow_admin = settings.ALLOW_ADMIN
+            except AttributeError:
+                allow_admin = False
+        
+        if not allow_admin or allow_admin == "False" or allow_admin == False:
            raise PermissionDenied
        if (hasattr(request, 'user') and request.user.is_authenticated and settings.OIDC_DESKTOP_CLAIM_GROUP is None):
            return func(request, *args, **kwargs)
--- a/apps/site/test_login.py
+++ b/apps/site/test_login.py
@ -98,7 +98,10 @@ class URLsTestALLOW_ADMIN_TRUE(TestCase):

 class URLsTestALLOW_ADMIN_FALSE(TestCase):

-    fixtures = ['users']
+    fixtures = [
+        'users',
+        'encrypteddisk',
+    ]

    def setUp(self):
        self.client = Client()
@ -109,3 +112,11 @@ class URLsTestALLOW_ADMIN_FALSE(TestCase):
        for key,value in namespaces_to_test.items():
            response = self.client.get(reverse(key, kwargs=value))
            self.assertEqual(response.status_code, 403)
+
+    @mock.patch.dict(os.environ, {'ALLOW_ADMIN': 'False'})
+    def test2_cannot_see_protected_urls_with_settings_override(self):
+        with self.settings(ALLOW_ADMIN=True):
+            self.client.login(username='test_normal_user', password='password')
+            for key,value in namespaces_to_test.items():
+                response = self.client.get(reverse(key, kwargs=value))
+                self.assertEqual(response.status_code, 403)
--- a/settings.py-dist
+++ b/settings.py-dist
@ -137,6 +137,7 @@ TEMPLATES = [
 ]

 MIDDLEWARE = [
+    'reversion.middleware.RevisionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',