feat: add logic to prevent edit for some user accounts
mostly for sake of online demo, so a "permanent" demo user can be established
This commit is contained in:
parent
6fd6229a9e
commit
24ddb7b905
|
@ -661,7 +661,9 @@
|
|||
</a>
|
||||
${h.end_form()}
|
||||
% endif
|
||||
% if request.is_root or not request.user.prevent_edit:
|
||||
${h.link_to("Change Password", url('change_password'), class_='navbar-item')}
|
||||
% endif
|
||||
${h.link_to("Logout", url('logout'), class_='navbar-item')}
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
@ -157,6 +157,9 @@ class AuthView(View):
|
|||
if not self.request.user:
|
||||
return self.redirect(self.request.route_url('home'))
|
||||
|
||||
if self.request.user.prevent_edit:
|
||||
raise self.forbidden()
|
||||
|
||||
form = self.make_form(schema=self.change_password_make_schema(),
|
||||
show_button_cancel=False,
|
||||
show_button_reset=True)
|
||||
|
|
|
@ -29,8 +29,8 @@ Most apps should include this module::
|
|||
|
||||
That will in turn include the following modules:
|
||||
|
||||
* :mod:`wuttaweb.views.auth`
|
||||
* :mod:`wuttaweb.views.common`
|
||||
* :mod:`wuttaweb.views.auth`
|
||||
* :mod:`wuttaweb.views.settings`
|
||||
* :mod:`wuttaweb.views.progress`
|
||||
* :mod:`wuttaweb.views.people`
|
||||
|
@ -43,8 +43,8 @@ That will in turn include the following modules:
|
|||
def defaults(config, **kwargs):
|
||||
mod = lambda spec: kwargs.get(spec, spec)
|
||||
|
||||
config.include(mod('wuttaweb.views.auth'))
|
||||
config.include(mod('wuttaweb.views.common'))
|
||||
config.include(mod('wuttaweb.views.auth'))
|
||||
config.include(mod('wuttaweb.views.settings'))
|
||||
config.include(mod('wuttaweb.views.progress'))
|
||||
config.include(mod('wuttaweb.views.people'))
|
||||
|
|
|
@ -95,6 +95,15 @@ class UserView(MasterView):
|
|||
if not user.active:
|
||||
return 'has-background-warning'
|
||||
|
||||
def is_editable(self, user):
|
||||
""" """
|
||||
|
||||
# only root can edit certain users
|
||||
if user.prevent_edit and not self.request.is_root:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def configure_form(self, f):
|
||||
""" """
|
||||
super().configure_form(f)
|
||||
|
|
|
@ -80,11 +80,18 @@ class TestAuthView(WebTestCase):
|
|||
redirect = view.change_password()
|
||||
self.assertIsInstance(redirect, HTTPFound)
|
||||
|
||||
# now "login" the user, and set initial password
|
||||
self.request.user = barney
|
||||
# set initial password
|
||||
auth.set_user_password(barney, 'foo')
|
||||
self.session.commit()
|
||||
|
||||
# forbidden if prevent_edit is set for user
|
||||
self.request.user = barney
|
||||
barney.prevent_edit = True
|
||||
self.assertRaises(HTTPForbidden, view.change_password)
|
||||
|
||||
# okay let's test with edit allowed
|
||||
barney.prevent_edit = False
|
||||
|
||||
# view should now return context w/ form
|
||||
context = view.change_password()
|
||||
self.assertIn('form', context)
|
||||
|
|
|
@ -42,6 +42,26 @@ class TestUserView(WebTestCase):
|
|||
user.active = False
|
||||
self.assertEqual(view.grid_row_class(user, data, 1), 'has-background-warning')
|
||||
|
||||
def test_is_editable(self):
|
||||
model = self.app.model
|
||||
view = self.make_view()
|
||||
|
||||
# active user is editable
|
||||
user = model.User(username='barney', active=True)
|
||||
self.assertTrue(view.is_editable(user))
|
||||
|
||||
# inactive also editable
|
||||
user = model.User(username='barney', active=False)
|
||||
self.assertTrue(view.is_editable(user))
|
||||
|
||||
# but not if prevent_edit flag is set
|
||||
user = model.User(username='barney', prevent_edit=True)
|
||||
self.assertFalse(view.is_editable(user))
|
||||
|
||||
# unless request user is root
|
||||
self.request.is_root = True
|
||||
self.assertTrue(view.is_editable(user))
|
||||
|
||||
def test_configure_form(self):
|
||||
model = self.app.model
|
||||
barney = model.User(username='barney')
|
||||
|
|
Loading…
Reference in a new issue