fix comments authz (#83)

I wasn't checking for `can_view_comments` in `routes.py` - check current_user.can_view_comments before showing comments - rm redundant is_authenticated checks
TomGoBravo · Aug 12, 2023 · 927c2b7 · 927c2b7
1 parent 9a93707
commit 927c2b7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/tourist/routes.py b/tourist/routes.py
@@ -107,7 +107,7 @@ class ClubForm(FlaskForm):
 
 @tourist_bp.route("/edit/club/<int:club_id>", methods=['GET', 'POST'])
 def edit_club(club_id):
-    if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+    if not flask_login.current_user.edit_granted:
         return tourist.inaccessible_response()
 
     club = tstore.Club.query.get_or_404(club_id)
@@ -131,7 +131,7 @@ class PlaceForm(FlaskForm):
 
 @tourist_bp.route("/edit/place/<int:place_id>", methods=['GET', 'POST'])
 def edit_place(place_id):
-    if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+    if not flask_login.current_user.edit_granted:
         return tourist.inaccessible_response()
 
     place = tstore.Place.query.get_or_404(place_id)
@@ -204,7 +204,7 @@ def delete_place_children_and_flash(place: tstore.Place):
 
 @tourist_bp.route("/delete/place/<int:place_id>", methods=['GET', 'POST'])
 def delete_place(place_id):
-    if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+    if not flask_login.current_user.edit_granted:
         return tourist.inaccessible_response()
 
     place = tstore.Place.query.get_or_404(place_id)
@@ -222,7 +222,7 @@ def delete_place(place_id):
 
 @tourist_bp.route("/delete/club/<int:club_id>", methods=['GET', 'POST'])
 def delete_club(club_id):
-    if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+    if not flask_login.current_user.edit_granted:
         return tourist.inaccessible_response()
 
     club = tstore.Club.query.get_or_404(club_id)
@@ -240,7 +240,7 @@ def delete_club(club_id):
 
 @tourist_bp.route("/delete/pool/<int:pool_id>", methods=['GET', 'POST'])
 def delete_pool(pool_id):
-    if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+    if not flask_login.current_user.edit_granted:
         return tourist.inaccessible_response()
 
     pool = tstore.Pool.query.get_or_404(pool_id)
@@ -324,5 +324,8 @@ def log_view_func():
 
 @tourist_bp.route("/comments")
 def comments_view_func():
+    if not flask_login.current_user.can_view_comments:
+        return tourist.inaccessible_response()
+
     comments = list(tstore.PlaceComment.query.order_by(tstore.PlaceComment.timestamp).all())
     return render_template("comments.html", comments=comments)
diff --git a/tourist/tests/test_login.py b/tourist/tests/test_login.py
@@ -26,6 +26,9 @@ def test_heavy(test_app):
         response = c.get('/admin/place/edit/?id=3')
         assert response.status_code == 302  # Without login
 
+        response = c.get('/tourist/comments')
+        assert response.status_code == 302  # Without login, redirects
+
     # Login. This user isn't authorized to /admin
     with test_app.test_client(user=user_plain) as c:
         response = c.get('/tourist/')
@@ -48,6 +51,8 @@ def test_heavy(test_app):
         response = c.get('/admin/comment/')
         assert response.status_code == 403
 
+        response = c.get('/tourist/comments')
+        assert response.status_code == 403
 
     with test_app.app_context():
         new_au = tstore.Place.query.filter_by(short_name='au').first()
@@ -76,6 +81,9 @@ def test_heavy(test_app):
         assert response.status_code == 200
         assert b'Sign out' in response.data
 
+        response = c.get('/tourist/comments')
+        assert response.status_code == 200
+
     with test_app.app_context():
         new_au = tstore.Place.query.filter_by(short_name='au').one()
         assert new_au.name == 'Australia Changed'