diff --git a/tourist/routes.py b/tourist/routes.py
index 140fc34..dd46e8b 100644
--- a/tourist/routes.py
+++ b/tourist/routes.py
@@ -107,7 +107,7 @@ class ClubForm(FlaskForm):
 @tourist_bp.route("/edit/club/", methods=['GET', 'POST'])
 def edit_club(club_id):
- if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+ if not flask_login.current_user.edit_granted:
 return tourist.inaccessible_response()
 club = tstore.Club.query.get_or_404(club_id)
@@ -131,7 +131,7 @@ class PlaceForm(FlaskForm):
 @tourist_bp.route("/edit/place/", methods=['GET', 'POST'])
 def edit_place(place_id):
- if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+ if not flask_login.current_user.edit_granted:
 return tourist.inaccessible_response()
 place = tstore.Place.query.get_or_404(place_id)
@@ -204,7 +204,7 @@ def delete_place_children_and_flash(place: tstore.Place):
 @tourist_bp.route("/delete/place/", methods=['GET', 'POST'])
 def delete_place(place_id):
- if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+ if not flask_login.current_user.edit_granted:
 return tourist.inaccessible_response()
 place = tstore.Place.query.get_or_404(place_id)
@@ -222,7 +222,7 @@ def delete_place(place_id):
 @tourist_bp.route("/delete/club/", methods=['GET', 'POST'])
 def delete_club(club_id):
- if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+ if not flask_login.current_user.edit_granted:
 return tourist.inaccessible_response()
 club = tstore.Club.query.get_or_404(club_id)
@@ -240,7 +240,7 @@ def delete_club(club_id):
 @tourist_bp.route("/delete/pool/", methods=['GET', 'POST'])
 def delete_pool(pool_id):
- if not (flask_login.current_user.is_authenticated and flask_login.current_user.edit_granted):
+ if not flask_login.current_user.edit_granted:
 return tourist.inaccessible_response()
 pool = tstore.Pool.query.get_or_404(pool_id)
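Review bot: The new guard `if not flask_login.current_user.edit_granted:` only fails closed if the object Flask-Login substitutes for unauthenticated requests also defines `edit_granted`; the stock `AnonymousUserMixin` does not, so unless `login_manager.anonymous_user` points at a class that sets it to a falsy value (not visible in this diff), an anonymous request would hit `AttributeError` and surface as a 500 rather than the redirect that `inaccessible_response()` produces. The 302 the test file expects for an anonymous `/tourist/comments` suggests such a class exists for `can_view_comments`, but none of the five edit/delete views changed here is exercised without a login in this commit. I would record the assumption next to the check, e.g. `# relies on the anonymous user class defining edit_granted = False`, and give these routes the same unauthenticated test the comments view gets. The same applies to the edit_place, delete_place, delete_club and delete_pool hunks, and each view body continues below its hunk.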
@@ -324,5 +324,8 @@ def log_view_func():
 @tourist_bp.route("/comments")
 def comments_view_func():
+ if not flask_login.current_user.can_view_comments:
+ return tourist.inaccessible_response()
+
 comments = list(tstore.PlaceComment.query.order_by(tstore.PlaceComment.timestamp).all())
 return render_template("comments.html", comments=comments)
diff --git a/tourist/tests/test_login.py b/tourist/tests/test_login.py
index 2ec44a7..f3b0f2d 100644
--- a/tourist/tests/test_login.py
+++ b/tourist/tests/test_login.py
@@ -26,6 +26,9 @@ def test_heavy(test_app):
 response = c.get('/admin/place/edit/?id=3')
 assert response.status_code == 302 # Without login
+ response = c.get('/tourist/comments')
+ assert response.status_code == 302 # Without login, redirects
+
 # Login. This user isn't authorized to /admin
 with test_app.test_client(user=user_plain) as c:
 response = c.get('/tourist/')
@@ -48,6 +51,8 @@ def test_heavy(test_app):
 response = c.get('/admin/comment/')
 assert response.status_code == 403
+ response = c.get('/tourist/comments')
+ assert response.status_code == 403
 with test_app.app_context():
 new_au = tstore.Place.query.filter_by(short_name='au').first()
@@ -76,6 +81,9 @@ def test_heavy(test_app):
 assert response.status_code == 200
 assert b'Sign out' in response.data
+ response = c.get('/tourist/comments')
+ assert response.status_code == 200
+
 with test_app.app_context():
 new_au = tstore.Place.query.filter_by(short_name='au').one()
 assert new_au.name == 'Australia Changed'
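Review bot: The check added at the top of `comments_view_func` is the sixth verbatim copy in this commit of the `if not current_user.<flag>: return tourist.inaccessible_response()` pattern, and each copy has to be remembered individually when a new view is added. A small decorator parameterised on the attribute name would make the required permission visible in the view's header and keep the failure response in one place; it needs `functools.wraps` (stdlib, imported at the top of the file) so each wrapped view keeps its own endpoint name for the blueprint. I kept the plain attribute lookup so a misspelled flag still raises rather than silently denying, and the query and `render_template` call are unchanged.

```python
def _requires(attr):
    """Reject the request with tourist.inaccessible_response() unless
    current_user.<attr> is truthy.

    Relies on the anonymous user class defining <attr> as a falsy value.
    """
    def decorator(view):
        @functools.wraps(view)
        def wrapped(*args, **kwargs):
            if not getattr(flask_login.current_user, attr):
                return tourist.inaccessible_response()
            return view(*args, **kwargs)
        return wrapped
    return decorator


@tourist_bp.route("/comments")
@_requires("can_view_comments")
def comments_view_func():
    # … unchanged: PlaceComment query and render_template …
```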
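Review bot: The anonymous-user assertions added here cover only `/tourist/comments`, while the routes.py change in the same commit also drops the explicit `is_authenticated` check from the club, place and pool edit/delete views, which this test never requests without a login. Adding, next to the new lines, `response = c.get('/tourist/edit/club/1')` and `assert response.status_code == 302` (with the id segment adjusted to whatever the route actually declares — the parameter segment is not visible in this diff) would pin the redirect for those views as well, and a 500 from a missing attribute on the anonymous user would then be caught. test_heavy begins before this hunk and continues after it.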