Only staff users can view member list

interna/front/mixins.py

@@ -0,0 +1,9 @@
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+
+
+class StaffRequiredMixin(UserPassesTestMixin, LoginRequiredMixin):
+    """
+    Require login as staff.
+    """
+    def test_func(self):
+        return self.request.user.is_staff

interna/front/templates/front/base.html

@@ -36,7 +36,7 @@
                 <div class="navbar-collapse collapse">
                     <ul class="nav navbar-nav">
                         <li class="{% ifactivetab 'navigation' 'home' %}active{% endifactivetab %}"><a href="{% url 'front:home' %}">Home</a></li>
-                        <li class="{% ifactivetab 'navigation' 'members' %}active{% endifactivetab %}"><a href="{% url 'front:members' %}">Mitglieder</a></li>
+                        {% if user.is_staff %}<li class="{% ifactivetab 'navigation' 'members' %}active{% endifactivetab %}"><a href="{% url 'front:members' %}">Mitglieder</a></li>{% endif %}
                         <li class="{% ifactivetab 'navigation' 'inventory' %}active{% endifactivetab %}"><a href="{% url 'inventory:index' %}">Inventar</a></li>
                         <li class="{% ifactivetab 'navigation' 'crowdfund' %}active{% endifactivetab %}"><a href="{% url 'crowdfund:index' %}">Crowdfund</a></li>
                         <li class="{% ifactivetab 'navigation' 'wishlist' %}active{% endifactivetab %}"><a href="{% url 'front:wishlist' %}">Wishlist</a></li>

interna/front/templates/front/members.html

@@ -17,18 +17,14 @@
 {% block content %}
     <h1>Mitglieder</h1>
 
-    <p>Unsere aktuellen Mitglieder. {% if user.is_staff %}Um Einträge zu ändern
-    oder neue Mitglieder hinzuzufügen, benutze das
-    <a href="{% url 'admin:index' %}">Admin Interface</a>.{% endif %}</p>
-
+    <p>Unsere aktuellen Mitglieder. Um Einträge zu ändern oder neue Mitglieder hinzuzufügen, benutze das
+    <a href="{% url 'admin:index' %}">Admin Interface</a>.</p>
 
     <div class="clearfix">
         <h3 class="display-inline-block">Aktivmitglieder ({{ active_memberships|length }})</h3>
-        {% if user.is_staff %}
-            <div class="staff-actions pull-right">
-                <a href="{% url 'front:member_emails' %}"><span class="glyphicon glyphicon-envelope" aria-hidden="true"></span> E-Mail-Liste</a>
-            </div>
-        {% endif %}
+        <div class="staff-actions pull-right">
+            <a href="{% url 'front:member_emails' %}"><span class="glyphicon glyphicon-envelope" aria-hidden="true"></span> E-Mail-Liste</a>
+        </div>
     </div>
 
     <table class="table table-striped table-hover">
@@ -64,9 +60,6 @@ <h3 class="display-inline-block">Aktivmitglieder ({{ active_memberships|length }
         </tbody>
     </table>
 
-
-    {% if user.is_staff %}
-
     <h3>Ehemalige Mitglieder ({{ expired_members|length }})</h3>
 
     <table class="table table-striped table-hover">
@@ -88,6 +81,4 @@ <h3>Ehemalige Mitglieder ({{ expired_members|length }})</h3>
         </tbody>
     </table>
 
-    {% endif %}
-
 {% endblock %}

interna/front/views.py

@@ -1,10 +1,10 @@
 from django.contrib import messages
 from django.contrib.auth import logout
-from django.contrib.auth.mixins import LoginRequiredMixin
 from django.shortcuts import redirect
 from django.views.generic.base import View, TemplateView
 
 from memberdb import models
+from .mixins import StaffRequiredMixin
 
 
 class HomeView(TemplateView):
@@ -20,7 +20,7 @@ def get(self, request, *args, **kwargs):
         return redirect('front:home')
 
 
-class MembersView(LoginRequiredMixin, TemplateView):
+class MembersView(StaffRequiredMixin, TemplateView):
     """List members."""
     template_name = 'front/members.html'
 
@@ -35,7 +35,7 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class MemberEmailsView(LoginRequiredMixin, TemplateView):
+class MemberEmailsView(StaffRequiredMixin, TemplateView):
     """List email addresses of all active members."""
     template_name = 'front/member_emails.html'
 

interna/memberdb/tests/test_views.py

@@ -1,15 +1,15 @@
 from datetime import date
 
 from django.contrib.auth.models import User
+import django.test
 from pytest import mark
 from model_bakery import baker
 from rest_framework.test import APIRequestFactory, force_authenticate
 
 from .. import models, views
 
 
-class TestMembershipView:
-
+class TestApiMembershipView:
     @mark.django_db
     def test_active_members(self):
         # Test data: Create 3 members, 2 of them active
@@ -57,7 +57,6 @@ def test_auth_required(self):
     @mark.django_db
     @mark.parametrize('staff', [True, False])
     def test_admin_required(self, staff: bool):
-        print(staff)
         user = baker.make(User, is_staff=staff)
 
         factory = APIRequestFactory()
@@ -71,3 +70,39 @@ def test_admin_required(self, staff: bool):
         else:
             assert response.status_code == 403
             assert response.data['detail'].code == 'permission_denied'
+
+
+class TestMembersView:
+    @mark.django_db
+    @mark.parametrize('staff', [True, False])
+    def test_admin_required(self, client: django.test.Client, staff: bool):
+        # Auth
+        user = baker.make(User, is_staff=staff)
+        client.force_login(user)
+
+        # Request
+        response = client.get('/members/')
+
+        # Verify
+        if staff:
+            assert response.status_code == 200
+            assert b'Aktivmitglieder' in response.content
+        else:
+            assert response.status_code == 403
+            assert b'Aktivmitglieder' not in response.content
+
+    @mark.django_db
+    @mark.parametrize('staff', [True, False])
+    def test_emails_admin_required(self, client: django.test.Client, staff: bool):
+        # Auth
+        user = baker.make(User, is_staff=staff)
+        client.force_login(user)
+
+        # Request
+        response = client.get('/members/emails/')
+
+        # Verify
+        if staff:
+            assert response.status_code == 200
+        else:
+            assert response.status_code == 403