diff --git a/src/postorius/tests/mailman_api_tests/test_domain_delete.py b/src/postorius/tests/mailman_api_tests/test_domain_delete.py
index d8ae96e..19e2fe9 100644
--- a/src/postorius/tests/mailman_api_tests/test_domain_delete.py
+++ b/src/postorius/tests/mailman_api_tests/test_domain_delete.py
@@ -50,17 +50,20 @@
 def test_access_basic_user(self):
 # Basic users can't delete domains
 self.client.login(username='testuser', password='testpass')
- self.assertRedirectsToLogin(self.url)
+ response = self.client.get(self.url)
+ self.assertEqual(response.status_code, 403)
 def test_access_moderators(self):
 # Moderators can't delete domains
 self.client.login(username='testmoderator', password='testpass')
- self.assertRedirectsToLogin(self.url)
+ response = self.client.get(self.url)
+ self.assertEqual(response.status_code, 403)
 def test_access_owners(self):
 # Owners can't delete domains
 self.client.login(username='testowner', password='testpass')
- self.assertRedirectsToLogin(self.url)
+ response = self.client.get(self.url)
+ self.assertEqual(response.status_code, 403)
 def test_domain_delete_confirm(self):
 # The user should be ask to confirm domain deletion on GET requests
diff --git a/src/postorius/tests/mailman_api_tests/test_domain_index.py b/src/postorius/tests/mailman_api_tests/test_domain_index.py
index 14e8a91..0f41c54 100644
--- a/src/postorius/tests/mailman_api_tests/test_domain_index.py
+++ b/src/postorius/tests/mailman_api_tests/test_domain_index.py
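Review bot: The three rewritten access tests in test_domain_delete.py (`test_access_basic_user`, `test_access_moderators`, `test_access_owners`) only issue a GET, so nothing in this hunk pins that a non-superuser POST to the delete URL is refused as well. The GET only reaches the confirmation page (per the comment in `test_domain_delete_confirm`) and the deletion presumably happens on POST, so I would add `response = self.client.post(self.url)` and `self.assertEqual(response.status_code, 403)` to each test, ideally followed by a check that the domain still exists. The same gap applies to `test_permission_denied` in test_domain_new.py and test_list_new.py, whose views appear to create objects on POST. Whether the old `assertRedirectsToLogin` helper exercised POST is not visible in this diff.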
@@ -50,27 +50,23 @@
 self.foo_list.add_moderator('moderator@example.com')
 def test_domain_index_not_accessible_to_public(self):
- # The list index page should contain the lists
 response = self.client.get(reverse('domain_index'))
 self.assertEqual(response.status_code, 302)
 def test_domain_index_not_accessible_to_unpriveleged_user(self):
- # The list index page should contain the lists
 self.client.login(username='testuser', password='testpass')
 response = self.client.get(reverse('domain_index'))
- self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.status_code, 403)
 def test_domain_index_not_accessible_to_moderators(self):
- # The list index page should contain the lists
 self.client.login(username='testmoderator', password='testpass')
 response = self.client.get(reverse('domain_index'))
- self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.status_code, 403)
 def test_domain_index_not_accessible_to_owners(self):
- # The list index page should contain the lists
 self.client.login(username='testowner', password='testpass')
 response = self.client.get(reverse('domain_index'))
- self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.status_code, 403)
 def test_domain_index_contains_the_domains(self):
 # The list index page should contain the lists
diff --git a/src/postorius/tests/mailman_api_tests/test_domain_new.py b/src/postorius/tests/mailman_api_tests/test_domain_new.py
index 5cb975e..ea92ae1 100644
--- a/src/postorius/tests/mailman_api_tests/test_domain_new.py
+++ b/src/postorius/tests/mailman_api_tests/test_domain_new.py
@@ -34,7 +34,8 @@
 def test_permission_denied(self):
 self.client.login(username='user', password='pwd')
- self.assertRedirectsToLogin(reverse('domain_new'))
+ response = self.client.get(reverse('domain_new'))
+ self.assertEqual(response.status_code, 403)
 def test_new_domain_created_with_owner(self):
 self.client.login(username='su', password='pwd')
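Review bot: In test_domain_index.py, `test_domain_index_not_accessible_to_public` still asserts a bare `302`, which would pass for any redirect and not only for a redirect to the login page. This commit now separates the anonymous case (redirect to login) from the authenticated non-superuser case (403), so the anonymous test should pin the redirect target, e.g. `self.assertRedirectsToLogin(reverse('domain_index'))`, assuming that helper (used in the sibling test modules before this change) is available on this test class. With the inaccurate copy-pasted comments removed, a short comment on each of the three 403 tests such as `# Authenticated non-superusers get 403, not a login redirect` would record the intended behaviour.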
diff --git a/src/postorius/tests/mailman_api_tests/test_list_new.py b/src/postorius/tests/mailman_api_tests/test_list_new.py
index 1a4420b..6b558c6 100644
--- a/src/postorius/tests/mailman_api_tests/test_list_new.py
+++ b/src/postorius/tests/mailman_api_tests/test_list_new.py
@@ -35,7 +35,8 @@
 def test_permission_denied(self):
 self.client.login(username='user', password='pwd')
- self.assertRedirectsToLogin(reverse('list_new'))
+ response = self.client.get(reverse('list_new'))
+ self.assertEqual(response.status_code, 403)
 def test_new_list_created_with_owner(self):
 self.client.login(username='su', password='pwd')
diff --git a/src/postorius/views/domain.py b/src/postorius/views/domain.py
index 919161c..cd78907 100644
--- a/src/postorius/views/domain.py
+++ b/src/postorius/views/domain.py
@@ -18,7 +18,7 @@
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.shortcuts import render, redirect
 from django.utils.translation import gettext as _
 from django_mailman3.lib.mailman import get_mailman_client
@@ -27,12 +27,13 @@
 except ImportError:
 from urllib.error import HTTPError
 from postorius import utils
+from postorius.auth.decorators import superuser_or_403
 from postorius.models import Domain, MailmanApiError
 from postorius.forms import DomainNew
 @login_required
-@user_passes_test(lambda u: u.is_superuser)
+@superuser_or_403
 def domain_index(request):
 try:
 existing_domains = Domain.objects.all()
@@ -43,7 +44,7 @@
 @login_required
-@user_passes_test(lambda u: u.is_superuser)
+@superuser_or_403
 def domain_new(request):
 if request.method == 'POST':
 form = DomainNew(request.POST)
@@ -69,7 +70,7 @@
 @login_required
-@user_passes_test(lambda u: u.is_superuser)
+@superuser_or_403
 def domain_delete(request, domain):
 """Deletes a domain but asks for confirmation first.
 """
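Review bot: On `domain_delete` (and likewise `domain_index`, `domain_new`, and `list_new` in views/list.py) the access check now rests entirely on `superuser_or_403`, whose definition in `postorius.auth.decorators` is not part of this diff, so its behaviour cannot be confirmed from here. The decorator order is load-bearing: `@login_required` has to stay outermost so that anonymous requests are redirected to login before the superuser check runs, which the retained 302 expectation in test_domain_index.py relies on. I would record that above each decorator stack with a comment such as `# login_required stays outermost: anonymous -> login redirect, authenticated non-superuser -> 403`. The body of `domain_delete` continues outside the hunk.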
diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 19309bf..2e890e1 100644
--- a/src/postorius/views/list.py
+++ b/src/postorius/views/list.py
@@ -23,7 +23,7 @@
 from django.http import HttpResponse, HttpResponseNotAllowed, Http404
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required, user_passes_test
+from django.contrib.auth.decorators import login_required
 from django.core.urlresolvers import reverse
 from django.core.validators import validate_email
 from django.forms import formset_factory
@@ -47,7 +47,7 @@
 ListHeaderMatchForm, ListHeaderMatchFormset, MemberModeration)
 from postorius.models import Domain, List, MailmanApiError, Mailman404Error
 from postorius.auth.decorators import (
- list_owner_required, list_moderator_required)
+ list_owner_required, list_moderator_required, superuser_or_403)
 from postorius.views.generic import MailingListView
@@ -487,7 +487,7 @@
 @login_required
-@user_passes_test(lambda u: u.is_superuser)
+@superuser_or_403
 def list_new(request, template='postorius/lists/new.html'):
 """
 Add a new mailing list.