archive/healthchecks_healthchecks
0
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2025-04-03 04:15:29 +00:00
Code Issues Projects Releases Wiki Activity

Read-only users cannot edit or remove channels.

Browse source
This commit is contained in:
Pēteris Caune 2020-08-26 14:48:31 +03:00
parent 24c34430ac
commit 39198c827a
No known key found for this signature in database
GPG key ID: E28D7679E9A9EDE2
9 changed files with 92 additions and 30 deletions

13
hc/front/tests/test_channels.py
View file

@ -108,3 +108,16 @@ class ChannelsTestCase(BaseTestCase):
self.client.login(username="alice@example.org", password="password")
r = self.client.get(self.channels_url)
self.assertContains(r, "broken-channels", status_code=200)
def test_it_hides_actions_from_readonly_users(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
Channel.objects.create(project=self.project, kind="webhook", value="{}")
self.client.login(username="bob@example.org", password="password")
r = self.client.get(self.channels_url)
self.assertNotContains(r, "Add Integration", status_code=200)
self.assertNotContains(r, "icon-delete")
self.assertNotContains(r, "edit_webhook")

8
hc/front/tests/test_edit_webhook.py
View file

@ -82,3 +82,11 @@ class EditWebhookTestCase(BaseTestCase):
self.client.login(username="alice@example.org", password="password")
r = self.client.get(self.url)
self.assertEqual(r.status_code, 400)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.url, {})
self.assertEqual(r.status_code, 403)

25
hc/front/tests/test_remove_channel.py
View file

@ -9,20 +9,18 @@ class RemoveChannelTestCase(BaseTestCase):
self.channel.value = "alice@example.org"
self.channel.save()
def test_it_works(self):
url = "/integrations/%s/remove/" % self.channel.code
self.url = "/integrations/%s/remove/" % self.channel.code
def test_it_works(self):
self.client.login(username="alice@example.org", password="password")
r = self.client.post(url)
r = self.client.post(self.url)
self.assertRedirects(r, self.channels_url)
assert Channel.objects.count() == 0
def test_team_access_works(self):
url = "/integrations/%s/remove/" % self.channel.code
self.client.login(username="bob@example.org", password="password")
self.client.post(url)
self.client.post(self.url)
assert Channel.objects.count() == 0
def test_it_handles_bad_uuid(self):
@ -33,10 +31,8 @@ class RemoveChannelTestCase(BaseTestCase):
self.assertEqual(r.status_code, 404)
def test_it_checks_owner(self):
url = "/integrations/%s/remove/" % self.channel.code
self.client.login(username="charlie@example.org", password="password")
r = self.client.post(url)
r = self.client.post(self.url)
self.assertEqual(r.status_code, 404)
def test_it_handles_missing_uuid(self):
@ -48,7 +44,14 @@ class RemoveChannelTestCase(BaseTestCase):
self.assertEqual(r.status_code, 404)
def test_it_rejects_get(self):
url = "/integrations/%s/remove/" % self.channel.code
self.client.login(username="alice@example.org", password="password")
r = self.client.get(url)
r = self.client.get(self.url)
self.assertEqual(r.status_code, 405)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.url)
self.assertEqual(r.status_code, 403)

10
hc/front/tests/test_update_channel.py
View file

@ -70,3 +70,13 @@ class UpdateChannelTestCase(BaseTestCase):
self.client.login(username="alice@example.org", password="password")
r = self.client.post(self.channels_url, data=payload)
self.assertEqual(r.status_code, 400)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
payload = {"channel": self.channel.code}
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.channels_url, data=payload)
self.assertEqual(r.status_code, 403)

10
hc/front/tests/test_update_channel_name.py
View file

@ -51,3 +51,13 @@ class UpdateChannelNameTestCase(BaseTestCase):
self.client.login(username="alice@example.org", password="password")
r = self.client.get(self.url)
self.assertEqual(r.status_code, 405)
def test_it_requires_rw_access(self):
self.bobs_membership.rw = False
self.bobs_membership.save()
payload = {"name": "My work email"}
self.client.login(username="bob@example.org", password="password")
r = self.client.post(self.url, data=payload)
self.assertEqual(r.status_code, 403)

38
hc/front/views.py
View file

@ -110,15 +110,23 @@ def _get_channel_for_user(request, code):
assert request.user.is_authenticated
q = Channel.objects
if not request.user.is_superuser:
project_ids = request.profile.projects().values("id")
q = q.filter(project_id__in=project_ids)
channel = get_object_or_404(Channel.objects.select_related("project"), code=code)
if request.user.is_superuser:
return channel, True
try:
return q.get(code=code)
except Channel.DoesNotExist:
raise Http404("not found")
if request.user.id == channel.project.owner_id:
return channel, True
membership = get_object_or_404(Member, project=channel.project, user=request.user)
return channel, membership.rw
def _get_rw_channel_for_user(request, code):
channel, rw = _get_channel_for_user(request, code)
if not rw:
raise PermissionDenied
return channel
def _get_project_for_user(request, project_code):
@ -693,6 +701,9 @@ def channels(request, code):
project, rw = _get_project_for_user(request, code)
if request.method == "POST":
if not rw:
return HttpResponseForbidden()
code = request.POST["channel"]
try:
channel = Channel.objects.get(code=code)
@ -722,6 +733,7 @@ def channels(request, code):
ctx = {
"page": "channels",
"rw": rw,
"project": project,
"profile": project.owner_profile,
"channels": channels,
@ -746,7 +758,7 @@ def channels(request, code):
@login_required
def channel_checks(request, code):
channel = _get_channel_for_user(request, code)
channel = _get_rw_channel_for_user(request, code)
assigned = set(channel.checks.values_list("code", flat=True).distinct())
checks = Check.objects.filter(project=channel.project).order_by("created")
@ -759,7 +771,7 @@ def channel_checks(request, code):
@require_POST
@login_required
def update_channel_name(request, code):
channel = _get_channel_for_user(request, code)
channel = _get_rw_channel_for_user(request, code)
form = forms.ChannelNameForm(request.POST)
if form.is_valid():
@ -817,7 +829,7 @@ def unsubscribe_email(request, code, signed_token):
@require_POST
@login_required
def send_test_notification(request, code):
channel = _get_channel_for_user(request, code)
channel, rw = _get_channel_for_user(request, code)
dummy = Check(name="TEST", status="down")
dummy.last_ping = timezone.now() - td(days=1)
@ -846,7 +858,7 @@ def send_test_notification(request, code):
@require_POST
@login_required
def remove_channel(request, code):
channel = _get_channel_for_user(request, code)
channel = _get_rw_channel_for_user(request, code)
project = channel.project
channel.delete()
@ -926,7 +938,7 @@ def add_webhook(request, code):
@login_required
def edit_webhook(request, code):
channel = _get_channel_for_user(request, code)
channel = _get_rw_channel_for_user(request, code)
if channel.kind != "webhook":
return HttpResponseBadRequest()

6
static/css/channels.css
View file

@ -54,7 +54,6 @@ table.channels-table > tbody > tr > th {
.edit-name, .edit-checks {
padding: 12px 6px;
border: 1px solid transparent;
cursor: pointer;
}
.edit-name .channel-details-mini {
@ -70,9 +69,10 @@ table.channels-table > tbody > tr > th {
color: #111;
}
.channel-row:hover .edit-name,
.channel-row:hover .edit-checks {
.rw .channel-row:hover .edit-name,
.rw .channel-row:hover .edit-checks {
border: 1px dotted #AAA;
cursor: pointer;
}
.edit-checks {

2
static/js/channels.js
View file

@ -1,6 +1,6 @@
$(function() {
$(".edit-checks").click(function() {
$(".rw .edit-checks").click(function() {
$("#checks-modal").modal("show");
$.ajax(this.dataset.url).done(function(data) {
$("#checks-modal .modal-content").html(data);

10
templates/front/channels.html
View file

@ -16,7 +16,7 @@
<div class="col-sm-12">
{% if channels %}
<table class="table channels-table">
<table class="table channels-table {% if rw %}rw{% endif %}">
<tr>
<th></th>
<th class="th-name">Name, Details</th>
@ -132,7 +132,7 @@
{% endif %}
</td>
<td class="actions">
{% if ch.kind == "webhook" %}
{% if ch.kind == "webhook" and rw %}
<a class="btn btn-sm btn-default" href="{% url 'hc-edit-webhook' ch.code %}">Edit</a>
{% endif %}
<form action="{% url 'hc-channel-test' ch.code %}" method="post">
@ -145,6 +145,7 @@
Test!
</button>
</form>
{% if rw %}
<button
data-kind="{{ ch.get_kind_display }}"
data-url="{% url 'hc-remove-channel' ch.code %}"
@ -152,6 +153,7 @@
type="button">
<span class="icon-delete"></span>
</button>
{% endif %}
</td>
<td>
@ -173,6 +175,7 @@
{% endif %}
{% if rw %}
<h1 class="ai-title">Add More</h1>
<ul class="add-integration">
<li>
@ -431,6 +434,7 @@
</li>
</ul>
{% endif %}
</div>
</div>
@ -472,6 +476,7 @@
</div>
</div>
{% if rw %}
{% for ch in channels %}
<div id="name-{{ ch.code }}" class="modal channel-modal">
<div class="modal-dialog">
@ -566,6 +571,7 @@
</div>
</div>
{% endfor %}
{% endif %}
{% endblock %}