www.apply: restrict views to their expected user kinds

gip-inclusion · Jan 23, 2025 · a4698d7 · a4698d7
1 parent a044440
commit a4698d7
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/itou/www/apply/views/process_views.py b/itou/www/apply/views/process_views.py
@@ -7,7 +7,7 @@
 import sentry_sdk
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Count, Exists, F, OuterRef, Q
@@ -573,9 +573,12 @@ def accept(request, job_application_id, template_name="apply/process_accept.html
     )
 
 
-class AcceptHTMXFragmentView(TemplateView):
+class AcceptHTMXFragmentView(UserPassesTestMixin, TemplateView):
     NO_ERROR_FIELDS = []
 
+    def test_func(self):
+        return self.request.user.is_employer
+
     def setup(self, request, company_pk=None, *args, **kwargs):
         super().setup(request, *args, **kwargs)
 

diff --git a/itou/www/apply/views/submit_views.py b/itou/www/apply/views/submit_views.py
@@ -20,6 +20,7 @@
 from itou.job_applications.models import JobApplication
 from itou.users.enums import UserKind
 from itou.users.models import User
+from itou.utils.auth import check_user
 from itou.utils.session import SessionNamespace
 from itou.utils.urls import add_url_params
 from itou.www.apply.forms import ApplicationJobsForm, SubmitJobApplicationForm
@@ -775,6 +776,7 @@ def get_context_data(self, **kwargs):
         }
 
 
+@check_user(lambda user: user.is_employer)
 def eligibility_for_hire(
     request,
     company_pk,
@@ -811,6 +813,7 @@ def eligibility_for_hire(
     )
 
 
+@check_user(lambda user: user.is_employer)
 def geiq_eligibility_for_hire(
     request,
     company_pk,
@@ -847,6 +850,7 @@ def geiq_eligibility_for_hire(
     )
 
 
+@check_user(lambda user: user.is_employer)
 def geiq_eligibility_criteria_for_hire(request, company_pk, job_seeker_public_id):
     company = get_object_or_404(
         Company.objects.filter(pk__in={org.pk for org in request.organizations}, kind=CompanyKind.GEIQ), pk=company_pk
@@ -859,6 +863,7 @@ def geiq_eligibility_criteria_for_hire(request, company_pk, job_seeker_public_id
     )
 
 
+@check_user(lambda user: user.is_employer)
 def hire_confirmation(
     request,
     company_pk,

diff --git a/itou/www/approvals_views/views.py b/itou/www/approvals_views/views.py
@@ -32,6 +32,7 @@
 from itou.files.models import File
 from itou.job_applications.enums import JobApplicationState
 from itou.utils import constants as global_constants
+from itou.utils.auth import check_user
 from itou.utils.pagination import ItouPaginator, pager
 from itou.utils.perms.company import get_current_company_or_404
 from itou.utils.perms.prescriber import get_current_org_or_404
@@ -487,6 +488,7 @@ def prolongation_requests_list(request, template_name="approvals/prolongation_re
 
 
 @require_safe
+@check_user(lambda user: user.is_prescriber)
 def prolongation_request_report_file(request, prolongation_request_id):
     prolongation_request = get_object_or_404(
         ProlongationRequest,

diff --git a/tests/www/apply/__snapshots__/test_submit.ambr b/tests/www/apply/__snapshots__/test_submit.ambr
@@ -173,6 +173,7 @@
       dict({
         'origin': list([
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "companies_company"."id",
@@ -220,6 +221,7 @@
       dict({
         'origin': list([
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "users_user"."id",
@@ -307,6 +309,7 @@
           'User.new_approval_blocked_by_waiting_period[users/models.py]',
           '_check_job_seeker_approval[www/apply/views/submit_views.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "approvals_approval"."id",
@@ -342,6 +345,7 @@
           'User.new_approval_blocked_by_waiting_period[users/models.py]',
           '_check_job_seeker_approval[www/apply/views/submit_views.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "eligibility_eligibilitydiagnosis"."id",
@@ -479,6 +483,7 @@
           'User.new_approval_blocked_by_waiting_period[users/models.py]',
           '_check_job_seeker_approval[www/apply/views/submit_views.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "approvals_poleemploiapproval"."id",
@@ -518,6 +523,7 @@
           'EligibilityDiagnosisQuerySet.first[<site-packages>/django/db/models/query.py]',
           'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "eligibility_eligibilitydiagnosis"."id",
@@ -651,6 +657,7 @@
           'EligibilityDiagnosisQuerySet.first[<site-packages>/django/db/models/query.py]',
           'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "eligibility_selectedadministrativecriteria"."id",
@@ -672,6 +679,7 @@
           'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "eligibility_eligibilitydiagnosis"."id",
@@ -807,6 +815,7 @@
           'JobSeekerPersonalDataForm.__init__[common_apps/nir/forms.py]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "asp_commune"."id",
@@ -828,6 +837,7 @@
           'JobSeekerPersonalDataForm.__init__[common_apps/nir/forms.py]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "asp_country"."id",
@@ -845,6 +855,7 @@
           'AcceptForm.__init__[www/apply/forms.py]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "companies_jobdescription"."id",
@@ -904,6 +915,7 @@
           'ExtendsNode[apply/submit/hire_confirmation.html]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT %s AS "a"
@@ -934,6 +946,7 @@
           'ExtendsNode[apply/submit/hire_confirmation.html]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "eligibility_selectedadministrativecriteria"."id",
@@ -964,6 +977,7 @@
           'ExtendsNode[apply/submit/hire_confirmation.html]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "asp_commune"."id",
@@ -991,6 +1005,7 @@
           'ExtendsNode[apply/submit/hire_confirmation.html]',
           '_accept[www/apply/views/common.py]',
           'hire_confirmation[www/apply/views/submit_views.py]',
+          '_check_user_view_wrapper[utils/auth.py]',
         ]),
         'sql': '''
           SELECT "asp_country"."id",