From a4698d78085e3d0cef781f5ab3b5a4a60c3ecebc Mon Sep 17 00:00:00 2001 From: Xavier Fernandez Date: Thu, 23 Jan 2025 16:33:40 +0100 Subject: [PATCH] www.apply: restrict views to their expected user kinds --- itou/www/apply/views/process_views.py | 7 +++++-- itou/www/apply/views/submit_views.py | 5 +++++ itou/www/approvals_views/views.py | 2 ++ tests/www/apply/__snapshots__/test_submit.ambr | 15 +++++++++++++++ 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/itou/www/apply/views/process_views.py b/itou/www/apply/views/process_views.py index 6ce429a743..d2b235b586 100644 --- a/itou/www/apply/views/process_views.py +++ b/itou/www/apply/views/process_views.py @@ -7,7 +7,7 @@ import sentry_sdk from django.conf import settings from django.contrib import messages -from django.contrib.auth.mixins import LoginRequiredMixin +from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin from django.core.exceptions import PermissionDenied from django.db import transaction from django.db.models import Count, Exists, F, OuterRef, Q @@ -573,9 +573,12 @@ def accept(request, job_application_id, template_name="apply/process_accept.html ) -class AcceptHTMXFragmentView(TemplateView): +class AcceptHTMXFragmentView(UserPassesTestMixin, TemplateView): NO_ERROR_FIELDS = [] + def test_func(self): + return self.request.user.is_employer + def setup(self, request, company_pk=None, *args, **kwargs): super().setup(request, *args, **kwargs) diff --git a/itou/www/apply/views/submit_views.py b/itou/www/apply/views/submit_views.py index 7d7e3596ef..57fb6be7b8 100644 --- a/itou/www/apply/views/submit_views.py +++ b/itou/www/apply/views/submit_views.py 
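Review bot: `UserPassesTestMixin` runs `test_func` from `dispatch()`, which Django calls only after `setup()`, so the `setup(self, request, company_pk=None, ...)` override at the end of this hunk still executes for non-employer users before the new check turns them away; `setup`'s body continues outside the hunk, and if it resolves `company_pk` against the database there, a 404 from that lookup reaches users the mixin is meant to reject, and the work is done for nothing. Consider resolving the company lazily (in `dispatch`/`get_context_data` or a `cached_property`) or applying the kind check at the top of `setup` itself. Separately, `test_func` reads `self.request.user.is_employer` with no `LoginRequiredMixin` in the bases (it is already imported in the first hunk), so for an unauthenticated request this relies on the project's anonymous-user object exposing `is_employer` — confirm, or put `LoginRequiredMixin` ahead of the new mixin. A one-line docstring on `test_func`, `"""Only employers may render the accept-form fragments."""`, would document the intent the mixin name hides.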
@@ -20,6 +20,7 @@ from itou.job_applications.models import JobApplication from itou.users.enums import UserKind from itou.users.models import User +from itou.utils.auth import check_user from itou.utils.session import SessionNamespace from itou.utils.urls import add_url_params from itou.www.apply.forms import ApplicationJobsForm, SubmitJobApplicationForm @@ -775,6 +776,7 @@ def get_context_data(self, **kwargs): } +@check_user(lambda user: user.is_employer) def eligibility_for_hire( request, company_pk, @@ -811,6 +813,7 @@ def eligibility_for_hire( ) +@check_user(lambda user: user.is_employer) def geiq_eligibility_for_hire( request, company_pk, @@ -847,6 +850,7 @@ def geiq_eligibility_for_hire( ) +@check_user(lambda user: user.is_employer) def geiq_eligibility_criteria_for_hire(request, company_pk, job_seeker_public_id): company = get_object_or_404( Company.objects.filter(pk__in={org.pk for org in request.organizations}, kind=CompanyKind.GEIQ), pk=company_pk @@ -859,6 +863,7 @@ def geiq_eligibility_criteria_for_hire(request, company_pk, job_seeker_public_id ) +@check_user(lambda user: user.is_employer) def hire_confirmation( request, company_pk, diff --git a/itou/www/approvals_views/views.py b/itou/www/approvals_views/views.py index 05b08209e0..79b2279022 100644 --- a/itou/www/approvals_views/views.py +++ b/itou/www/approvals_views/views.py @@ -32,6 +32,7 @@ from itou.files.models import File from itou.job_applications.enums import JobApplicationState from itou.utils import constants as global_constants +from itou.utils.auth import check_user from itou.utils.pagination import ItouPaginator, pager from itou.utils.perms.company import get_current_company_or_404 from itou.utils.perms.prescriber import get_current_org_or_404 
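Review bot: The predicate `lambda user: user.is_employer` is repeated verbatim on `eligibility_for_hire`, `geiq_eligibility_for_hire`, `geiq_eligibility_criteria_for_hire` and `hire_confirmation` (and again as `test_func` in process_views.py); binding it once near the imports, `employer_required = check_user(lambda user: user.is_employer)`, and decorating with `@employer_required` keeps the four views in lockstep if the rule ever changes. The decorator is a user-kind check only, not an object-level one: `geiq_eligibility_criteria_for_hire` visibly scopes the company lookup to `request.organizations`, but the bodies of the other three views run past the hunk, so whether they enforce the same company membership cannot be confirmed here and is worth verifying. As in process_views.py, the lambda dereferences `user.is_employer` without a visible login requirement, so an unauthenticated request presumably depends on `check_user` or the anonymous-user object handling that — confirm.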
@@ -487,6 +488,7 @@ def prolongation_requests_list(request, template_name="approvals/prolongation_re @require_safe +@check_user(lambda user: user.is_prescriber) def prolongation_request_report_file(request, prolongation_request_id): prolongation_request = get_object_or_404( ProlongationRequest, diff --git a/tests/www/apply/__snapshots__/test_submit.ambr b/tests/www/apply/__snapshots__/test_submit.ambr index 3e18f85982..e1d9e7b9d4 100644 --- a/tests/www/apply/__snapshots__/test_submit.ambr +++ b/tests/www/apply/__snapshots__/test_submit.ambr @@ -173,6 +173,7 @@ dict({ 'origin': list([ 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "companies_company"."id", @@ -220,6 +221,7 @@ dict({ 'origin': list([ 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "users_user"."id", @@ -307,6 +309,7 @@ 'User.new_approval_blocked_by_waiting_period[users/models.py]', '_check_job_seeker_approval[www/apply/views/submit_views.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "approvals_approval"."id", @@ -342,6 +345,7 @@ 'User.new_approval_blocked_by_waiting_period[users/models.py]', '_check_job_seeker_approval[www/apply/views/submit_views.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "eligibility_eligibilitydiagnosis"."id", @@ -479,6 +483,7 @@ 'User.new_approval_blocked_by_waiting_period[users/models.py]', '_check_job_seeker_approval[www/apply/views/submit_views.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "approvals_poleemploiapproval"."id", 
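Review bot: The new `@check_user(lambda user: user.is_prescriber)` on `prolongation_request_report_file` restricts the caller's kind but not which prolongation request a given prescriber may read; the `get_object_or_404(ProlongationRequest, ...` call that follows is cut off by the hunk, so whether the lookup is scoped to the requesting prescriber's organization cannot be confirmed here, and since the endpoint serves a file selected by `prolongation_request_id` that object-level filter is the check that matters most. The ordering under `@require_safe` is fine: the method restriction runs first, then the kind check. If the lookup is already organization-scoped, a short comment above the decorator stating that the kind check complements the scoped `get_object_or_404` below would save the next reader the same question.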
@@ -518,6 +523,7 @@ 'EligibilityDiagnosisQuerySet.first[/django/db/models/query.py]', 'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "eligibility_eligibilitydiagnosis"."id", @@ -651,6 +657,7 @@ 'EligibilityDiagnosisQuerySet.first[/django/db/models/query.py]', 'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "eligibility_selectedadministrativecriteria"."id", @@ -672,6 +679,7 @@ 'EligibilityDiagnosisManagerFromEligibilityDiagnosisQuerySet.last_considered_valid[eligibility/models/iae.py]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "eligibility_eligibilitydiagnosis"."id", @@ -807,6 +815,7 @@ 'JobSeekerPersonalDataForm.__init__[common_apps/nir/forms.py]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "asp_commune"."id", @@ -828,6 +837,7 @@ 'JobSeekerPersonalDataForm.__init__[common_apps/nir/forms.py]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "asp_country"."id", @@ -845,6 +855,7 @@ 'AcceptForm.__init__[www/apply/forms.py]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "companies_jobdescription"."id", 
@@ -904,6 +915,7 @@ 'ExtendsNode[apply/submit/hire_confirmation.html]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT %s AS "a" @@ -934,6 +946,7 @@ 'ExtendsNode[apply/submit/hire_confirmation.html]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "eligibility_selectedadministrativecriteria"."id", @@ -964,6 +977,7 @@ 'ExtendsNode[apply/submit/hire_confirmation.html]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "asp_commune"."id", @@ -991,6 +1005,7 @@ 'ExtendsNode[apply/submit/hire_confirmation.html]', '_accept[www/apply/views/common.py]', 'hire_confirmation[www/apply/views/submit_views.py]', + '_check_user_view_wrapper[utils/auth.py]', ]), 'sql': ''' SELECT "asp_country"."id",