update tokens and userprofile (#24)

tokens/rules.py

@@ -1,7 +1,20 @@
-"""Permissions configured using django-rules."""
+"""Permissions for the tokens app"""
 
 import rules
 
+# Projectroles dependency
+from projectroles import rules as pr_rules  # To access common predicates
 
-# tokens.access -- Access to the tokens app.
-rules.add_perm('tokens.access', rules.is_active)
+
+# View tokens list
+rules.add_perm('tokens.view_list', rules.is_authenticated)
+
+# Create token
+rules.add_perm(
+    'tokens.create', rules.is_authenticated & pr_rules.is_site_writable
+)
+
+# Delete token
+rules.add_perm(
+    'tokens.delete', rules.is_authenticated & pr_rules.is_site_writable
+)

tokens/tests/test_permissions.py

@@ -13,7 +13,7 @@ class TestTokenPermissions(SiteAppPermissionTestBase):
     """Tests for token view permissions"""
 
     def test_get_list(self):
-        """Test tUserTokenListView GET"""
+        """Test UserTokenListView GET"""
         url = reverse('tokens:list')
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
@@ -25,6 +25,13 @@ def test_get_list_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
 
+    def test_get_list_read_only(self):
+        """Test UserTokenListView GET with site read-only mode"""
+        self.set_site_read_only()
+        url = reverse('tokens:list')
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, self.anonymous, 302)
+
     def test_get_create(self):
         """Test UserTokenCreateView GET"""
         url = reverse('tokens:create')
@@ -38,9 +45,23 @@ def test_get_create_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
 
+    def test_get_create_read_only(self):
+        """Test UserTokenCreateView GET with site read-only mode"""
+        self.set_site_read_only()
+        url = reverse('tokens:create')
+        self.assert_response(url, self.superuser, 200)
+        self.assert_response(url, [self.regular_user, self.anonymous], 302)
+
     def test_get_delete(self):
         """Test UserTokenDeleteView GET"""
         token = AuthToken.objects.create(self.regular_user, None)
         url = reverse('tokens:delete', kwargs={'pk': token[0].pk})
         self.assert_response(url, self.regular_user, 200)
         self.assert_response(url, self.anonymous, 302)
+
+    def test_get_delete_read_only(self):
+        """Test UserTokenDeleteView GET with site read-only mode"""
+        self.set_site_read_only()
+        token = AuthToken.objects.create(self.regular_user, None)
+        url = reverse('tokens:delete', kwargs={'pk': token[0].pk})
+        self.assert_response(url, [self.regular_user, self.anonymous], 302)

tokens/views.py

@@ -21,7 +21,7 @@
 
 class UserTokenListView(LoginRequiredMixin, LoggedInPermissionMixin, ListView):
     model = AuthToken
-    permission_required = 'tokens.access'
+    permission_required = 'tokens.view_list'
     template_name = 'tokens/token_list.html'
 
     def get_queryset(self):
@@ -33,7 +33,7 @@ class UserTokenCreateView(
     LoginRequiredMixin, LoggedInPermissionMixin, FormView
 ):
     form_class = UserTokenCreateForm
-    permission_required = 'tokens.access'
+    permission_required = 'tokens.create'
     template_name = 'tokens/token_create.html'
 
     def form_valid(self, form):
@@ -48,7 +48,7 @@ class UserTokenDeleteView(
     LoginRequiredMixin, LoggedInPermissionMixin, DeleteView
 ):
     model = AuthToken
-    permission_required = 'tokens.access'
+    permission_required = 'tokens.delete'
     template_name = 'tokens/token_confirm_delete.html'
 
     def get_success_url(self):

userprofile/rules.py

@@ -21,15 +21,25 @@ def can_delete_email(user, obj):
 # Permissions ------------------------------------------------------------
 
 
-# Allow viewing user detail
+# Allow viewing user details
 rules.add_perm('userprofile.view_detail', rules.is_authenticated)
 
+# Allow updating settings
+rules.add_perm(
+    'userprofile.update_settings',
+    rules.is_authenticated & pr_rules.is_site_writable,
+)
+
 # Allow creating additional email
 rules.add_perm(
-    'userprofile.create_email', pr_rules.is_source_site & rules.is_authenticated
+    'userprofile.create_email',
+    pr_rules.is_source_site
+    & rules.is_authenticated
+    & pr_rules.is_site_writable,
 )
 
 # Allow deleting additional email
 rules.add_perm(
-    'userprofile.delete_email', pr_rules.is_source_site & can_delete_email
+    'userprofile.delete_email',
+    pr_rules.is_source_site & can_delete_email & pr_rules.is_site_writable,
 )

userprofile/tests/test_permissions.py

@@ -38,6 +38,13 @@ def test_get_profile_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
 
+    def test_get_profile_read_only(self):
+        """Test UserDetailView GET with site read-only mode"""
+        self.set_site_read_only()
+        url = reverse('userprofile:detail')
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, self.anonymous, 302)
+
     def test_get_settings_update(self):
         """Test UserSettingUpdateView GET"""
         url = reverse('userprofile:settings_update')
@@ -51,6 +58,13 @@ def test_get_settings_update_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
 
+    def test_get_settings_update_read_only(self):
+        """Test UserSettingUpdateView GET with site read-only mode"""
+        self.set_site_read_only()
+        url = reverse('userprofile:settings_update')
+        self.assert_response(url, self.superuser, 200)
+        self.assert_response(url, [self.regular_user, self.anonymous], 302)
+
     def test_get_email_create(self):
         """Test UserEmailCreateView GET"""
         url = reverse('userprofile:email_create')
@@ -64,6 +78,13 @@ def test_get_email_create_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
 
+    def test_get_email_create_read_only(self):
+        """Test UserEmailCreateView GET with site read-only mode"""
+        self.set_site_read_only()
+        url = reverse('userprofile:email_create')
+        self.assert_response(url, self.superuser, 200)
+        self.assert_response(url, [self.regular_user, self.anonymous], 302)
+
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_get_email_create_target(self):
         """Test UserEmailCreateView GET as target site"""
@@ -92,6 +113,18 @@ def test_get_email_delete_anon(self):
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, [self.regular_user2, self.anonymous], 302)
 
+    def test_get_email_delete_read_only(self):
+        """Test UserEmailDeleteView GET with site read-only mode"""
+        self.set_site_read_only()
+        email = self.make_email(self.regular_user, ADD_EMAIL)
+        url = reverse(
+            'userprofile:email_delete',
+            kwargs={'sodaruseradditionalemail': email.sodar_uuid},
+        )
+        bad_users = [self.regular_user, self.regular_user2, self.anonymous]
+        self.assert_response(url, self.superuser, 200)
+        self.assert_response(url, bad_users, 302)
+
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_get_email_delete_target(self):
         """Test UserEmailDeleteView GET as target site"""

userprofile/views.py

@@ -109,7 +109,7 @@ class UserSettingsView(
     """User settings update view"""
 
     form_class = UserSettingsForm
-    permission_required = 'userprofile.view_detail'
+    permission_required = 'userprofile.update_settings'
     template_name = 'userprofile/settings_form.html'
     success_url = reverse_lazy('userprofile:detail')