Correctly check for permissions on user owned petitions for signature…

… related views
pytition · Jun 10, 2020 · 9785fcb · 9785fcb
1 parent ab2499a
commit 9785fcb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/pytition/petition/tests/tests_SignatureViews.py b/pytition/petition/tests/tests_SignatureViews.py
@@ -162,8 +162,8 @@ def test_show_signatures_post_deleteKONoRightsUser(self):
             'signature_id': [sid],
         }
         response = self.client.post(reverse("show_signatures", args=[pid]), data, follow=True)
-        self.assertRedirects(response, reverse("show_signatures", args=[pid]))
-        self.assertTemplateUsed(response, "petition/signature_data.html")
+        self.assertRedirects(response, reverse("user_dashboard"))
+        self.assertTemplateUsed(response, "petition/user_dashboard.html")
         s = Signature.objects.get(pk=sid)
         self.assertEquals(s.id, sid) # dummy test, we just want the previous line not to raise a DoesNotExist exception
         messages = response.context['messages']

diff --git a/pytition/petition/views.py b/pytition/petition/views.py
@@ -197,8 +197,9 @@ def get_csv_signature(request, petition_id, only_confirmed):
     except Petition.DoesNotExist:
         return JsonResponse({}, status=404)
 
-    if petition.owner_type == "org":
-        if not petition.org.is_allowed_to(user, "can_view_signatures"):
+    if petition.owner_type == "org" and not petition.org.is_allowed_to(user, "can_view_signatures"):
+            return JsonResponse({}, status=403)
+    elif petition.owner_type == "user" and petition.owner != user:
             return JsonResponse({}, status=403)
 
     filename = '{}.csv'.format(petition)
@@ -1310,6 +1311,9 @@ def show_signatures(request, petition_id):
 
     if petition.owner_type == "user":
         base_template = 'petition/user_base.html'
+        if petition.user != pytitionuser:
+            messages.error(request, _("You are not allowed to view this petition's signatures."))
+            return redirect("user_dashboard")
     else:
         org = petition.org
         base_template = 'petition/org_base.html'
@@ -1345,10 +1349,7 @@ def show_signatures(request, petition_id):
                         else:
                             failed = True
                     else: # Petition is owned by a user, we check it's the one asking for deletion
-                        if pet.user == pytitionuser:
-                            s.delete()
-                        else:
-                            failed = True
+                        s.delete()
                 if failed:
                     messages.error(request, _("You don't have permission to delete some or all of selected signatures"))
                 else: