BTHLABS-83: View association view raises 403 when opened as anonymous

Co-authored-by: Tomek Wójcik <labs@tomekwojcik.pl> Co-committed-by: Tomek Wójcik <labs@tomekwojcik.pl>
2026-03-12 16:26:54 +00:00
parent e2b2455bea
commit c842657766
2 changed files with 31 additions and 4 deletions
--- a/services/backend/hotpocket_backend/apps/ui/views/associations.py
+++ b/services/backend/hotpocket_backend/apps/ui/views/associations.py
@@ -5,6 +5,7 @@ import logging
 import uuid

 from django.contrib import messages
+from django.contrib.auth.views import redirect_to_login
 import django.db
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import redirect, render
@@ -26,7 +27,7 @@ from hotpocket_backend.apps.ui.forms.associations import (
    RefreshForm,
 )
 from hotpocket_backend.apps.ui.services import UIAssociationsService
-from hotpocket_common.constants import NULL_UUID, AssociationsSearchMode
+from hotpocket_common.constants import AssociationsSearchMode
 from hotpocket_soa.dto.associations import (
    AssociationOut,
    AssociationsQuery,
@@ -176,7 +177,9 @@ def view(request: HttpRequest, pk: uuid.UUID) -> HttpResponse:
        if is_share is True:
            account_uuid = None
        else:
-            account_uuid = NULL_UUID
+            return redirect_to_login(
+                reverse('ui.associations.view', args=(pk,)),
+            )
    else:
        if is_share is False:
            account_uuid = request.user.pk
--- a/services/backend/tests/ui/views/associations/test_view.py
+++ b/services/backend/tests/ui/views/associations/test_view.py
@@ -325,7 +325,19 @@ def test_inactive_account(inactive_account_client: Client,
    )

    # Then
-    assert result.status_code == http.HTTPStatus.FORBIDDEN
+    asserts.assertRedirects(
+        result,
+        reverse(
+            'ui.accounts.login',
+            query=[
+                (
+                    'next',
+                    reverse('ui.associations.view', args=(association_out.pk,)),
+                ),
+            ],
+        ),
+        fetch_redirect_response=False,
+    )


@pytest.mark.django_db
@@ -338,4 +350,16 @@ def test_anonymous(client: Client,
    )

    # Then
-    assert result.status_code == http.HTTPStatus.FORBIDDEN
+    asserts.assertRedirects(
+        result,
+        reverse(
+            'ui.accounts.login',
+            query=[
+                (
+                    'next',
+                    reverse('ui.associations.view', args=(association_out.pk,)),
+                ),
+            ],
+        ),
+        fetch_redirect_response=False,
+    )