tomekwojcik/hotpocket
1
0
Fork 0
Code Actions Releases 19 Wiki Activity

BTHLABS-83: View association view raises 403 when opened as anonymous

Browse Source 
Co-authored-by: Tomek Wójcik <labs@tomekwojcik.pl>
Co-committed-by: Tomek Wójcik <labs@tomekwojcik.pl>
This commit is contained in:
Tomek Wójcik
2026-03-12 16:26:54 +00:00
committed by Tomek Wójcik
parent e2b2455bea
commit c842657766
2 changed files with 31 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
services/backend/hotpocket_backend/apps/ui/views/associations.py
View File

@@ -5,6 +5,7 @@ import logging
import uuid import uuid
from django.contrib import messages from django.contrib import messages
from django.contrib.auth.views import redirect_to_login
import django.db import django.db
from django.http import HttpRequest, HttpResponse, JsonResponse from django.http import HttpRequest, HttpResponse, JsonResponse
from django.shortcuts import redirect, render from django.shortcuts import redirect, render
@@ -26,7 +27,7 @@ from hotpocket_backend.apps.ui.forms.associations import (
RefreshForm, RefreshForm,
) )
from hotpocket_backend.apps.ui.services import UIAssociationsService from hotpocket_backend.apps.ui.services import UIAssociationsService
from hotpocket_common.constants import NULL_UUID, AssociationsSearchMode from hotpocket_common.constants import AssociationsSearchMode
from hotpocket_soa.dto.associations import ( from hotpocket_soa.dto.associations import (
AssociationOut, AssociationOut,
AssociationsQuery, AssociationsQuery,
@@ -176,7 +177,9 @@ def view(request: HttpRequest, pk: uuid.UUID) -> HttpResponse:
if is_share is True: if is_share is True:
account_uuid = None account_uuid = None
else: else:
account_uuid = NULL_UUID return redirect_to_login(
reverse('ui.associations.view', args=(pk,)),
)
else: else:
if is_share is False: if is_share is False:
account_uuid = request.user.pk account_uuid = request.user.pk

28
services/backend/tests/ui/views/associations/test_view.py
View File

@@ -325,7 +325,19 @@ def test_inactive_account(inactive_account_client: Client,
) )
# Then # Then
assert result.status_code == http.HTTPStatus.FORBIDDEN asserts.assertRedirects(
result,
reverse(
'ui.accounts.login',
query=[
(
'next',
reverse('ui.associations.view', args=(association_out.pk,)),
),
],
),
fetch_redirect_response=False,
)
@pytest.mark.django_db @pytest.mark.django_db
@@ -338,4 +350,16 @@ def test_anonymous(client: Client,
) )
# Then # Then
assert result.status_code == http.HTTPStatus.FORBIDDEN asserts.assertRedirects(
result,
reverse(
'ui.accounts.login',
query=[
(
'next',
reverse('ui.associations.view', args=(association_out.pk,)),
),
],
),
fetch_redirect_response=False,
)