Invite perms checks

This commit is contained in:
Mouse Reeve 2022-09-19 10:26:40 -07:00
parent 1e988cae6c
commit 9d8d85ebc1
3 changed files with 17 additions and 3 deletions

View file

@ -146,6 +146,13 @@ class SiteInvite(models.Model):
user = models.ForeignKey(User, on_delete=models.CASCADE)
invitees = models.ManyToManyField(User, related_name="invitees")
# pylint: disable=no-self-use
def raise_not_editable(self, viewer):
"""Admins only"""
if viewer.has_perm("bookwyrm.create_invites"):
return
raise PermissionDenied()
def valid(self):
"""make sure it hasn't expired or been used"""
return (self.expiry is None or self.expiry > timezone.now()) and (
@ -169,6 +176,12 @@ class InviteRequest(BookWyrmModel):
invite_sent = models.BooleanField(default=False)
ignored = models.BooleanField(default=False)
def raise_not_editable(self, viewer):
"""Only check perms on edit, not create"""
if not self.id or viewer.has_perm("bookwyrm.create_invites"):
return
raise PermissionDenied()
def save(self, *args, **kwargs):
"""don't create a request for a registered email"""
if not self.id and User.objects.filter(email=self.email).exists():

View file

@ -14,6 +14,7 @@ from bookwyrm.tests.validate_html import validate_html
class InviteViews(TestCase):
"""every response to a get request, html or json"""
# pylint: disable=invalid-name
def setUp(self):
"""we need basic test data and mocks"""
self.factory = RequestFactory()

View file

@ -52,9 +52,9 @@ class ManageInvites(View):
if not form.is_valid():
return HttpResponseBadRequest(f"ERRORS: {form.errors}")
invite = form.save(commit=False)
invite = form.save(request, commit=False)
invite.user = request.user
invite.save()
invite.save(request)
paginated = Paginator(
models.SiteInvite.objects.filter(user=request.user).order_by(
@ -170,7 +170,7 @@ class InviteRequest(View):
received = False
if form.is_valid():
received = True
form.save()
form.save(request)
data = {"request_form": form, "request_received": received}
return TemplateResponse(request, "landing/landing.html", data)