Merge pull request #1012 from ae-utbm/fix-counter-access

Fix office counter access
ae-utbm · Jan 23, 2025 · 18967cf · 18967cf
2 parents c555d5c + 14ed43a
commit 18967cf
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 7 deletions.
diff --git a/counter/tests/test_counter.py b/counter/tests/test_counter.py
@@ -937,13 +937,23 @@ def test_logged_in_without_rights(self):
         assert res.status_code == 403
 
     def test_board_member(self):
+        """By default, board members should be able to click on office counters"""
         baker.make(Membership, club=self.counter.club, user=self.user, role=3)
         self.client.force_login(self.user)
         res = self.client.get(self.click_url)
         assert res.status_code == 200
 
     def test_barman(self):
+        """Sellers should be able to click on office counters"""
         self.counter.sellers.add(self.user)
         self.client.force_login(self.user)
         res = self.client.get(self.click_url)
-        assert res.status_code == 403
+        assert res.status_code == 200
+
+    def test_both_barman_and_board_member(self):
+        """If the user is barman and board member, he should be authorized as well."""
+        self.counter.sellers.add(self.user)
+        baker.make(Membership, club=self.counter.club, user=self.user, role=3)
+        self.client.force_login(self.user)
+        res = self.client.get(self.click_url)
+        assert res.status_code == 200
diff --git a/counter/views/click.py b/counter/views/click.py
@@ -142,15 +142,16 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
     """
 
     model = Counter
-    queryset = Counter.objects.annotate_is_open()
+    queryset = (
+        Counter.objects.exclude(type="EBOUTIC")
+        .annotate_is_open()
+        .select_related("club")
+    )
     form_class = BasketForm
     template_name = "counter/counter_click.jinja"
     pk_url_kwarg = "counter_id"
     current_tab = "counter"
 
-    def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()
-
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
         kwargs["form_kwargs"] = {
@@ -168,9 +169,15 @@ def dispatch(self, request, *args, **kwargs):
             return redirect(obj)  # Redirect to counter
 
         if obj.type == "OFFICE" and (
-            obj.sellers.filter(pk=request.user.pk).exists()
-            or not obj.club.has_rights_in_club(request.user)
+            request.user.is_anonymous
+            or not (
+                obj.sellers.contains(request.user)
+                or obj.club.has_rights_in_club(request.user)
+            )
         ):
+            # To be able to click on an office counter,
+            # a user must either be in the board of the club that own the counter
+            # or a seller of this counter.
             raise PermissionDenied
 
         if obj.type == "BAR" and (