From 8335b3bd113bbe6b4436b2db265f26f098cb3cd8 Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Wed, 11 May 2016 21:19:25 -0400
Subject: [PATCH] Hard-code an HR auth group for Team Gratipay(!)
---
 tests/py/test_identity_pages.py | 9 +++++++--
 www/~/%username/identities/%country.spt | 7 +++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/tests/py/test_identity_pages.py b/tests/py/test_identity_pages.py
index 0c76276581..7aa5f47166 100644
--- a/tests/py/test_identity_pages.py
+++ b/tests/py/test_identity_pages.py
@@ -7,6 +7,8 @@ class Tests(Harness):
 def setUp(self):
 self.make_participant('alice', claimed_time='now', is_admin=True)
+ self.make_participant('whit537', id=1451, email_address='chad@zetaweb.com',
+ claimed_time='now', is_admin=True)
 self.make_participant('bob', claimed_time='now', email_address='bob@example.com')
 self.verify('bob', 'TT')
@@ -52,8 +54,11 @@ def test_ip_is_403_for_non_admin(self):
 def test_ip_is_200_for_self(self):
 assert self.client.GET('/~bob/identities/TT', auth_as='bob').code == 200
- def test_ip_is_200_for_admin(self):
- assert self.client.GET('/~bob/identities/TT', auth_as='alice').code == 200
+ def test_ip_is_403_for_most_admins(self):
+ assert self.client.GxT('/~bob/identities/TT', auth_as='alice').code == 403
+
+ def test_ip_is_200_for_whit537_yikes(self):
+ assert self.client.GET('/~bob/identities/TT', auth_as='whit537').code == 200
 def test_ip_is_404_for_unknown_code(self):
 assert self.client.GxT('/~bob/identities/XX', auth_as='bob').code == 404
diff --git a/www/~/%username/identities/%country.spt b/www/~/%username/identities/%country.spt
index e86306c9c0..85c0c75d1e 100644
--- a/www/~/%username/identities/%country.spt
+++ b/www/~/%username/identities/%country.spt
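Review bot: In the second hunk of `tests/py/test_identity_pages.py` the new tests pin only the two extremes: an ordinary admin (`alice`) gets 403 and the exact `whit537` fixture gets 200. Nothing here would fail if the three-field comparison in `%country.spt` were later loosened to match on username or email address alone, which is the regression that matters for an identity-document page. I would add a negative case for an admin that shares only one field with the hard-coded tuple, set up in its own fixture because `setUp` already creates id 1451, asserting `self.client.GxT('/~bob/identities/TT', auth_as='partial_match').code == 403` (the participant name is a placeholder). Whether two fixtures may share an email address depends on schema constraints not visible here, and the `Tests` class continues outside the hunk.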
@@ -4,6 +4,13 @@ from gratipay.models.country import Country
 [---]
 participant = get_participant(state, restrict=True)
+# hard-code HR auth group for Team Gratipay O.O
+if participant != user.participant:
+ w = user.participant
+ assert user.ADMIN, w.username # sanity check
+ if (w.id, w.username, w.email_address) != (1451, 'whit537', 'chad@zetaweb.com'):
+ raise Response(403)
+
 # require email
 if not participant.email_address:
 website.redirect('/about/me/emails/')
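Review bot: `assert user.ADMIN, w.username` sits on an access-control path, but an assert is stripped under `python -O` and, when it does fire, raises AssertionError rather than the 403 that the next check returns. The tuple comparison still fails closed without it, so this is not a bypass, but the denial path should be uniform: `if not user.ADMIN: raise Response(403)`. The block also assumes `user.participant` is never None at this point; that depends on what `get_participant(state, restrict=True)` enforces, which is outside the hunk, as is the rest of the simplate. Because username and email address are presumably user-editable, the check effectively rests on `w.id`, and a comment such as `# fail closed: id, username and email must all match` would record that the redundancy is deliberate for whoever replaces this with a real group.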