Require auth for saved dashboards too, fixes #37

simonw · Mar 16, 2021 · 678576c · 678576c
1 parent 831bd76
commit 678576c
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 8 deletions.
diff --git a/conftest.py b/conftest.py
@@ -2,7 +2,7 @@
 
 
 @pytest.fixture
-def dashboard_db(settings):
+def dashboard_db(settings, db):
     settings.DATABASES["dashboard"]["OPTIONS"] = {
         "options": "-c default_transaction_read_only=on -c statement_timeout=100"
     }
diff --git a/django_sql_dashboard/views.py b/django_sql_dashboard/views.py
@@ -164,6 +164,7 @@ def _dashboard_index(
     )
 
 
+@permission_required("django_sql_dashboard.execute_sql")
 def dashboard(request, slug):
     dashboard = get_object_or_404(Dashboard, slug=slug)
     return _dashboard_index(

diff --git a/test_project/test_dashboard.py b/test_project/test_dashboard.py
@@ -21,19 +21,15 @@ def test_dashboard_submit_sql(admin_client, dashboard_db):
 
 
 def test_saved_dashboard(client, admin_client, dashboard_db):
-    assert client.get("/dashboard/test/").status_code == 404
+    assert admin_client.get("/dashboard/test/").status_code == 404
     dashboard = Dashboard.objects.create(slug="test")
     dashboard.queries.create(sql="select 11 + 33")
     dashboard.queries.create(sql="select 22 + 55")
-    response = client.get("/dashboard/test/")
+    response = admin_client.get("/dashboard/test/")
     assert response.status_code == 200
     assert b"44" in response.content
     assert b"77" in response.content
-    # The admin user should get >count< links, but anon should not
-    assert b">count<" not in response.content
-    admin_response = admin_client.get("/dashboard/test/")
-    assert admin_response.status_code == 200
-    assert b">count<" in admin_response.content
+    assert b">count<" in response.content
 
 
 def test_many_long_column_names(admin_client, dashboard_db):

diff --git a/test_project/test_dashboard_permissions.py b/test_project/test_dashboard_permissions.py
@@ -1,4 +1,5 @@
 from django.contrib.auth.models import Permission
+from django_sql_dashboard.models import Dashboard
 
 
 def test_anonymous_users_denied(client):
@@ -34,3 +35,19 @@ def test_must_have_execute_sql_permission(client, django_user_model, dashboard_d
     assert client.get("/dashboard/").status_code == 302
     client.force_login(staff_with_permission)
     assert client.get("/dashboard/").status_code == 200
+
+
+def test_saved_dashboard_anonymous_users_denied(client, dashboard_db):
+    dashboard = Dashboard.objects.create(slug="test")
+    dashboard.queries.create(sql="select 11 + 34")
+    response = client.get("/dashboard/test/")
+    assert response.status_code == 302
+    assert response.url == "/accounts/login/?next=/dashboard/test/"
+
+
+def test_saved_dashboard_superusers_allowed(admin_client, dashboard_db):
+    dashboard = Dashboard.objects.create(slug="test")
+    dashboard.queries.create(sql="select 11 + 34")
+    response = admin_client.get("/dashboard/test/")
+    assert response.status_code == 200
+    assert b"45" in response.content