diff --git a/la_chariotte/order/templates/order/grouped_order_detail.html b/la_chariotte/order/templates/order/grouped_order_detail.html
index 09613de..e8ef574 100644
--- a/la_chariotte/order/templates/order/grouped_order_detail.html
+++ b/la_chariotte/order/templates/order/grouped_order_detail.html
@@ -11,7 +11,19 @@

Organisateur·ice : {{ grouped_order.orga }}

Date de livraison : {{ grouped_order.delivery_date }}

- les produits disponibles pour cette commande groupée : + {% if not user.is_authenticated %} +

Vous êtes l'organisateur·ice de cette commande groupée ? + + Connectez-vous pour accéder à la page de gestion +

+ {% endif %} + + {% if user == grouped_order.orga %} + + Page de gestion de la comande groupée + {% endif %} + +

les produits disponibles pour cette commande groupée :

- Retour à la page de commande + Retour à la page de commande
diff --git a/la_chariotte/order/tests/test_views.py b/la_chariotte/order/tests/test_views.py
index a8766e4..b0a5f03 100644
--- a/la_chariotte/order/tests/test_views.py
+++ b/la_chariotte/order/tests/test_views.py
@@ -287,3 +287,60 @@ class TestGroupedOrderDetailView:
 assert item.ordered_nb == 1
 order = Order.objects.first()
 assert order.ordered_items.count() == 1
+
+
+class TestGroupedOrderOrgaView:
+ def test_user_not_logged_redirect(self, client, other_user):
+ """
+ A user that is not logged cannot see the GroupedOrderOrgaView. They get redirected to the login view
+ """
+ grouped_order = create_grouped_order(
+ days_before_delivery_date=5,
+ days_before_deadline=2,
+ name="gr order test",
+ orga_user=other_user,
+ )
+ orga_view_url = reverse(
+ "order:grouped_order_orga",
+ kwargs={
+ "pk": grouped_order.pk,
+ },
+ )
+ assert auth.get_user(client).is_anonymous
+ response = client.get(orga_view_url)
+ assert response.status_code == 302
+ assert response.url.startswith(reverse("login"))
+ assert response.url.endswith(
+ reverse(
+ "order:grouped_order_orga",
+ kwargs={
+ "pk": grouped_order.pk,
+ },
+ )
+ )
+
+ def test_user_not_orga_redirect(self, client_log, other_user):
+ """
+ A user that is not orga cannot see the GroupedOrderOrgaView.
+ They get a 403 forbidden error
+ """
+ grouped_order = create_grouped_order(
+ days_before_delivery_date=5,
+ days_before_deadline=2,
+ name="gr order test",
+ orga_user=other_user,
+ )
+ orga_view_url = reverse(
+ "order:grouped_order_orga",
+ kwargs={
+ "pk": grouped_order.pk,
+ },
+ )
+ detail_view_url = reverse(
+ "order:grouped_order_detail",
+ kwargs={
+ "pk": grouped_order.pk,
+ },
+ )
+ response = client_log.get(orga_view_url)
+ assert response.status_code == 403
diff --git a/la_chariotte/order/views.py b/la_chariotte/order/views.py
index 2f3cd43..e6d4f68 100644
--- a/la_chariotte/order/views.py
+++ b/la_chariotte/order/views.py
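Review bot: The new link label `Page de gestion de la comande groupée` misspells "commande"; it should read `Page de gestion de la commande groupée`. The `{% if user == grouped_order.orga %}` guard only decides whether the link is shown, so it is a convenience rather than an access control; the organizer-only restriction has to hold in the view itself, which this commit does through `test_func` in views.py. The link markup is not visible in this rendering, so the targets of the two new links cannot be checked from here.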
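Review bot: `TestGroupedOrderOrgaView` covers only the two deny paths, so a `test_func` that rejected every user would still pass; a test that the organizer can reach the page is missing. In `test_user_not_orga_redirect`, `detail_view_url` is built but never used, and the name says "redirect" while the assertion is a 403, so drop the variable and rename the test to something like `test_user_not_orga_forbidden`. The sketch below assumes `client` is the Django test client (its use with `auth.get_user` suggests so) and that the organizer page renders with a 200.

```python
    # … unchanged: test_user_not_logged_redirect, test_user_not_orga_redirect …

    def test_orga_can_access(self, client, other_user):
        """The organizer of the grouped order can open the management page"""
        grouped_order = create_grouped_order(
            days_before_delivery_date=5,
            days_before_deadline=2,
            name="gr order test",
            orga_user=other_user,
        )
        client.force_login(other_user)
        response = client.get(
            reverse("order:grouped_order_orga", kwargs={"pk": grouped_order.pk})
        )
        assert response.status_code == 200
```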
@@ -1,4 +1,4 @@
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, render
 from django.urls import reverse, reverse_lazy
@@ -58,11 +58,16 @@ class GroupedOrderDetailView(generic.DetailView):
 context_object_name = "grouped_order"
-class GroupedOrderOrgaView(generic.DetailView):
+class GroupedOrderOrgaView(UserPassesTestMixin, generic.DetailView):
 """Overview of a grouped order, for the organizer"""
 model = GroupedOrder
 template_name = "order/grouped_order_orga.html"
+ context_object_name = "grouped_order"
+
+ def test_func(self):
+ """Accessible only if the requesting user is the grouped order organizer"""
+ return self.get_object().orga == self.request.user
 def order(
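Review bot: `test_func` in `GroupedOrderOrgaView` calls `self.get_object()` before any authentication check, so an unknown pk raises a 404 for anonymous visitors instead of the login redirect, and the lookup is presumably repeated when `DetailView.get()` fetches the object again. Neither looks serious here, since the detail view of the same order appears to be public, but the behaviour deserves a comment such as `# anonymous users never equal orga: they get the login redirect, other logged-in users get 403`. Keep the comparison on the user objects rather than on ids: if `orga` can be null, an id comparison would match an anonymous user's `None` id. If the second query matters, cache the object in an overridden `get_object`. The `def order(` line that closes the hunk starts a function whose body lies outside it.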