From b2956e42d3540634a28acc6f1b7b492cfa999a45 Mon Sep 17 00:00:00 2001
From: Marie PUPO JEAMMET
Date: Wed, 6 Mar 2024 16:06:59 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82(abilities)=20fix=20anonymous=20and?= =?UTF-8?q?=20unrelated=20users=20accessing=20resources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The function computing abilities return "True" for method get, even if role of request user was None.
---
 src/backend/core/models.py | 2 +-
 src/backend/core/tests/test_models_teams.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/backend/core/models.py b/src/backend/core/models.py
index a2d46dc..ddc9983 100644
--- a/src/backend/core/models.py
+++ b/src/backend/core/models.py
@@ -355,7 +355,7 @@ class Team(BaseModel):
 is_owner_or_admin = role in [RoleChoices.OWNER, RoleChoices.ADMIN]
 return {
- "get": True,
+ "get": bool(role),
 "patch": is_owner_or_admin,
 "put": is_owner_or_admin,
 "delete": role == RoleChoices.OWNER,
diff --git a/src/backend/core/tests/test_models_teams.py b/src/backend/core/tests/test_models_teams.py
index dfc6008..05ab0cb 100644
--- a/src/backend/core/tests/test_models_teams.py
+++ b/src/backend/core/tests/test_models_teams.py
@@ -62,7 +62,7 @@ def test_models_teams_get_abilities_anonymous():
 abilities = team.get_abilities(AnonymousUser())
 assert abilities == {
 "delete": False,
- "get": True,
+ "get": False,
 "patch": False,
 "put": False,
 "manage_accesses": False,
@@ -75,7 +75,7 @@ def test_models_teams_get_abilities_authenticated():
 abilities = team.get_abilities(factories.UserFactory())
 assert abilities == {
 "delete": False,
- "get": True,
+ "get": False,
 "patch": False,
 "put": False,
 "manage_accesses": False,
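Review bot: `"get": bool(role)` gates read access on the truthiness of the role value rather than on whether the requester holds a role at all; if any RoleChoices member is ever a falsy value (an empty string or 0), a legitimate member silently loses read access, and the intent reads more directly as `"get": role is not None,`. The lines that compute `role` sit above the hunk in `get_abilities`, so I cannot confirm from here that anonymous and unrelated users receive `None` rather than another sentinel — worth checking against that code before relying on the boolean. Because this dict is the authorization decision the commit is fixing, a one-line comment such as `# read access requires a membership role; None means no relation to this team` would record why `get` is no longer unconditionally True. If the API permission class does not consult these abilities for retrieve/list actions, the same condition has to be enforced there as well, since this model method alone would then not stop the read.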
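Review bot: After this change the anonymous test and the authenticated-but-unrelated test assert the identical abilities dict, so neither exercises the positive side of the new `bool(role)` condition; unless a sibling test outside these hunks already asserts `"get": True` for a user holding a role, a regression that makes `role` falsy for members would pass unnoticed. The same observation applies to the second hunk in this file at `@@ -75,7 +75,7 @@`. In both tests the team fixture is created above the hunk, so I cannot see whether any access is attached to it there.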