Fixed tests plus smarter implementation of #30

simonw · simonw · commit cae1050f3a0f · 2021-05-16T11:45:44.000-07:00
diff --git a/django_sql_dashboard/views.py b/django_sql_dashboard/views.py
@@ -6,7 +6,7 @@
 from urllib.parse import urlencode
 
 from django.conf import settings
-from django.contrib.auth.decorators import permission_required
+from django.contrib.auth.decorators import login_required
 from django.db import connections
 from django.db.utils import ProgrammingError
 from django.forms import CharField, ModelForm, Textarea
@@ -53,8 +53,10 @@ class Meta:
         }
 
 
-@permission_required("django_sql_dashboard.execute_sql", raise_exception=True)
+@login_required
 def dashboard_index(request):
+    if not request.user.has_perm("django_sql_dashboard.execute_sql"):
+        return HttpResponseForbidden("You do not have permission to execute SQL")
     sql_queries = []
     too_long_so_use_post = False
     save_form = SaveDashboardForm(prefix="_save")
diff --git a/test_project/test_dashboard_permissions.py b/test_project/test_dashboard_permissions.py
@@ -6,19 +6,12 @@
 from django_sql_dashboard.models import Dashboard
 
 
-def test_anonymous_users_denied(client):
+def test_anonymous_user_redirected_to_login(client):
     response = client.get("/dashboard/?sql=select+1")
     assert response.status_code == 302
     assert response.url == "/accounts/login/?next=/dashboard/%3Fsql%3Dselect%2B1"
 
 
-def test_user_without_permission_gets_403(client, dashboard_db):
-    user = User.objects.create(username="noperm", is_active=True, is_staff=True)
-    client.force_login(user)
-    response = client.get("/dashboard/")
-    assert response.status_code == 403
-
-
 def test_superusers_allowed(admin_client, dashboard_db):
     response = admin_client.get("/dashboard/")
     assert response.status_code == 200
@@ -38,9 +31,9 @@ def test_must_have_execute_sql_permission(
     staff_with_permission.user_permissions.add(execute_sql_permission)
     assert staff_with_permission.has_perm("django_sql_dashboard.execute_sql")
     client.force_login(not_staff)
-    assert client.get("/dashboard/").status_code == 302
+    assert client.get("/dashboard/").status_code == 403
     client.force_login(staff_no_permisssion)
-    assert client.get("/dashboard/").status_code == 302
+    assert client.get("/dashboard/").status_code == 403
     client.force_login(staff_with_permission)
     assert client.get("/dashboard/").status_code == 200
 
