Use raise_exception option of permission_required everywhere

MatMoore · MatMoore · commit 17156b42cae1 · 2026-03-10T11:39:19.000Z
We now have friendly error pages, including one for 403 errors.

Previously, if the user wasn't permitted to do something, they would be
redirected back to login without an explanation. This is confusing
for users, so let's show the error page instead.

Note: in most cases we should not be linking to something the user
cannot access, but I'm aware of at least 1 bug where we are,
and hopefully this will make it more obvious what needs fixing.
diff --git a/manage_breast_screening/mammograms/tests/views/test_appointment_workflow_views.py b/manage_breast_screening/mammograms/tests/views/test_appointment_workflow_views.py
@@ -11,7 +11,6 @@
     assertRedirects,
 )
 
-from manage_breast_screening.config.settings import LOGIN_URL
 from manage_breast_screening.core.models import AuditLog
 from manage_breast_screening.dicom.models import Study as DicomStudy
 from manage_breast_screening.dicom.tests.factories import (
@@ -532,7 +531,7 @@ def test_user_not_permitted(self, administrative_user_client):
         )
         url = reverse("mammograms:start_appointment", kwargs={"pk": appointment.pk})
         response = administrative_user_client.http.post(url)
-        assertRedirects(response, reverse(LOGIN_URL, query={"next": url}))
+        assert response.status_code == 403
 
 
 @pytest.mark.django_db
@@ -792,7 +791,7 @@ def test_user_not_permitted(self, administrative_user_client, paused_appointment
             "mammograms:resume_appointment", kwargs={"pk": paused_appointment.pk}
         )
         response = administrative_user_client.http.post(url)
-        assertRedirects(response, reverse(LOGIN_URL, query={"next": url}))
+        assert response.status_code == 403
 
 
 @pytest.mark.django_db
diff --git a/manage_breast_screening/mammograms/views/appointment_workflow_views.py b/manage_breast_screening/mammograms/views/appointment_workflow_views.py
@@ -306,7 +306,7 @@ def check_in(request, pk):
 
 
 @require_http_methods(["POST"])
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def start_appointment(request, pk):
     try:
         provider = request.user.current_provider
@@ -320,7 +320,7 @@ def start_appointment(request, pk):
 
 
 @require_http_methods(["POST"])
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def resume_appointment(request, pk):
     try:
         provider = request.user.current_provider
diff --git a/manage_breast_screening/mammograms/views/mammogram_views.py b/manage_breast_screening/mammograms/views/mammogram_views.py
@@ -40,7 +40,7 @@
 logger = logging.getLogger(__name__)
 
 
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def appointment_should_not_proceed(
     request, appointment_pk, participant_reported_mammogram_pk
 ):
@@ -103,7 +103,7 @@ def appointment_should_not_proceed(
 
 
 @require_http_methods(["POST"])
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def attended_not_screened(request, appointment_pk):
     provider = request.user.current_provider
     try:
@@ -125,6 +125,7 @@ class AppointmentProceedAnywayView(
     template_name = "mammograms/proceed_anyway.jinja"
     thing_name = "a previous mammogram"
     permission_required = Permission.DO_MAMMOGRAM_APPOINTMENT
+    raise_exception = True
 
     def update_title(self, thing_name):
         return "You are continuing despite a recent mammogram"
@@ -188,7 +189,7 @@ def get_context_data(self, **kwargs):
 
 
 @require_http_methods(["GET"])
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def check_information(request, pk):
     provider = request.user.current_provider
     try:
@@ -216,7 +217,7 @@ def check_information(request, pk):
 
 
 @require_http_methods(["POST"])
-@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT)
+@permission_required(Permission.DO_MAMMOGRAM_APPOINTMENT, raise_exception=True)
 def complete_screening(request, pk):
     provider = request.user.current_provider
     try:
diff --git a/manage_breast_screening/mammograms/views/mixins.py b/manage_breast_screening/mammograms/views/mixins.py
@@ -77,6 +77,7 @@ class InProgressAppointmentMixin(PermissionRequiredMixin, AppointmentMixin):
     """
 
     permission_required = Permission.DO_MAMMOGRAM_APPOINTMENT
+    raise_exception = True
 
     def dispatch(self, request, *args, **kwargs):
         appointment = self.appointment  # type: ignore

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@`
`11`	`11`	`assertRedirects,`
`12`	`12`	`)`
`13`	`13`
`14`		`-from manage_breast_screening.config.settings import LOGIN_URL`
`15`	`14`	`from manage_breast_screening.core.models import AuditLog`
`16`	`15`	`from manage_breast_screening.dicom.models import Study as DicomStudy`
`17`	`16`	`from manage_breast_screening.dicom.tests.factories import (`
`@@ -532,7 +531,7 @@ def test_user_not_permitted(self, administrative_user_client):`
`532`	`531`	`)`
`533`	`532`	`url = reverse("mammograms:start_appointment", kwargs={"pk": appointment.pk})`
`534`	`533`	`response = administrative_user_client.http.post(url)`
`535`		`- assertRedirects(response, reverse(LOGIN_URL, query={"next": url}))`
	`534`	`+ assert response.status_code == 403`
`536`	`535`
`537`	`536`
`538`	`537`	`@pytest.mark.django_db`
`@@ -792,7 +791,7 @@ def test_user_not_permitted(self, administrative_user_client, paused_appointment`
`792`	`791`	`"mammograms:resume_appointment", kwargs={"pk": paused_appointment.pk}`
`793`	`792`	`)`
`794`	`793`	`response = administrative_user_client.http.post(url)`
`795`		`- assertRedirects(response, reverse(LOGIN_URL, query={"next": url}))`
	`794`	`+ assert response.status_code == 403`
`796`	`795`
`797`	`796`
`798`	`797`	`@pytest.mark.django_db`