Merge pull request #2752 from dandi/dashboard-required-perm

Update dashboard permissions

Author: jjnesbitt

dandiapi/api/tests/test_dashboard.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+import pytest
+
+from dandiapi.api.tests.factories import UserFactory
+
+
+@pytest.mark.parametrize(
+    ('is_staff', 'is_superuser'),
+    [
+        (False, False),
+        (False, True),
+        (True, False),
+        (True, True),
+    ],
+)
+@pytest.mark.django_db
+def test_dashboard_access(api_client, is_staff, is_superuser):
+    user = UserFactory.create(is_staff=is_staff, is_superuser=is_superuser)
+    api_client.force_login(user)
+    resp = api_client.get('/dashboard/')
+
+    should_pass = is_staff or is_superuser
+    assert resp.status_code == (200 if should_pass else 403)
+
+
+@pytest.mark.django_db
+def test_dashboard_access_unauthenticated(api_client):
+    resp = api_client.get('/dashboard/')
+    assert resp.status_code == 302
+
+
+@pytest.mark.parametrize(
+    ('is_staff', 'is_superuser'),
+    [
+        (False, False),
+        (False, True),
+        (True, False),
+        (True, True),
+    ],
+)
+@pytest.mark.django_db
+def test_user_approval_access(api_client, is_staff, is_superuser):
+    user = UserFactory.create(is_staff=is_staff, is_superuser=is_superuser)
+    api_client.force_login(user)
+
+    other_user = UserFactory.create()
+    resp = api_client.get(f'/dashboard/user/{other_user.username}/')
+
+    should_pass = is_staff or is_superuser
+    assert resp.status_code == (200 if should_pass else 403)
+
+
+@pytest.mark.django_db
+def test_user_approval_access_unauthenticated(api_client):
+    other_user = UserFactory.create()
+    resp = api_client.get(f'/dashboard/user/{other_user.username}/')
+    assert resp.status_code == 302
+
+
+@pytest.mark.parametrize(
+    ('is_staff', 'is_superuser'),
+    [
+        (False, False),
+        (False, True),
+        (True, False),
+        (True, True),
+    ],
+)
+@pytest.mark.django_db
+def test_mailchimp_view_access(api_client, is_staff, is_superuser):
+    user = UserFactory.create(is_staff=is_staff, is_superuser=is_superuser)
+    api_client.force_login(user)
+
+    resp = api_client.get('/dashboard/mailchimp/')
+
+    should_pass = is_staff or is_superuser
+    assert resp.status_code == (200 if should_pass else 403)
+
+
+@pytest.mark.django_db
+def test_mailchimp_view_access_unauthenticated(api_client):
+    resp = api_client.get('/dashboard/mailchimp/')
+    assert resp.status_code == 403

dandiapi/api/views/dashboard.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import csv
+import typing
 from typing import TYPE_CHECKING
 
 from django.conf import settings
@@ -25,7 +26,8 @@
 
 class DashboardMixin(LoginRequiredMixin, UserPassesTestMixin):
     def test_func(self):
-        return self.request.user.is_superuser
+        user = typing.cast('User', self.request.user)
+        return user.is_staff or user.is_superuser
 
 
 class DashboardView(DashboardMixin, TemplateView):
@@ -87,6 +89,10 @@ def _users(self):
 
 def mailchimp_csv_view(request: HttpRequest) -> StreamingHttpResponse:
     """Generate a Mailchimp-compatible CSV file of all active users."""
+    # If they are authenticated but are not a superuser or staff, deny access
+    if not (request.user.is_superuser or request.user.is_staff):
+        raise PermissionDenied
+
     # Exclude the django-guardian anonymous user account.
     users = User.objects.filter(metadata__status=UserMetadata.Status.APPROVED).exclude(
         username='AnonymousUser'
@@ -125,8 +131,8 @@ def user_approval_view(request: HttpRequest, username: str):
     if not request.user.is_authenticated:
         return HttpResponseRedirect(redirect_to=f'{settings.LOGIN_URL}?next={request.path}')
 
-    # If they are authenticated but are not a superuser, deny access
-    if not request.user.is_superuser:
+    # If they are authenticated but are not a superuser or staff, deny access
+    if not (request.user.is_superuser or request.user.is_staff):
         raise PermissionDenied
 
     user: User = get_object_or_404(User.objects.select_related('metadata'), username=username)