diff --git a/hypha/apply/users/tests/test_views.py b/hypha/apply/users/tests/test_views.py
index a1bea58c49ca8ad035a910cffa32cff44a35c8e3..52f70dbc6a04496f6f46c8ffa2c638bcf0fe9ade 100644
--- a/hypha/apply/users/tests/test_views.py
+++ b/hypha/apply/users/tests/test_views.py
@@ -74,9 +74,9 @@ class TestBecome(TestCase):
         response = self.client.post(url, {'user_pk': target.pk}, follow=True, secure=True)
         return response
 
-    def test_staff_can_become_user(self):
+    def test_staff_cannot_become_user(self):
         response = self.become_request(self.staff, self.user)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 403)
 
     def test_staff_cannot_become_superuser(self):
         response = self.become_request(self.staff, self.superuser)
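Review bot: The new 404 branch in `become()` for `HIJACK_ENABLE = False` has no test in this hunk, and the test settings in this same diff force `HIJACK_ENABLE = True`, so it is never exercised. A case along the lines of `@override_settings(HIJACK_ENABLE=False)` on a test that calls `self.become_request(self.superuser, self.user)` and asserts `response.status_code == 404` would cover it; the route is built at urls.py import time, so it should still resolve under the override and the view's own check is what gets tested. If there is no existing test that a superuser still gets a 200 from this endpoint, it is worth adding alongside, since the permission check changed from `is_apply_staff` to `is_superuser`. TestBecome continues outside the hunk.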
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 94bc9bb2ff835b4cdd36f589eafe7aeab3d1983b..53273023e6ec5e9573f0e2f3d35bf975cd517a9b 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.contrib.auth import views as auth_views
 from django.urls import include, path, reverse_lazy
 
@@ -37,7 +38,6 @@ public_urlpatterns = [
 urlpatterns = [
     path('account/', include([
         path('', AccountView.as_view(), name='account'),
-        path('become/', become, name='become'),
         path('password/', include([
             path('', EmailChangePasswordView.as_view(), name='email_change_confirm_password'),
             path(
@@ -94,3 +94,8 @@ urlpatterns = [
         path('oauth', oauth, name='oauth'),
     ])),
 ]
+
+if settings.HIJACK_ENABLE:
+    urlpatterns += [
+        path('account/become/', become, name='become'),
+    ]
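Review bot: Registering `users:become` only when `HIJACK_ENABLE` is set means `reverse('users:become')` or `{% url 'users:become' %}` raises NoReverseMatch on any deployment with the flag off; the account view now builds `BecomeUserForm` under the same flag, but any template or code that references the URL name unconditionally will break rather than 404. Since `become()` itself already raises `Http404` when the flag is off, keeping the route registered unconditionally (as it was inside the `account/` include) and relying on the view check would avoid that failure mode. If the conditional registration is intentional, a comment such as `# Route is absent (not just 404) when hijack is disabled; guard every reverse('users:become') behind HIJACK_ENABLE.` would document the contract, and note that the setting is read once at import, so `override_settings` in tests will not add or remove the route.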
diff --git a/hypha/apply/users/views.py b/hypha/apply/users/views.py
index 6bf3241b353e8be114120cc3ad00fb8d7cccfa76..1cf30f5270d6a60d6c68264acca9a2a42837ae97 100644
--- a/hypha/apply/users/views.py
+++ b/hypha/apply/users/views.py
@@ -89,7 +89,7 @@ class AccountView(UpdateView):
         return reverse_lazy('users:account')
 
     def get_context_data(self, **kwargs):
-        if self.request.user.is_superuser:
+        if self.request.user.is_superuser and settings.HIJACK_ENABLE:
             swappable_form = BecomeUserForm()
         else:
             swappable_form = None
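Review bot: `settings` is referenced on the new line, but this diff adds `from django.conf import settings` only to urls.py, not to views.py; if views.py does not already import it, this line and the `become()` hunk below fail with NameError at request time rather than at import. The same applies to `Http404` and `_` used in the `become()` hunk, none of which appear in an added import here. If any of these is missing, the fix is a single import line at the top of views.py. get_context_data continues outside the hunk.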
@@ -159,7 +159,10 @@ class EmailChangeDoneView(TemplateView):
 
 @login_required()
 def become(request):
-    if not request.user.is_apply_staff:
+    if not settings.HIJACK_ENABLE:
+        raise Http404(_('Hijack feature is not enabled.'))
+
+    if not request.user.is_superuser:
         raise PermissionDenied()
 
     id = request.POST.get('user_pk')
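Review bot: The view reads `request.POST` but nothing visible restricts the HTTP method; only `@login_required()` is applied, so a GET to this impersonation endpoint proceeds with `id = None` instead of being rejected. Adding `@require_POST` (from `django.views.decorators.http`) beneath `@login_required()` would turn that into a 405 and also keeps the endpoint from being triggered by a plain link. The permission check now matches `HIJACK_DECORATOR = superuser_decorator` in base.py, which is consistent. The body continues outside the hunk, so the handling of a missing or invalid `user_pk` is not visible here.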
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 8eb1f01fade095472701ffc1c85bd721e15fb794..845ef28b72e2c0ee0a2f5b115ce16612e3a3ea7b 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -143,10 +143,10 @@ MIDDLEWARE = [
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
     'django_otp.middleware.OTPMiddleware',
+    'hypha.apply.users.middleware.TwoFactorAuthenticationMiddleware',
 
     'hijack.middleware.HijackUserMiddleware',
 
-    'hypha.apply.users.middleware.TwoFactorAuthenticationMiddleware',
     'hypha.apply.users.middleware.SocialAuthExceptionMiddleware',
 
     'wagtail.contrib.redirects.middleware.RedirectMiddleware',
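Review bot: Moving `TwoFactorAuthenticationMiddleware` ahead of `HijackUserMiddleware` changes which user the 2FA enforcement sees; presumably it now runs against the real logged-in session before hijack swaps `request.user`, so an impersonated session cannot be used to sidestep the 2FA requirement. The rationale is not visible in the list, and middleware ordering regresses silently, so a comment on the moved line such as `# Must run before HijackUserMiddleware so 2FA is enforced on the actual logged-in user, not the impersonated one.` would pin the intent. If that is not the reason for the reorder, the comment should state whatever it is.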
@@ -497,6 +497,7 @@ FILE_ALLOWED_EXTENSIONS = ['doc', 'docx', 'odp', 'ods', 'odt', 'pdf', 'ppt', 'pp
 FILE_ACCEPT_ATTR_VALUE = ', '.join(['.' + ext for ext in FILE_ALLOWED_EXTENSIONS])
 
 # Hijack Settings
+HIJACK_ENABLE = env.bool('HIJACK_ENABLE', False)
 HIJACK_LOGIN_REDIRECT_URL = '/dashboard/'
 HIJACK_LOGOUT_REDIRECT_URL = '/account/'
 HIJACK_DECORATOR = 'hypha.apply.users.decorators.superuser_decorator'
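Review bot: `HIJACK_ENABLE` defaulting to False is the safe default, but the flag is consumed only by Hypha's own `become` route and view; `hijack.middleware.HijackUserMiddleware` stays in MIDDLEWARE and `HIJACK_DECORATOR` still applies regardless of the setting. If the `hijack` package's own URL patterns are included anywhere (not visible in this diff), they are not gated by this flag either. A comment such as `# Gates only the Hypha account/become/ endpoint; the hijack app and its middleware stay installed.` next to the setting would make that scope clear, or the same flag could be checked where the hijack URLs are included.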
diff --git a/hypha/settings/test.py b/hypha/settings/test.py
index 1d913795abb604266204c36627b4f05d42358e15..e4936bbfb355f67645f8f151eb9ab0b6ba5bd2ca 100644
--- a/hypha/settings/test.py
+++ b/hypha/settings/test.py
@@ -9,6 +9,8 @@ logging.disable(logging.CRITICAL)
 
 SECRET_KEY = 'NOT A SECRET'
 
+HIJACK_ENABLE = True
+
 PROJECTS_ENABLED = True
 PROJECTS_AUTO_CREATE = True