Allow staff to view all reviews and redirect to login if anon user access....

Allow staff to view all reviews and redirect to login if anon user access. Avoid AnonymousUser has no attribute is_apply_staff errors.

Allow staff to view all reviews and redirect to login if anon user access....
68b573f2 · Fredrik Jonsson · ca1297c1 · 68b573f2 · 68b573f2
Commit 68b573f2 authored 6 years ago by Fredrik Jonsson
--- a/opentech/apply/review/tests/test_views.py
+++ b/opentech/apply/review/tests/test_views.py
@@ -24,11 +24,11 @@ class StaffReviewsTestCase(BaseViewTestCase):
        self.assertContains(response, self.user.full_name)
        self.assertContains(response, reverse('funds:submissions:detail', kwargs={'pk': review.submission.id}))

-    def test_cant_access_other_review(self):
+    def test_can_access_other_review(self):
        submission = ApplicationSubmissionFactory()
        review = ReviewFactory(submission=submission)
        response = self.get_page(review)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)


 class StaffReviewListingTestCase(BaseViewTestCase):

--- a/opentech/apply/review/views.py
+++ b/opentech/apply/review/views.py
+from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404
@@ -38,6 +39,7 @@ def get_fields_for_stage(submission):
        return forms[0].form.form_fields


+@method_decorator(login_required, name='dispatch')
 class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
    submission_form_class = ReviewModelForm
    model = Review
@@ -97,6 +99,7 @@ class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
        return self.submission.get_absolute_url()


+@method_decorator(login_required, name='dispatch')
 class ReviewDetailView(DetailView):
    model = Review

@@ -104,7 +107,7 @@ class ReviewDetailView(DetailView):
        review = self.get_object()
        author = review.author

-        if request.user != author and not request.user.is_superuser and request.user != review.submission.lead:
+        if request.user != author and not request.user.is_superuser and not request.user.is_apply_staff:
            raise PermissionDenied

        if review.is_draft: