From 68b573f2c05f4f2f43e4fef9b0d2f3f074ea9582 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Fri, 14 Sep 2018 10:09:23 +0200
Subject: [PATCH] Allow staff to view all reviews and redirect to login if anon user access.
Avoid AnonymousUser has no attribute is_apply_staff errors.
---
 opentech/apply/review/tests/test_views.py | 4 ++--
 opentech/apply/review/views.py | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/opentech/apply/review/tests/test_views.py b/opentech/apply/review/tests/test_views.py
index 682500b50..d9d3b9453 100644
--- a/opentech/apply/review/tests/test_views.py
+++ b/opentech/apply/review/tests/test_views.py
@@ -24,11 +24,11 @@ class StaffReviewsTestCase(BaseViewTestCase):
 self.assertContains(response, self.user.full_name)
 self.assertContains(response, reverse('funds:submissions:detail', kwargs={'pk': review.submission.id}))
- def test_cant_access_other_review(self):
+ def test_can_access_other_review(self):
 submission = ApplicationSubmissionFactory()
 review = ReviewFactory(submission=submission)
 response = self.get_page(review)
- self.assertEqual(response.status_code, 403)
+ self.assertEqual(response.status_code, 200)
 class StaffReviewListingTestCase(BaseViewTestCase):
diff --git a/opentech/apply/review/views.py b/opentech/apply/review/views.py
index 70a3ad13c..da2b4fee7 100644
--- a/opentech/apply/review/views.py
+++ b/opentech/apply/review/views.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404
@@ -38,6 +39,7 @@ def get_fields_for_stage(submission):
 return forms[0].form.form_fields
+@method_decorator(login_required, name='dispatch')
 class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
 submission_form_class = ReviewModelForm
 model = Review
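Review bot: The renamed test in StaffReviewsTestCase only pins the widened staff path (200 on another reviewer's review); nothing in this hunk exercises the two behaviours the commit title claims, the anonymous redirect to login and the continued 403 for a logged-in non-staff user, so a regression in either would still pass the suite. A follow-up case along the lines of `self.client.logout()` / `response = self.get_page(review)` / `self.assertEqual(response.status_code, 302)` would cover the redirect, assuming get_page goes through self.client (its definition is outside the hunk), and a parallel case with a non-staff user should still expect 403. A draft review written by another author is also worth a case of its own, because the detail view's draft branch now carries the whole burden of keeping unpublished reviews from other staff.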
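Review bot: `login_required` on ReviewCreateOrUpdateView.dispatch only establishes that the request is authenticated; it does not restrict who may create or edit a review, and any role check the view applies lives in its body, outside this hunk, so confirm one exists before treating the decorator as the gate. `method_decorator` is used here (and again on ReviewDetailView in the next hunk) but is not among the imports added at the top of the file; presumably it is already imported further down the import block, which the first hunk does not show. A short comment above the decorator, e.g. `# login_required handles authentication only (anonymous -> login redirect); authorization is enforced separately`, would make the division of responsibility explicit to the next reader.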
@@ -97,6 +99,7 @@ class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
 return self.submission.get_absolute_url()
+@method_decorator(login_required, name='dispatch')
 class ReviewDetailView(DetailView):
 model = Review
@@ -104,7 +107,7 @@ class ReviewDetailView(DetailView):
 review = self.get_object()
 author = review.author
- if request.user != author and not request.user.is_superuser and request.user != review.submission.lead:
+ if request.user != author and not request.user.is_superuser and not request.user.is_apply_staff:
 raise PermissionDenied
 if review.is_draft:
-- GitLab
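Review bot: The new condition admits every apply-staff account in place of the narrower `review.submission.lead` check, so the `if review.is_draft:` branch that follows, whose body is outside the hunk, becomes the only control keeping unfinished reviews from staff who are not the author; confirm it still restricts drafts to the author. A lead who is neither apply staff nor a superuser also loses access under the new condition, which may be intended but is not mentioned in the commit message. The triple negation reads hard; `can_view = request.user == author or request.user.is_superuser or request.user.is_apply_staff` followed by `if not can_view:` / `raise PermissionDenied` says the same thing more plainly. The enclosing method starts and continues outside the hunk.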