From f61d7b5db03bee8d6b6ea6c367d0b0af30b35f49 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Fri, 29 Apr 2022 15:47:18 +0200
Subject: [PATCH] Make test pass and make sure staff cannot access hijack.

---
 hypha/apply/users/tests/test_views.py | 4 ++--
 hypha/apply/users/urls.py             | 7 +------
 hypha/apply/users/views.py            | 5 ++++-
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/hypha/apply/users/tests/test_views.py b/hypha/apply/users/tests/test_views.py
index 90e6bbe91..190ee006d 100644
--- a/hypha/apply/users/tests/test_views.py
+++ b/hypha/apply/users/tests/test_views.py
@@ -74,9 +74,9 @@ class TestBecome(TestCase):
         response = self.client.post(url, {'user_pk': target.pk}, follow=True, secure=True)
         return response
 
-    def test_staff_can_become_user(self):
+    def test_staff_cannot_become_user(self):
         response = self.become_request(self.staff, self.user)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 403)
 
     def test_staff_cannot_become_superuser(self):
         response = self.become_request(self.staff, self.superuser)
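Review bot: The 403 asserted on the renamed test is now produced by two independent conditions in the view (hijack disabled, or caller not a superuser), so unless the test settings are known to set `HIJACK_ENABLE = True`, this test can pass without exercising the staff check at all. Decorating the test, or the whole `TestBecome` class, with `@override_settings(HIJACK_ENABLE=True)` pins the condition under test; a sibling test with `HIJACK_ENABLE=False` for a superuser would cover the other branch, if one does not exist elsewhere in the class. The `become_request` helper whose tail is visible at the top of the hunk starts outside it.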
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 53273023e..94bc9bb2f 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -1,4 +1,3 @@
-from django.conf import settings
 from django.contrib.auth import views as auth_views
 from django.urls import include, path, reverse_lazy
 
@@ -38,6 +37,7 @@ public_urlpatterns = [
 urlpatterns = [
     path('account/', include([
         path('', AccountView.as_view(), name='account'),
+        path('become/', become, name='become'),
         path('password/', include([
             path('', EmailChangePasswordView.as_view(), name='email_change_confirm_password'),
             path(
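Review bot: The `become` route is now registered unconditionally, so a deployment with `HIJACK_ENABLE = False` answers `account/become/` with 403 from the view rather than the 404 the previous URL-level conditional produced. If that is intended, a one-line comment above the new entry, `# always routed; the view enforces settings.HIJACK_ENABLE and superuser status`, would tell the next reader why there is no conditional here, and this is the reason the removal of the `settings` import in the first hunk and the trailing block in the last one is safe. The `urlpatterns` list continues outside the hunk.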
@@ -94,8 +94,3 @@ urlpatterns = [
         path('oauth', oauth, name='oauth'),
     ])),
 ]
-
-if settings.HIJACK_ENABLE:
-    urlpatterns += [
-        path('account/become/', become, name='become'),
-    ]
diff --git a/hypha/apply/users/views.py b/hypha/apply/users/views.py
index 7a520c643..d8e85fa04 100644
--- a/hypha/apply/users/views.py
+++ b/hypha/apply/users/views.py
@@ -159,7 +159,10 @@ class EmailChangeDoneView(TemplateView):
 
 @login_required()
 def become(request):
-    if not request.user.is_apply_staff:
+    if not settings.HIJACK_ENABLE:
+        raise PermissionDenied()
+
+    if not request.user.is_superuser:
         raise PermissionDenied()
 
     id = request.POST.get('user_pk')
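Review bot: The new `settings.HIJACK_ENABLE` check references `settings`, but this hunk adds no import; if views.py does not already have `from django.conf import settings`, the first request to this view fails with a NameError rather than a 403, which the updated test would surface only when run with the real settings module. The two guards raise the same exception and read more directly as one, `if not (settings.HIJACK_ENABLE and request.user.is_superuser): raise PermissionDenied()`, and a short docstring stating that this view is superuser-only and inert when hijack is disabled would document the intent the commit message gives. The body of `become` continues past the hunk, so the remaining handling of `user_pk` is not reviewed here.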
-- 
GitLab