Skip to content

Commit 30d5348

Browse files
committed
fix: csv endpoints incorrectly responding with 403
The logic for authenticating admin (staff) users was refactored previously. Along this users were migrated from using Django's is_staff to using a custom is_event_staff. The ExportReportCsvView was not updated to reflect this change, which resulted in admin users receiving 403 errors when attempting to download CSV files. refs: PT-1812, PT-1942
1 parent e473ece commit 30d5348

2 files changed

Lines changed: 18 additions & 9 deletions

File tree

reports/tests/test_views.py

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -396,8 +396,8 @@ def test_export_persons_csv_data(
396396
PERSONS_BATCH_COUNT = 2
397397
person_1, person_2 = PersonFactory.create_batch(PERSONS_BATCH_COUNT)
398398

399-
admin_user = UserFactory(is_staff=True)
400-
user = UserFactory(is_staff=False)
399+
admin_user = UserFactory(is_event_staff=True)
400+
user = UserFactory(is_event_staff=False)
401401

402402
user_api_client = APIClient()
403403
user_api_client.force_authenticate(user=user)
@@ -427,7 +427,7 @@ def test_auditlog_access_logging(
427427
self,
428428
):
429429
PERSON_BATCH_COUNT = 2
430-
admin_user = UserFactory(is_staff=True)
430+
admin_user = UserFactory(is_event_staff=True)
431431
PersonFactory.create_batch(
432432
PERSON_BATCH_COUNT,
433433
)
@@ -458,8 +458,8 @@ def test_export_organisation_csv_data(self):
458458
person_1 = PersonFactory.create(organisations=[org1])
459459
person_2 = PersonFactory.create(organisations=[org2])
460460

461-
admin_user = UserFactory(is_staff=True)
462-
user = UserFactory(is_staff=False)
461+
admin_user = UserFactory(is_event_staff=True)
462+
user = UserFactory(is_event_staff=False)
463463

464464
user_api_client = APIClient()
465465
user_api_client.force_authenticate(user=user)
@@ -536,8 +536,8 @@ def test_export_enrolment_csv_data(self):
536536
study_group=StudyGroupFactory(group_size=2, amount_of_adult=1),
537537
)
538538

539-
admin_user = UserFactory(is_staff=True)
540-
user = UserFactory(is_staff=False)
539+
admin_user = UserFactory(is_event_staff=True)
540+
user = UserFactory(is_event_staff=False)
541541

542542
user_api_client = APIClient()
543543
user_api_client.force_authenticate(user=user)

reports/views/csv_api.py

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
from drf_spectacular.utils import extend_schema, OpenApiExample, OpenApiResponse
1313
from rest_framework import generics
1414
from rest_framework.authentication import SessionAuthentication
15-
from rest_framework.permissions import IsAdminUser
15+
from rest_framework.permissions import BasePermission
1616

1717
from common.utils import (
1818
get_client_ip,
@@ -33,6 +33,15 @@
3333
logger = logging.getLogger(__name__)
3434

3535

36+
class IsEventAdminUser(BasePermission):
37+
"""
38+
Allows access only to event admin users.
39+
"""
40+
41+
def has_permission(self, request, view):
42+
return bool(request.user and request.user.is_event_staff)
43+
44+
3645
class ExportReportCsvView(ExportReportViewMixin, generics.GenericAPIView):
3746
"""
3847
A generic API view that provides functionality to export model data as a CSV file.
@@ -49,7 +58,7 @@ class ExportReportCsvView(ExportReportViewMixin, generics.GenericAPIView):
4958
model = None
5059
serializer_class = None
5160
authentication_classes = [KultusApiTokenAuthentication, SessionAuthentication]
52-
permission_classes = [IsAdminUser]
61+
permission_classes = [IsEventAdminUser]
5362
csv_dialect = csv.excel
5463
csv_delimiter = ";"
5564

0 commit comments

Comments
 (0)