From 8582d13640a2d787cd4fe2ba688339aa8834d797 Mon Sep 17 00:00:00 2001 From: Matti Eiden Date: Tue, 19 Aug 2025 17:08:10 +0300 Subject: [PATCH] fix: csv endpoints incorrectly responding with 403 The logic for authenticating admin (staff) users was refactored previously. Along this users were migrated from using Django's is_staff to using a custom is_event_staff. The ExportReportCsvView was not updated to reflect this change, which resulted in admin users receiving 403 errors when attempting to download CSV files. refs: PT-1812, PT-1942 --- reports/tests/test_views.py | 14 +++++++------- reports/views/csv_api.py | 13 +++++++++++-- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/reports/tests/test_views.py b/reports/tests/test_views.py index 2960b660..a49e912c 100644 --- a/reports/tests/test_views.py +++ b/reports/tests/test_views.py @@ -396,8 +396,8 @@ def test_export_persons_csv_data( PERSONS_BATCH_COUNT = 2 person_1, person_2 = PersonFactory.create_batch(PERSONS_BATCH_COUNT) - admin_user = UserFactory(is_staff=True) - user = UserFactory(is_staff=False) + admin_user = UserFactory(is_event_staff=True) + user = UserFactory(is_event_staff=False) user_api_client = APIClient() user_api_client.force_authenticate(user=user) @@ -427,7 +427,7 @@ def test_auditlog_access_logging( self, ): PERSON_BATCH_COUNT = 2 - admin_user = UserFactory(is_staff=True) + admin_user = UserFactory(is_event_staff=True) PersonFactory.create_batch( PERSON_BATCH_COUNT, ) @@ -458,8 +458,8 @@ def test_export_organisation_csv_data(self): person_1 = PersonFactory.create(organisations=[org1]) person_2 = PersonFactory.create(organisations=[org2]) - admin_user = UserFactory(is_staff=True) - user = UserFactory(is_staff=False) + admin_user = UserFactory(is_event_staff=True) + user = UserFactory(is_event_staff=False) user_api_client = APIClient() user_api_client.force_authenticate(user=user) @@ -536,8 +536,8 @@ def test_export_enrolment_csv_data(self): study_group=StudyGroupFactory(group_size=2, amount_of_adult=1), ) - admin_user = UserFactory(is_staff=True) - user = UserFactory(is_staff=False) + admin_user = UserFactory(is_event_staff=True) + user = UserFactory(is_event_staff=False) user_api_client = APIClient() user_api_client.force_authenticate(user=user) diff --git a/reports/views/csv_api.py b/reports/views/csv_api.py index 77a56731..757620de 100644 --- a/reports/views/csv_api.py +++ b/reports/views/csv_api.py @@ -12,7 +12,7 @@ from drf_spectacular.utils import extend_schema, OpenApiExample, OpenApiResponse from rest_framework import generics from rest_framework.authentication import SessionAuthentication -from rest_framework.permissions import IsAdminUser +from rest_framework.permissions import BasePermission from common.utils import ( get_client_ip, @@ -33,6 +33,15 @@ logger = logging.getLogger(__name__) +class IsEventAdminUser(BasePermission): + """ + Allows access only to event admin users. + """ + + def has_permission(self, request, view): + return bool(request.user and request.user.is_event_staff) + + class ExportReportCsvView(ExportReportViewMixin, generics.GenericAPIView): """ A generic API view that provides functionality to export model data as a CSV file. @@ -49,7 +58,7 @@ class ExportReportCsvView(ExportReportViewMixin, generics.GenericAPIView): model = None serializer_class = None authentication_classes = [KultusApiTokenAuthentication, SessionAuthentication] - permission_classes = [IsAdminUser] + permission_classes = [IsEventAdminUser] csv_dialect = csv.excel csv_delimiter = ";"