events authorization check

bugsink/decorators.py

@@ -5,6 +5,7 @@ from django.core.exceptions import PermissionDenied
 
 from projects.models import Project
 from issues.models import Issue
+from events.models import Event
 
 
 def login_exempt(view):
@@ -38,3 +39,17 @@ def issue_membership_required(function):
         raise PermissionDenied("You don't have permission to access this project")
 
     return wrapper
+
+
+def event_membership_required(function):
+    @wraps(function)
+    def wrapper(request, *args, **kwargs):
+        event_pk = kwargs.pop("event_pk")
+        event = get_object_or_404(Event, pk=event_pk)
+        kwargs["event"] = event
+        if event.project.users.filter(pk=request.user.pk).exists():
+            return function(request, *args, **kwargs)
+
+        raise PermissionDenied("You don't have permission to access this project")
+
+    return wrapper

events/tests.py

@@ -1,3 +1,31 @@
 from django.test import TestCase
+from django.contrib.auth.models import User
+from projects.models import Project, ProjectMembership
+from issues.models import Issue
+from issues.factories import denormalized_issue_fields
 
-# Create your tests here.
+from .factories import create_event
+
+
+class ViewTests(TestCase):
+    # we start with minimal "does this show something and not fully crash" tests and will expand from there.
+
+    def setUp(self):
+        self.user = User.objects.create_user(username='test', password='test')
+        self.project = Project.objects.create()
+        ProjectMembership.objects.create(project=self.project, user=self.user)
+        self.issue = Issue.objects.create(project=self.project, **denormalized_issue_fields())
+        self.event = create_event(self.project, self.issue)
+        self.client.force_login(self.user)
+
+    def test_event_download(self):
+        response = self.client.get(f"/events/event/{self.event.pk}/download/")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response['Content-Type'], 'application/json')
+        self.assertTrue("platform" in response.json())
+
+    def test_event_raw(self):
+        response = self.client.get(f"/events/event/{self.event.pk}/raw/")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response['Content-Type'], 'application/json')
+        self.assertTrue("platform" in response.json())

events/urls.py

@@ -5,7 +5,7 @@ from .views import event_download, debug_get_hash
 
 urlpatterns = [
     # path('event/<uuid:pk>/', event_detail),  perhaps should become a redirect to issue/.../event now?
-    path('event/<uuid:pk>/raw/', event_download, kwargs={"as_attachment": False}),
-    path('event/<uuid:pk>/download/', event_download, kwargs={"as_attachment": True}),
+    path('event/<uuid:event_pk>/raw/', event_download, kwargs={"as_attachment": False}),
+    path('event/<uuid:event_pk>/download/', event_download, kwargs={"as_attachment": True}),
     path('debug_get_hash/<uuid:event_pk>/', debug_get_hash),
 ]

events/views.py

@@ -1,19 +1,20 @@
 import json
 
-from django.shortcuts import render, get_object_or_404
+from django.shortcuts import get_object_or_404
 from django.http import HttpResponse
 from django.utils.http import content_disposition_header
 
-from issues.utils import get_hash_for_data, get_issue_grouper_for_data
+from issues.utils import get_hash_for_data
 
 from .models import Event
+from bugsink.decorators import event_membership_required
 
 
-def event_download(request, pk, as_attachment=False):
-    obj = get_object_or_404(Event, pk=pk)
-    result = HttpResponse(obj.data, content_type="application/json")
+@event_membership_required
+def event_download(request, event, as_attachment=False):
+    result = HttpResponse(event.data, content_type="application/json")
     result["Content-Disposition"] = content_disposition_header(
-        as_attachment=as_attachment, filename=obj.id.hex + ".json")
+        as_attachment=as_attachment, filename=event.id.hex + ".json")
     return result