Add ensure team member mixin to all shift actions

Author: zarya

src/teams/tests/test_shift_views.py

@@ -343,3 +343,32 @@ def test_team_shift_actions(self) -> None:
         rows = soup.select_one("table#main_table > tbody > tr:nth-of-type(1) td:nth-of-type(5)")
         matches = [s for s in rows if "Assign me" in str(s)]
         self.assertEqual(len(matches), 1, "team shift unassign failed")
+
+        # Test taking a shift as a user not on this team
+        self.client.force_login(self.users[3]) # User not on the NOC team
+        url = reverse(
+            "teams:shift_member_take",
+            kwargs={
+                "team_slug": team_shift_1.team.slug,
+                "camp_slug": self.camp.slug,
+                "pk": team_shift_1.pk,
+            },
+        )
+        response = self.client.get(
+            path=url,
+            follow=True
+        )
+        assert response.status_code == 200
+        soup = BeautifulSoup(content, "html.parser")
+        rows = soup.select("div.alert.alert-danger")
+        matches = [s for s in rows if "No thanks" in str(s)]
+        self.assertEqual(len(matches), 0, "team shift authorization failed")
+        response = self.client.post(
+            path=url,
+            follow=True,
+        )
+        assert response.status_code == 200
+        soup = BeautifulSoup(content, "html.parser")
+        rows = soup.select("div.alert.alert-danger")
+        matches = [s for s in rows if "No thanks" in str(s)]
+        self.assertEqual(len(matches), 0, "team shift authorization failed")

src/teams/views/mixins.py

@@ -33,6 +33,23 @@ def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         return super().dispatch(request, *args, **kwargs)
 
 
+class EnsureTeamMemberMixin:
+    """Use to make sure request.user has team member permission for the team specified by kwargs['team_slug']."""
+
+    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Method to make sure request.user has team member permission for the team specified by kwargs['team_slug']."""
+        self.team = Team.objects.get(slug=kwargs["team_slug"], camp=self.camp)
+        if self.team.member_permission_set not in request.user.get_all_permissions():
+            messages.error(request, "No thanks")
+            return redirect(
+                "teams:general",
+                camp_slug=self.camp.slug,
+                team_slug=self.team.slug,
+            )
+
+        return super().dispatch(request, *args, **kwargs)
+
+
 class EnsureTeamMemberLeadMixin(SingleObjectMixin):
     """Use to make sure request.user has team lead permission for the team which TeamMember belongs to."""
 

src/teams/views/shifts.py

@@ -31,6 +31,7 @@
 from utils.mixins import IsTeamPermContextMixin
 
 from .mixins import EnsureTeamLeadMixin
+from .mixins import EnsureTeamMemberMixin 
 
 if TYPE_CHECKING:
     from django.db.models import QuerySet
@@ -312,7 +313,7 @@ def get_context_data(self, **kwargs) -> dict:
         return context
 
 
-class MemberTakesShift(LoginRequiredMixin, CampViewMixin, UpdateView):
+class MemberTakesShift(LoginRequiredMixin, CampViewMixin, EnsureTeamMemberMixin, UpdateView):
     """View for adding a user to a shift."""
     model = TeamShift
     fields = []
@@ -365,7 +366,7 @@ def form_valid(self, form: ModelForm[TeamShift]) -> HttpResponseRedirect:
         return HttpResponseRedirect(reverse("teams:shifts", kwargs=self.kwargs))
 
 
-class MemberDropsShift(LoginRequiredMixin, CampViewMixin, UpdateView):
+class MemberDropsShift(LoginRequiredMixin, CampViewMixin, EnsureTeamMemberMixin, UpdateView):
     model = TeamShift
     fields = []
     template_name = "team_shift_confirm_action.html"
@@ -394,7 +395,7 @@ def form_valid(self, form: ModelForm[TeamShift]) -> HttpResponseRedirect:
         return HttpResponseRedirect(reverse("teams:shifts", kwargs=self.kwargs))
 
 
-class MemberSellsShift(LoginRequiredMixin, CampViewMixin, UpdateView):
+class MemberSellsShift(LoginRequiredMixin, CampViewMixin, EnsureTeamMemberMixin, UpdateView):
     """View for making a shift available for other user to take."""
     model = TeamShift
     fields = []