
Kai Diefenbach  committed c5db0c1

Protect all manage methods, which can be reached from outside, with permission 'core.manage_shop'. Added test to check this.

  • Parent commits c282037


Files changed (24)

File lfs/core/tests.py

 
         self.assertEqual(currency(0.0, False), "USD 0.00")
         self.assertEqual(currency(1.0, False), "USD 1.00")
+
+
+class ManageURLsTestCase(TestCase):
+    def test_manage_urls_anonymous(self):
+        """Tests that all manage urls cannot accessed by anonymous user.
+        """
+        rf = RequestFactory()
+        request = rf.get("/")
+        request.user = AnonymousUser()
+
+        from lfs.manage.urls import urlpatterns
+        for url in urlpatterns:
+            result = url.callback(request)
+            self.failUnless(result["Location"].startswith("/login/?next=/"))
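Review bot: The loop only exercises an anonymous user, so it never checks the case the commit message actually describes — an authenticated user who lacks `core.manage_shop` — and `result["Location"]` raises a KeyError instead of a readable assertion failure if any view ever answers with a non-redirect response. A second test method with a user created without the permission closes that gap, and asserting `result.status_code` before reading the header gives a clear failure; `User` from `django.contrib.auth.models` must be in scope for it, which the hunk does not show. `failUnless` is a deprecated alias for `assertTrue`. The loop also assumes every entry in `urlpatterns` is a `url()` with a `.callback`; an `include()` resolver has no such attribute, so the test would need to recurse or skip those if one is ever added.
```python
    def test_manage_urls_without_permission(self):
        """Tests that an authenticated user without core.manage_shop is
        redirected to the login page as well.
        """
        # constructed fixture; needs User from django.contrib.auth.models
        user = User.objects.create_user("noperm", "noperm@example.com", "secret")
        rf = RequestFactory()
        request = rf.get("/")
        request.user = user

        from lfs.manage.urls import urlpatterns
        for url in urlpatterns:
            result = url.callback(request)
            self.assertEqual(result.status_code, 302)
            self.assertTrue(result["Location"].startswith("/login/?next=/"))
```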

File lfs/manage/urls.py

 from django.conf.urls.defaults import *
 from django.views.generic.simple import direct_to_template
 
-urlpatterns = patterns('django.views.generic.simple',
-    (r'^products-new', 'direct_to_template', {'template': 'manage/new/product.html'}),
-)
-
 # General
-urlpatterns += patterns('lfs.manage.views',
+urlpatterns = patterns('lfs.manage.views',
     url(r'^$', "dashboard", name="lfs_manage_dashboard"),
 )
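Review bot: The `direct_to_template` import at the top of this hunk is probably unused once the `products-new` pattern is gone; the rest of the module is not visible here, so confirm before dropping it, and the `from django.conf.urls.defaults import *` wildcard hides what the module really uses. Removing the only pattern that bypassed `lfs.manage.views` is consistent with the rest of the commit, since a generic template view under the manage prefix had no permission check at all; if that page is needed again it should be listed wrapped, e.g. `permission_required("core.manage_shop")(direct_to_template)`, rather than bare.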
 

File lfs/manage/views/actions.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_action(request, id):
     """Deletes the action with passed id.
     """

File lfs/manage/views/carts.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def carts_inline(request, as_string=False, template_name="manage/cart/carts_inline.html"):
     """Displays carts overview.
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def cart_inline(request, cart_id, as_string=False, template_name="manage/cart/cart_inline.html"):
     """Displays cart with provided cart id.
     """
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_carts_inline(request, cart_id=0, as_string=False,
     template_name="manage/cart/selectable_carts_inline.html"):
     """Display selectable carts.
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_cart_filters(request):
     """Sets cart filters given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_cart_filters_date(request):
     """Sets the date filter by given short cut link
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_cart_filters(request):
     """Resets all cart filters.
     """

File lfs/manage/views/categories/category.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_category(request, id):
     """Deletes category with given id.
     """

File lfs/manage/views/customer.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def customer_inline(request, customer_id, as_string=False, template_name="manage/customer/customer_inline.html"):
     """Displays customer with provided customer id.
     """
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_customers_inline(request, customer_id=0, as_string=False,
     template_name="manage/customer/selectable_customers_inline.html"):
     """Display selectable customers.
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_ordering(request, ordering):
     """Sets customer ordering given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_customer_filters(request):
     """Sets customer filters given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_customer_filters(request):
     """Resets all customer filters.
     """

File lfs/manage/views/delivery_times.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_delivery_time(request, id):
     """Deletes the delivery time with passed id.
     """

File lfs/manage/views/discounts.py

     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_discount(request, id):
     """Deletes discount with passed id.
     """

File lfs/manage/views/export.py

         exclude = ("products", )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_export(request, export_id, template_name="manage/export/export.html"):
     """The main view to display exports.
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def export_inline(request, export_id, category_id,
     template_name="manage/export/export_inline.html"):
     """Returns categories and products for given export id and category id.
         simplejson.dumps({"html": html}))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_export(request, template_name="manage/export/add_export.html"):
     """Form and logic to add a export.
     """
 
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def export_dispatcher(request):
     """Dispatches to the first export or to the add form.
     """
             reverse("lfs_export", kwargs={"export_id": export.id}))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_export(request, export_id):
     """Deletes export with passed export id.
     """
     return HttpResponseRedirect(reverse("lfs_export_dispatcher"))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_category(request, export_id, category_id):
     """Adds/Removes products of given category to given export.
     """
     return HttpResponse("")
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_product(request, export_id, product_id):
     """Adds/Removes given product to given export.
     """
     return HttpResponse("")
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def export(request, slug):
     """Exports the export with passed export id.
     """
     return getattr(module, export.script.method)(request, export)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def category_state(request, export_id, category_id):
     """Sets the state (klass and checking) for given category for given
     export.
     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_category_variants_option(request, export_id, category_id):
     """Stores / deletes options for the variants handling of category with
     given id.
     return HttpResponse("")
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_data(request, export_id):
     """Updates data of export with given export id.
     """

File lfs/manage/views/lfs_portlets.py

             pass
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_portlet(request, portletassignment_id):
     """Deletes a portlet for given portlet assignment.
     """

File lfs/manage/views/manufacturer.py

         model = Manufacturer
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_manufacturer(request, manufacturer_id, template_name="manage/manufacturer/manufacturer.html"):
     """The main view to display manufacturers.
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manufacturer_inline(request, manufacturer_id, category_id,
     template_name="manage/manufacturer/manufacturer_inline.html"):
     """Returns categories and products for given manufacturer id and category id.
         simplejson.dumps({"html": html}))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_manufacturer(request, template_name="manage/manufacturer/add_manufacturer.html"):
     """Form and logic to add a manufacturer.
     """
 
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def manufacturer_dispatcher(request):
     """Dispatches to the first manufacturer or to the add form.
     """
             reverse("lfs_manufacturer", kwargs={"manufacturer_id": manufacturer.id}))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_manufacturer(request, manufacturer_id):
     """Deletes Manufacturer with passed manufacturer id.
     """
     return HttpResponseRedirect(reverse("lfs_manufacturer_dispatcher"))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_category(request, manufacturer_id, category_id):
     """Adds/Removes products of given category to given manufacturer.
     """
     return HttpResponse("")
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_product(request, manufacturer_id, product_id):
     """Adds/Removes given product to given manufacturer.
     """
     return HttpResponse("")
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def category_state(request, manufacturer_id, category_id):
     """Sets the state (klass and checking) for given category for given
     manufacturer.
     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_data(request, manufacturer_id):
     """Updates data of manufacturer with given manufacturer id.
     """

File lfs/manage/views/orders.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def orders_inline(request, as_string=False, template_name="manage/order/orders_inline.html"):
     """Displays the orders. This is factored out in order to reload it via
     ajax request.
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_order_filters(request):
     """Sets order filters given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_order_filters_date(request):
     """Sets the date filter by given short cut link
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_order_filters(request):
     """resets order filter.
     """
 
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_order(request, order_id):
     """Deletes order with provided order id.
     """
     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def change_order_state(request):
     """Changes the state of an order, given by request post variables.
     """

File lfs/manage/views/page.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_page(request, id):
     """Deletes the page with passed id.
     """

File lfs/manage/views/payment.py

     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_payment_method(request, payment_method_id):
     """Deletes payment method with passed payment id.
 

File lfs/manage/views/product/product.py

 
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def add_product(request, template_name="manage/product/add_product.html"):
     """Shows a simplified product form and adds a new product.
     """
     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_product(request, product_id):
     """Deletes product with passed id.
     """
     return HttpResponseRedirect(url)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def edit_product_data(request, product_id, template_name="manage/product/data.html"):
     """Edits the product with given.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def save_products(request):
     """Saves products with passed ids (by request body).
     """

File lfs/manage/views/product/properties.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def update_property_groups(request, product_id):
     """Updates property groups for the product with passed id.
     """
     return HttpResponseRedirect(url)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def update_properties(request, product_id):
     """Updates properties for product with passed id.
     """

File lfs/manage/views/properties.py

       }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def update_property_type(request, id):
     """Updates the type of the property.
 
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
 def save_select_field(request, property_id):
     """Saves the data of a property select field.
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def save_number_field_validators(request, property_id):
     """Saves the validators for the property with passed property_id.
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def save_step_range(request, property_id):
     """Save the steps of the property with given id.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def save_step_type(request, property_id):
     """Save the step type of the property with given id.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def add_step(request, property_id):
     """Adds a step to property with passed property id resp. updates steps of
     property with passed property id dependent on the given action parameter.
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_property(request, id):
     """Deletes the property with given id.
     """
     return HttpResponseRedirect(url)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def add_option(request, property_id):
     """Adds option to property with passed property id.
     """

File lfs/manage/views/property_groups/property_groups.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_property_group(request, id):
     """Deletes the property group with passed id.
     """

File lfs/manage/views/review.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def review_inline(request, review_id, as_string=False, template_name="manage/reviews/review_inline.html"):
     """Displays review with provided review id.
     """
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_reviews_inline(request, review_id=0, as_string=False,
     template_name="manage/reviews/selectable_reviews_inline.html"):
     """Display selectable reviews.
         return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_ordering(request, ordering):
     """Sets review ordering given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_review_filters(request):
     """Sets review filters given by passed request.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_review_filters(request):
     """Resets all review filters.
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_review(request, review_id):
     """Deletes review with passed review id.
     """
         reverse("lfs_manage_reviews"), _(u"Review has been deleted."))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_state(request, review_id):
     """Sets the state for given review.
     """

File lfs/manage/views/shipping.py

     )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_shipping_method(request, shipping_method_id):
     """Deletes shipping method with passed shipping id.
 

File lfs/manage/views/shop.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_default_values(request):
     """Saves the default value part
     """

File lfs/manage/views/static_blocks.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_files(request, id):
     """
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reload_files(request, id):
     """
     """
     return HttpResponse(result)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_files(request, id):
     """Adds files to static block with passed id.
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_static_block(request, id):
     """Deletes static block with passed id.
     """

File lfs/manage/views/tax.py

     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_tax(request, id):
     """Deletes tax with passed id.
     """

File lfs/manage/views/voucher.py

 
 
 # Parts
+@permission_required("core.manage_shop", login_url="/login/")
 def voucher_group(request, id, template_name="manage/voucher/voucher_group.html"):
     """Main view to display a voucher group.
     """
         simplejson.dumps({"html": html}, cls=LazyEncoder))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_vouchers(request):
     """Redirects to the first voucher group or to the add voucher form.
     """
     return HttpResponseRedirect(url)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_vouchers(request, group_id):
     """
     """
         msg)
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_vouchers(request, group_id):
     """Deletes checked vouchers.
     """
         _(u"Vouchers have been deleted."))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_voucher_group(request, template_name="manage/voucher/add_voucher_group.html"):
     """Adds a voucher group
     """
     }))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_voucher_group_data(request, id):
     """Saves the data of the voucher group with passed id.
     """
         _(u"Voucher data has been save."))
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 @require_POST
-@permission_required("core.manage_shop", login_url="/login/")
 def delete_voucher_group(request, id):
     """Deletes voucher group with given id and all assigned vouchers.
     """
         )
 
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_voucher_options(request):
     """Saves voucher options.
     """