Restrict access of the "Distributing" page

Make it available only to the administrators, owners and members of the team.
gratipay · Aug 3, 2016 · d39d411 · d39d411
1 parent c0cf218
commit d39d411
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/tests/py/test_team_takes.py b/tests/py/test_team_takes.py
@@ -22,9 +22,16 @@ def setUp(self):
                                             , verified_in='US'
                                              )
 
-
 class Tests(TeamTakesHarness):
 
+    def test_distributing_page_access_is_restricted(self):
+        admin = self.make_participant('admin', is_admin=True)
+
+        assert self.client.GxT(self.enterprise.slug+'/distributing/')
+        assert self.client.GxT(self.enterprise.slug+'/distributing/', auth_as='bruiser')
+        assert self.client.GET(self.enterprise.slug+'/distributing/', auth_as='picard')
+        assert self.client.GET(self.enterprise.slug+'/distributing/', auth_as='admin')
+
     # gtf - get_take_for
 
     def test_gtf_returns_zero_for_unknown(self):

diff --git a/www/%team/distributing/index.html.spt b/www/%team/distributing/index.html.spt
@@ -1,10 +1,19 @@
 # encoding: utf8
+
+from aspen import Response
 from gratipay.utils import get_team
 
 [-----------------------------------------------------------------------------]
 team = get_team(state)
 if team.available == 0:
     website.redirect('..', base_url='')
+
+if user.participant == None:
+    raise Response(401)
+
+if not (user.ADMIN or user.participant.member_of(team) or user.participant.username == team.owner):
+    raise Response(403)
+
 title = _("Team Members")
 
 [-----------------------------------------------------------------------------]