+ {% if request.user.is_staff %}
+ {% endif %}
diff --git a/atlas/tests/test_multiuser.py b/atlas/tests/test_multiuser.py
index 00e0f5be..2dd5e026 100644
--- a/atlas/tests/test_multiuser.py
+++ b/atlas/tests/test_multiuser.py
@@ -1,5 +1,6 @@
import pytest
from django.urls import reverse
+from django.contrib.auth import get_user_model
from atlas.models import Case, MultiuserSession
from pytest_django.asserts import assertContains, assertRedirects
@@ -21,11 +22,14 @@ def test_multiuser_dashboard_view_anonymous_redirect(client):
assertRedirects(response, f"{reverse('login')}?next={reverse('atlas:multiuser_dashboard')}")
@pytest.mark.django_db
-def test_multiuser_dashboard_lists_sessions(client, create_user):
+def test_multiuser_dashboard_lists_sessions_staff(client, create_user):
user = create_user
+ user.is_staff = True
+ user.save()
session1 = MultiuserSession.objects.create(name="User Session 1", creator=user)
- other_user = create_user
+ User = get_user_model()
+ other_user = User.objects.create_user(username="other", password="password", email="other@test.com")
session2 = MultiuserSession.objects.create(name="Other Session 2", creator=other_user)
client.force_login(user)
@@ -35,18 +39,46 @@ def test_multiuser_dashboard_lists_sessions(client, create_user):
assertContains(response, "Other Session 2")
assertContains(response, "Start New Session")
+@pytest.mark.django_db
+def test_multiuser_dashboard_lists_sessions_non_staff(client, create_user):
+ user = create_user
+
+ User = get_user_model()
+ other_user = User.objects.create_user(username="other", password="password", email="other@test.com")
+ other_user.is_staff = True
+ other_user.save()
+ session2 = MultiuserSession.objects.create(name="Other Session 2", creator=other_user)
+
+ client.force_login(user)
+ response = client.get(reverse("atlas:multiuser_dashboard"))
+ assert response.status_code == 200
+ assertContains(response, "Other Session 2")
+ assert "Start New Session" not in response.content.decode("utf-8")
+ assert "Sessions You Managed" not in response.content.decode("utf-8")
+
@pytest.mark.django_db
def test_multiuser_create_session_action(client, create_user):
- client.force_login(create_user)
+ user = create_user
+ user.is_staff = True
+ user.save()
+ client.force_login(user)
response = client.post(reverse("atlas:multiuser_create_session"), data={"name": "My New Session"})
session = MultiuserSession.objects.get(name="My New Session")
assertRedirects(response, reverse("atlas:multiuser_session_detail", kwargs={"session_id": session.id}))
@pytest.mark.django_db
-def test_multiuser_session_detail_manager_vs_participant(client, create_user):
- manager = create_user
- participant = create_user
+def test_multiuser_create_session_action_non_staff_denied(client, create_user):
+ user = create_user
+ client.force_login(user)
+ response = client.post(reverse("atlas:multiuser_create_session"), data={"name": "Denied Session"})
+ assert response.status_code == 302 # Redirected to admin login page because of @staff_member_required
+
+@pytest.mark.django_db
+def test_multiuser_session_detail_manager_vs_participant(client):
+ User = get_user_model()
+ manager = User.objects.create_user(username="manager", password="password", email="manager@test.com")
+ participant = User.objects.create_user(username="participant", password="password", email="participant@test.com")
session = MultiuserSession.objects.create(name="Collaboration Session", creator=manager)
# Manager view
@@ -64,9 +96,10 @@ def test_multiuser_session_detail_manager_vs_participant(client, create_user):
assertContains(response, "You are viewing this session in real-time")
@pytest.mark.django_db
-def test_multiuser_search_cases_permission(client, create_user):
- manager = create_user
- participant = create_user
+def test_multiuser_search_cases_permission(client):
+ User = get_user_model()
+ manager = User.objects.create_user(username="manager", password="password", email="manager@test.com")
+ participant = User.objects.create_user(username="participant", password="password", email="participant@test.com")
session = MultiuserSession.objects.create(name="Search Session", creator=manager)
# Participant cannot search
@@ -80,9 +113,10 @@ def test_multiuser_search_cases_permission(client, create_user):
assert response.status_code == 200
@pytest.mark.django_db
-def test_multiuser_load_case_action(client, create_user, make_case):
- manager = create_user
- participant = create_user
+def test_multiuser_load_case_action(client, make_case):
+ User = get_user_model()
+ manager = User.objects.create_user(username="manager", password="password", email="manager@test.com")
+ participant = User.objects.create_user(username="participant", password="password", email="participant@test.com")
session = MultiuserSession.objects.create(name="Load Case Session", creator=manager)
case = make_case(title="Multiuser Dicom Case")
diff --git a/atlas/views.py b/atlas/views.py
index b28e7d4d..9562ffbf 100755
--- a/atlas/views.py
+++ b/atlas/views.py
@@ -10480,7 +10480,7 @@ def collection_case_displaysetup(request, collection_id, case_number=None, case_
})
-@staff_member_required
+@login_required
def multiuser_dashboard(request):
import datetime
from django.utils import timezone
@@ -10505,7 +10505,7 @@ def multiuser_create_session(request):
return redirect("atlas:multiuser_session_detail", session_id=session.id)
-@staff_member_required
+@login_required
def multiuser_session_detail(request, session_id):
session = get_object_or_404(MultiuserSession, id=session_id)
is_manager = (request.user == session.creator)
@@ -10517,7 +10517,7 @@ def multiuser_session_detail(request, session_id):
})
-@staff_member_required
+@login_required
def multiuser_search_cases(request, session_id):
from django.http import HttpResponseForbidden
session = get_object_or_404(MultiuserSession, id=session_id)
@@ -10537,7 +10537,7 @@ def multiuser_search_cases(request, session_id):
})
-@staff_member_required
+@login_required
def multiuser_case_content_partial(request, session_id):
session = get_object_or_404(MultiuserSession, id=session_id)
case = session.active_case
@@ -10558,7 +10558,7 @@ def multiuser_case_content_partial(request, session_id):
})
-@staff_member_required
+@login_required
@require_POST
def multiuser_load_case(request, session_id):
from django.http import HttpResponseForbidden
diff --git a/rad/settings_test.py b/rad/settings_test.py
index 34f92cf2..27f8e4fc 100644
--- a/rad/settings_test.py
+++ b/rad/settings_test.py
@@ -8,7 +8,7 @@ DEBUG = False
# Local Postgres defaults align with docker-compose.test.yml.
DATABASES["default"] = {
- "ENGINE": "django.db.backends.postgresql",
+ "ENGINE": os.environ.get("TEST_DB_ENGINE", "django.db.backends.postgresql"),
"NAME": os.environ.get("TEST_DB_NAME", os.environ.get("POSTGRES_DB", "rad")),
"USER": os.environ.get("TEST_DB_USER", os.environ.get("POSTGRES_USER", "django")),
"PASSWORD": os.environ.get("TEST_DB_PASSWORD", os.environ.get("POSTGRES_PASSWORD", "postgres")),