diff --git a/atlas/templates/atlas/base.html b/atlas/templates/atlas/base.html index 891a6ab5..c8974c6f 100755 --- a/atlas/templates/atlas/base.html +++ b/atlas/templates/atlas/base.html @@ -145,11 +145,9 @@ - {% if request.user.is_staff %} - {% endif %} diff --git a/atlas/templates/atlas/multiuser_dashboard.html b/atlas/templates/atlas/multiuser_dashboard.html index 6e00666f..425a94f4 100644 --- a/atlas/templates/atlas/multiuser_dashboard.html +++ b/atlas/templates/atlas/multiuser_dashboard.html @@ -15,6 +15,7 @@
+ {% if request.user.is_staff %}
@@ -34,9 +35,11 @@
+ {% endif %} -
+
+ {% if request.user.is_staff %}
@@ -88,6 +91,7 @@ {% endif %}
+ {% endif %}
diff --git a/atlas/tests/test_multiuser.py b/atlas/tests/test_multiuser.py index 00e0f5be..2dd5e026 100644 --- a/atlas/tests/test_multiuser.py +++ b/atlas/tests/test_multiuser.py @@ -1,5 +1,6 @@ import pytest from django.urls import reverse +from django.contrib.auth import get_user_model from atlas.models import Case, MultiuserSession from pytest_django.asserts import assertContains, assertRedirects @@ -21,11 +22,14 @@ def test_multiuser_dashboard_view_anonymous_redirect(client): assertRedirects(response, f"{reverse('login')}?next={reverse('atlas:multiuser_dashboard')}") @pytest.mark.django_db -def test_multiuser_dashboard_lists_sessions(client, create_user): +def test_multiuser_dashboard_lists_sessions_staff(client, create_user): user = create_user + user.is_staff = True + user.save() session1 = MultiuserSession.objects.create(name="User Session 1", creator=user) - other_user = create_user + User = get_user_model() + other_user = User.objects.create_user(username="other", password="password", email="other@test.com") session2 = MultiuserSession.objects.create(name="Other Session 2", creator=other_user) client.force_login(user) @@ -35,18 +39,46 @@ def test_multiuser_dashboard_lists_sessions(client, create_user): assertContains(response, "Other Session 2") assertContains(response, "Start New Session") +@pytest.mark.django_db +def test_multiuser_dashboard_lists_sessions_non_staff(client, create_user): + user = create_user + + User = get_user_model() + other_user = User.objects.create_user(username="other", password="password", email="other@test.com") + other_user.is_staff = True + other_user.save() + session2 = MultiuserSession.objects.create(name="Other Session 2", creator=other_user) + + client.force_login(user) + response = client.get(reverse("atlas:multiuser_dashboard")) + assert response.status_code == 200 + assertContains(response, "Other Session 2") + assert "Start New Session" not in response.content.decode("utf-8") + assert "Sessions You Managed" not in response.content.decode("utf-8") + @pytest.mark.django_db def test_multiuser_create_session_action(client, create_user): - client.force_login(create_user) + user = create_user + user.is_staff = True + user.save() + client.force_login(user) response = client.post(reverse("atlas:multiuser_create_session"), data={"name": "My New Session"}) session = MultiuserSession.objects.get(name="My New Session") assertRedirects(response, reverse("atlas:multiuser_session_detail", kwargs={"session_id": session.id})) @pytest.mark.django_db -def test_multiuser_session_detail_manager_vs_participant(client, create_user): - manager = create_user - participant = create_user +def test_multiuser_create_session_action_non_staff_denied(client, create_user): + user = create_user + client.force_login(user) + response = client.post(reverse("atlas:multiuser_create_session"), data={"name": "Denied Session"}) + assert response.status_code == 302 # Redirected to admin login page because of @staff_member_required + +@pytest.mark.django_db +def test_multiuser_session_detail_manager_vs_participant(client): + User = get_user_model() + manager = User.objects.create_user(username="manager", password="password", email="manager@test.com") + participant = User.objects.create_user(username="participant", password="password", email="participant@test.com") session = MultiuserSession.objects.create(name="Collaboration Session", creator=manager) # Manager view @@ -64,9 +96,10 @@ def test_multiuser_session_detail_manager_vs_participant(client, create_user): assertContains(response, "You are viewing this session in real-time") @pytest.mark.django_db -def test_multiuser_search_cases_permission(client, create_user): - manager = create_user - participant = create_user +def test_multiuser_search_cases_permission(client): + User = get_user_model() + manager = User.objects.create_user(username="manager", password="password", email="manager@test.com") + participant = User.objects.create_user(username="participant", password="password", email="participant@test.com") session = MultiuserSession.objects.create(name="Search Session", creator=manager) # Participant cannot search @@ -80,9 +113,10 @@ def test_multiuser_search_cases_permission(client, create_user): assert response.status_code == 200 @pytest.mark.django_db -def test_multiuser_load_case_action(client, create_user, make_case): - manager = create_user - participant = create_user +def test_multiuser_load_case_action(client, make_case): + User = get_user_model() + manager = User.objects.create_user(username="manager", password="password", email="manager@test.com") + participant = User.objects.create_user(username="participant", password="password", email="participant@test.com") session = MultiuserSession.objects.create(name="Load Case Session", creator=manager) case = make_case(title="Multiuser Dicom Case") diff --git a/atlas/views.py b/atlas/views.py index b28e7d4d..9562ffbf 100755 --- a/atlas/views.py +++ b/atlas/views.py @@ -10480,7 +10480,7 @@ def collection_case_displaysetup(request, collection_id, case_number=None, case_ }) -@staff_member_required +@login_required def multiuser_dashboard(request): import datetime from django.utils import timezone @@ -10505,7 +10505,7 @@ def multiuser_create_session(request): return redirect("atlas:multiuser_session_detail", session_id=session.id) -@staff_member_required +@login_required def multiuser_session_detail(request, session_id): session = get_object_or_404(MultiuserSession, id=session_id) is_manager = (request.user == session.creator) @@ -10517,7 +10517,7 @@ def multiuser_session_detail(request, session_id): }) -@staff_member_required +@login_required def multiuser_search_cases(request, session_id): from django.http import HttpResponseForbidden session = get_object_or_404(MultiuserSession, id=session_id) @@ -10537,7 +10537,7 @@ def multiuser_search_cases(request, session_id): }) -@staff_member_required +@login_required def multiuser_case_content_partial(request, session_id): session = get_object_or_404(MultiuserSession, id=session_id) case = session.active_case @@ -10558,7 +10558,7 @@ def multiuser_case_content_partial(request, session_id): }) -@staff_member_required +@login_required @require_POST def multiuser_load_case(request, session_id): from django.http import HttpResponseForbidden diff --git a/rad/settings_test.py b/rad/settings_test.py index 34f92cf2..27f8e4fc 100644 --- a/rad/settings_test.py +++ b/rad/settings_test.py @@ -8,7 +8,7 @@ DEBUG = False # Local Postgres defaults align with docker-compose.test.yml. DATABASES["default"] = { - "ENGINE": "django.db.backends.postgresql", + "ENGINE": os.environ.get("TEST_DB_ENGINE", "django.db.backends.postgresql"), "NAME": os.environ.get("TEST_DB_NAME", os.environ.get("POSTGRES_DB", "rad")), "USER": os.environ.get("TEST_DB_USER", os.environ.get("POSTGRES_USER", "django")), "PASSWORD": os.environ.get("TEST_DB_PASSWORD", os.environ.get("POSTGRES_PASSWORD", "postgres")),