Protect actions behind user.is_authenticated

polobo · polobo · commit be4975391da6 · 2025-04-06T09:13:02.000-07:00
The idea of having actions visible and then redirect for authentication
is acceptable in general but the /patch view is now driven by the
role of the user viewing the page that it seems easier to simply show
no actions if the user is not authenticated and add a note just above
the action table indicating the read-only mode.

Add missing is_staff protection for the administrative actions form.

Just outright removing the key-value table if you are not logged in.
Don't want to edit it, want to get rid of it.
diff --git a/pgcommitfest/commitfest/templates/patch.html b/pgcommitfest/commitfest/templates/patch.html
@@ -1,7 +1,16 @@
 {%extends "base.html"%}
 {%load commitfest%}
 {%block contents%}
- {%include "patch_administrative.inc"%}
+ {%if user.is_staff %}
+  {%include "patch_administrative.inc"%}
+ {%endif%}
+
+ {%if not user.is_authenticated %}
+  <div>
+   Read-Only mode.  <a href="/account/login/?next={{request.path}}">Log in</a> to interact with this patch.
+  </div>
+ {%endif%}
+
  {%include "patch_workflow.inc"%}
 
  <div class="workflow">
@@ -18,7 +27,9 @@
       {%if patch.gitlink%}
        <a href="{{patch.gitlink}}">Git</a>
       {%endif%}
-      <a class="btn btn-default pull-right" href="edit/">Edit</a>
+      {%if user.is_authenticated %}
+       <a class="btn btn-default pull-right" href="edit/">Edit</a>
+      {%endif%}
      </td>
     </tr>
     <tr>
@@ -38,7 +49,9 @@
 
  <div>
   <button class="btn btn-default" data-toggle="collapse" data-target="#history-table">Toggle History Table</button>
-  <button class="btn btn-default" data-toggle="collapse" data-target="#keyvalue-table">Toggle Key-Value Table</button>
+  {%if user.is_authenticated %}
+   <button class="btn btn-default" data-toggle="collapse" data-target="#keyvalue-table">Toggle Key-Value Table</button>
+  {%endif%}
  </div>
 
  <div id="history-table" class="table table-bordered">
@@ -62,8 +75,9 @@ <h3>History</h3>
    </tbody>
   </table>
  </div>
-
+ {%if user.is_authenticated %}
 {%include "patch_table_keyvalue.inc"%}
+ {%endif%}
 
 {%comment%}commit dialog{%endcomment%}
  <div class="modal fade" id="commitModal" role="dialog">
diff --git a/pgcommitfest/commitfest/templates/patch_workflow.inc b/pgcommitfest/commitfest/templates/patch_workflow.inc
@@ -1,131 +1,145 @@
 {%load commitfest%}
 <div class="workflow">
  <table class="table table-bordered">
- <thead>
-  <tr>
-   <th>Assign To</th>
-   <th>Annotate</th>
-   <th>Resolve</th>
-   <th>Move To</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-  <!-- Change -->
-  <td>
-   {%if poc.status == poc.STATUS_AUTHOR %}
-    <a class="btn btn-default" href="status/review/">Reviewer</a>
-   {%endif%}
-   {%if poc.status == poc.STATUS_REVIEW or poc.status == poc.STATUS_COMMITTER %}
-    <a class="btn btn-default" href="status/author/">Author</a>
-   {%endif%}
-   {%if poc.status == poc.STATUS_REVIEW %}
-    <a class="btn btn-default" href="status/committer/">Committer</a>
-   {%endif%}
-  </td>
-  <!-- Annotate -->
-  <td>
-   <a class="btn btn-default" href="comment/">Comment</a>
-   <a class="btn btn-default" href="review/">Review</a>
-  </td>
-  <!-- Resolve -->
-  <td>
-   {%if is_committer or is_author %}
-    {%if is_committer %}
-     <a class="btn btn-default" href="close/committed/" onclick="return flagCommitted({%if patch.committer%}'{{patch.committer}}'{%elif is_committer%}'{{user.username}}'{%else%}null{%endif%})">Commit</a>
-     <a class="btn btn-default" href="close/reject/" onclick="return verify_reject()">Reject</a>
-    {%endif%}
-    {%if is_author %}
-     <a class="btn btn-default" href="close/withdrawn/" onclick="return verify_withdrawn()">Withdraw</a>
-    {%endif%}
-   {%else%}
-    <span>No Actions Available</span>
-   {%endif%}
-  </td>
-  <!-- Move -->
-  <td>
-   {%if not cf.isfuture and workflow.future %}
-    {%if True %}
-     <a class="btn btn-default"
-      href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.future.id}}">
-     {{workflow.future.name}}</a>
-    {%endif%}
-   {%endif%}
+  {%if user.is_authenticated %}
+   <thead>
+    <tr>
+     <th>Assign To</th>
+     <th>Annotate</th>
+     <th>Resolve</th>
+     <th>Move To</th>
+    </tr>
+   </thead>
+   <tbody>
+    <tr>
+    <!-- Change -->
+    <td>
+     {%if poc.status == poc.STATUS_AUTHOR %}
+      <a class="btn btn-default" href="status/review/">Reviewer</a>
+     {%endif%}
+     {%if poc.status == poc.STATUS_REVIEW or poc.status == poc.STATUS_COMMITTER %}
+      <a class="btn btn-default" href="status/author/">Author</a>
+     {%endif%}
+     {%if poc.status == poc.STATUS_REVIEW %}
+      <a class="btn btn-default" href="status/committer/">Committer</a>
+     {%endif%}
+    </td>
+    <!-- Annotate -->
+    <td>
+     <a class="btn btn-default" href="comment/">Comment</a>
+     <a class="btn btn-default" href="review/">Review</a>
+    </td>
+    <!-- Resolve -->
+    <td>
+     {%if is_committer or is_author %}
+      {%if is_committer %}
+       <a class="btn btn-default" href="close/committed/" onclick="return flagCommitted({%if patch.committer%}'{{patch.committer}}'{%elif is_committer%}'{{user.username}}'{%else%}null{%endif%})">Commit</a>
+       <a class="btn btn-default" href="close/reject/" onclick="return verify_reject()">Reject</a>
+      {%endif%}
+      {%if is_author %}
+       <a class="btn btn-default" href="close/withdrawn/" onclick="return verify_withdrawn()">Withdraw</a>
+      {%endif%}
+     {%else%}
+      <span>No Actions Available</span>
+     {%endif%}
+    </td>
+    <!-- Move -->
+    <td>
+     {%if not cf.isfuture and workflow.future %}
+      {%if True %}
+       <a class="btn btn-default"
+        href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.future.id}}">
+       {{workflow.future.name}}</a>
+      {%endif%}
+     {%endif%}
 
-   {%if not cf.isopen and workflow.open %}
-    {%if is_committer %}
-     <a class="btn btn-default"
-      href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.open.id}}">
-     {{workflow.open.name}}</a>
-    {%endif%}
-   {%endif%}
+     {%if not cf.isopen and workflow.open %}
+      {%if is_committer %}
+       <a class="btn btn-default"
+        href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.open.id}}">
+       {{workflow.open.name}}</a>
+      {%endif%}
+     {%endif%}
 
-   {%if not cf.isinprogress and workflow.progress %}
-    {%if is_committer %}
-     <a class="btn btn-default"
-      href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.progress.id}}">
-     {{workflow.progress.name}}</a>
-    {%endif%}
-   {%endif%}
+     {%if not cf.isinprogress and workflow.progress %}
+      {%if is_committer %}
+       <a class="btn btn-default"
+        href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.progress.id}}">
+       {{workflow.progress.name}}</a>
+      {%endif%}
+     {%endif%}
 
-   {%if not cf.isparked and workflow.parked %}
-    {%if is_author %}
-     <a class="btn btn-default"
-      href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.parked.id}}">
-     {{workflow.parked.name}}</a>
-    {%endif%}
-   {%endif%}
-
-  </td>
-  </tr>
+     {%if not cf.isparked and workflow.parked %}
+      {%if is_author %}
+       <a class="btn btn-default"
+        href="transition/?fromcfid={{poc.commitfest.id}}&tocfid={{workflow.parked.id}}">
+       {{workflow.parked.name}}</a>
+      {%endif%}
+     {%endif%}
 
-  <tr>
-   <th>Author(s)</th>
-   <th>Reviewer(s)</th>
-   <th>Committer</th>
-   <th>Status</th>
-  </tr>
-
-  <tr>
-  <!-- Change -->
-  <td>
-   {%for author in authors %}
-    <div>{{author.first_name}} {{author.last_name}}</div>
-   {%endfor%}
-   {%if is_author or is_committer %}
-    <a class="btn btn-default " href="edit/">Edit Authors</a>
-   {%endif%}
-  </td>
-  <!-- Annotate -->
-  <td>
-   {%for reviewer in reviewers %}
-    <div>{{reviewer.first_name}} {{reviewer.last_name}}</div>
-   {%endfor%}
-   <div><a href="reviewer/{{is_reviewer|yesno:"remove,become"}}/" class="btn btn-default">{{is_reviewer|yesno:"Remove from reviewers,Become reviewer"}}</a></div>
-  </td>
-  <!-- Resolve -->
-  <td>
-   {%if patch.committer%}<div>{{patch.committer.fullname}}</div>{%endif%}
-   {%if is_committer%}<div><a href="committer/{{is_this_committer|yesno:"remove,become"}}/" class="btn btn-default">{{is_this_committer|yesno:"Unclaim as committer,Claim as committer"}}</a></div>{%endif%}
-  </td>
-  <!-- Move -->
-  <td>
-   <div>
-    <span class="label label-{{poc.commitfest.status|patchstatuslabel}}">{{poc.commitfest.statusstring}}</span>
-    <span class="label label-{{poc.status|patchstatuslabel}}">{{poc.statusstring}}</span>
-    <span><a href="edit/">Version</a>: </span> <span class="label label-default">{%if patch.targetversion%}{{patch.targetversion}}{%else%}N/A{%endif%}</span>
-    {%if user.is_authenticated%}
-     <span class="pull-right">Updates: <a href="{{is_subscribed|yesno:"unsubscribe,subscribe"}}/" class="btn btn-default">{{is_subscribed|yesno:"Unsubscribe,Subscribe"}}</a></span>
+    </td>
+    </tr>
+   </tbody>
+  {%endif%}
+  <thead>
+   <tr>
+    <th>Author(s)</th>
+    <th>Reviewer(s)</th>
+    <th>Committer</th>
+    <th>Status</th>
+   </tr>
+  </thead>
+  <tbody>
+   <tr>
+   <!-- Change -->
+   <td>
+    {%for author in authors %}
+     <div>{{author.first_name}} {{author.last_name}}</div>
+    {%endfor%}
+    {%if is_author or is_committer %}
+     <a class="btn btn-default " href="edit/">Edit Authors</a>
+    {%endif%}
+   </td>
+   <!-- Annotate -->
+   <td>
+    {%for reviewer in reviewers %}
+     <div>{{reviewer.first_name}} {{reviewer.last_name}}</div>
+    {%endfor%}
+    {%if user.is_authenticated %}
+     <div><a href="reviewer/{{is_reviewer|yesno:"remove,become"}}/" class="btn btn-default">{{is_reviewer|yesno:"Remove from reviewers,Become reviewer"}}</a></div>
     {%endif%}
-   </div>
-   <div>
-    <span><a href="edit/">Topic</a>: </span></span> <span>{{ patch.topic }}</span>
-   </div>
-   <div>
-    <span>Last Modified:</span> <span>{{patch.modified}} ({% cfwhen patch.modified %})</span>
-   </div>
-  </td>
-  </tr>
- </tbody>
+   </td>
+   <!-- Resolve -->
+   <td>
+    {%if patch.committer%}<div>{{patch.committer.fullname}}</div>{%endif%}
+    {%if is_committer%}<div><a href="committer/{{is_this_committer|yesno:"remove,become"}}/" class="btn btn-default">{{is_this_committer|yesno:"Unclaim as committer,Claim as committer"}}</a></div>{%endif%}
+   </td>
+   <!-- Move -->
+   <td>
+    <div>
+     <span class="label label-{{poc.commitfest.status|patchstatuslabel}}">{{poc.commitfest.statusstring}}</span>
+     <span class="label label-{{poc.status|patchstatuslabel}}">{{poc.statusstring}}</span>
+     <span>
+      {%if user.is_authenticated%}<a href="edit/">{%endif%}
+      Version{%if user.is_authenticated%}</a>{%endif%}:
+     </span>
+     <span class="label label-default">{%if patch.targetversion%}{{patch.targetversion}}{%else%}N/A{%endif%}</span>
+     {%if user.is_authenticated %}
+      <span class="pull-right">Updates: <a href="{{is_subscribed|yesno:"unsubscribe,subscribe"}}/" class="btn btn-default">{{is_subscribed|yesno:"Unsubscribe,Subscribe"}}</a></span>
+     {%endif%}
+    </div>
+    <div>
+     <span>
+      {%if user.is_authenticated%}<a href="edit/">{%endif%}
+      Topic{%if user.is_authenticated%}</a>{%endif%}:
+     </span>
+     <span>{{ patch.topic }}</span>
+    </div>
+    <div>
+     <span>Last Modified:</span> <span>{{patch.modified}} ({% cfwhen patch.modified %})</span>
+    </div>
+   </td>
+   </tr>
+  </tbody>
  </table>
 </div>
