Disable User petition with setting (#237)

* feat - Add filtering on new DISABLE_USER_PETITION setting

* test
- Test users can't access user petition
- Test users can still access org petition

* test - check no error message
* misc - Document DISABLE_USER_PETITION setting

* feat - Disable petition transfer from org to user

Author: martinlehoux

doc/configuration.rst

@@ -50,4 +50,5 @@ Those are things you can configure to customize your Pytition instance:
 
 .. autodata:: pytition.settings.base.SITE_NAME
 .. autodata:: pytition.settings.base.FOOTER_TEMPLATE
+.. autodata:: pytition.settings.base.DISABLE_USER_PETITION
 .. autodata:: pytition.settings.base.RESTRICT_ORG_CREATION

pytition/petition/tests/tests_PetitionCreationWizard.py

@@ -1,6 +1,7 @@
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.urls import reverse
 from django.contrib.auth import get_user_model
+from django.contrib.messages import get_messages
 
 from petition.models import Organization, Petition, PytitionUser, Permission
 
@@ -75,3 +76,20 @@ def test_call_page2_ok(self):
         org = Organization.objects.get(name='Les Amis de la Terre')
         response = self.client.get(reverse("user_petition_wizard"))
         self.assertEqual(response.status_code, 200)
+
+    @override_settings(DISABLE_USER_PETITION=True)
+    def test_user_petition_disabled(self):
+        self.login("julia")
+        response = self.client.get(reverse("user_petition_wizard"))
+        self.assertRedirects(response, reverse("user_dashboard"))
+        response = self.client.get(reverse("user_petition_wizard"), follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Users are not allowed to create their own petitions.")
+
+    @override_settings(DISABLE_USER_PETITION=True)
+    def test_org_petition_still_working(self):
+        self.login("julia")
+        org = Organization.objects.get(name='Les Amis de la Terre')
+        response = self.client.get(reverse("org_petition_wizard", args=[org.slugname]))
+        self.assertEqual(response.status_code, 200)
+        self.assertNotContains(response, "Users are not allowed to create their own petitions.")

pytition/petition/tests/tests_PetitionTransfer.py

@@ -0,0 +1,99 @@
+from django.test import TestCase, override_settings
+from django.urls import reverse
+from django.contrib.auth import get_user_model
+from django.contrib.messages import get_messages
+
+from petition.models import Organization, Petition, PytitionUser, Permission
+
+
+users = ['julia', 'john', 'max', 'sarah']
+orgs = ['RAP', 'Greenpeace', 'Attac', 'Les Amis de la Terre']
+
+org_members = {
+    'RAP': ['julia'],
+    'Les Amis de la Terre': ['julia', 'max'],
+    'Attac': ['john'],
+}
+
+
+class PetitionCreateWizardViewTest(TestCase):
+    """Test PetitionCreateWizard view"""
+    @classmethod
+    def setUpTestData(cls):
+        User = get_user_model()
+        for org in orgs:
+            o = Organization.objects.create(name=org)
+            o.save()
+        for user in users:
+            u = User.objects.create_user(user, password=user)
+            u.first_name = user
+            u.last_name = user + "Last"
+            u.save()
+        for orgname in org_members:
+            org = Organization.objects.get(name=orgname)
+            for username in org_members[orgname]:
+                user = PytitionUser.objects.get(user__username=username)
+                org.members.add(user)
+                permission = Permission.objects.get(organization=org, user=user)
+                permission.can_modify_permissions=True
+                permission.save()
+
+        # give julia can_modify_petitions permission on "Les Amis de la Terre" organization
+        user = PytitionUser.objects.get(user__username='julia')
+        org = Organization.objects.get(name="Les Amis de la Terre")
+        perm = Permission.objects.get(organization=org, user=user)
+        perm.can_modify_petitions = True
+        perm.save()
+
+    def login(self, name, password=None):
+        self.client.login(username=name, password=password if password else name)
+        self.pu = PytitionUser.objects.get(user__username=name)
+        return self.pu
+
+    def logout(self):
+        self.client.logout()
+
+    def test_model_transfer_method(self):
+        org = Organization.objects.get(name="Les Amis de la Terre")
+        user = PytitionUser.objects.get(user__username="julia")
+
+        user_petition = Petition.objects.create(title="Petition 1", user=user)
+        self.assertEqual(user_petition.user, user)
+        self.assertEqual(user_petition.org, None)
+
+        user_petition.transfer_to(org=org)
+        self.assertEqual(user_petition.user, None)
+        self.assertEqual(user_petition.org, org)
+
+        user_petition.transfer_to(user=user)
+        self.assertEqual(user_petition.user, user)
+        self.assertEqual(user_petition.org, None)
+
+        with self.assertRaises(ValueError):
+            user_petition.transfer_to()
+            user_petition.transfer_to(org=org, user=user)
+
+    def test_transfer_view(self):
+        self.login("julia")
+        org = Organization.objects.get(name="Les Amis de la Terre")
+        user = PytitionUser.objects.get(user__username="julia")
+        user_petition = Petition.objects.create(title="Petition 1", user=user)
+        url = reverse("transfer_petition", args=[user_petition.id])
+
+        response = self.client.post(url, data={"new_owner_type": "org", "new_owner_name": org.slugname}, follow=True)
+        self.assertEqual(response.status_code, 200)
+        user_petition = Petition.objects.get(id=user_petition.id)
+        self.assertEqual(user_petition.org, org)
+
+        response = self.client.post(url, data={"new_owner_type": "user", "new_owner_name": user.user.username}, follow=True)
+        self.assertEqual(response.status_code, 200)
+        user_petition = Petition.objects.get(id=user_petition.id)
+        self.assertEqual(user_petition.user, user)
+
+        with override_settings(DISABLE_USER_PETITION=True):
+            user_petition = Petition.objects.create(title="Petition 1", org=org)
+            response = self.client.post(url, data={"new_owner_type": "user", "new_owner_name": user.user.username}, follow=True)
+            self.assertContains(response, "Users are not allowed to transfer petitions to organizations on this instance.")
+            user_petition = Petition.objects.get(id=user_petition.id)
+            self.assertIsNone(user_petition.user)
+        

pytition/petition/views.py

@@ -902,6 +902,12 @@ def org_set_user_perms(request, orgslugname, user_name):
 # PATH : subroutes of /wizard
 @method_decorator(login_required, name='dispatch')
 class PetitionCreationWizard(SessionWizardView):
+    def dispatch(self, request, *args, **kwargs):
+        if settings.DISABLE_USER_PETITION and "orgslugname" not in self.kwargs:
+            messages.error(request, _("Users are not allowed to create their own petitions."))
+            return redirect("user_dashboard")
+        return super().dispatch(request, *args, **kwargs)
+
     def get_template_names(self):
         return [WizardTemplates[self.steps.current]]
 
@@ -1614,6 +1620,9 @@ def transfer_petition(request, petition_id):
             except:
                 notFound = True
         if owner_type == "user":
+            if settings.DISABLE_USER_PETITION:
+                messages.error(request, _("Users are not allowed to transfer petitions to organizations on this instance."))
+                return redirect("user_dashboard")
             try:
                 user = PytitionUser.objects.get(user__username=new_owner_name)
             except:

pytition/pytition/settings/base.py

@@ -104,12 +104,12 @@
 MAIL_EXTERNAL_CRON_SET = False
 
 # number of seconds to wait before sending emails. This will be usefull only if USE_MAIL_QUEUE=True and uwsgi is used
-UWSGI_WAIT_FOR_MAIL_SEND_IN_S=10
+UWSGI_WAIT_FOR_MAIL_SEND_IN_S = 10
 # number of seconds to wait before retrying emails. This will be usefull only if USE_MAIL_QUEUE=True and uwsgi is used
-UWSGI_WAIT_FOR_RETRY_IN_S=1 * 60
+UWSGI_WAIT_FOR_RETRY_IN_S = 1 * 60
 # number of seconds to wait before purging emails. This will be usefull only if USE_MAIL_QUEUE=True and uwsgi is used
-UWSGI_WAIT_FOR_PURGE_IN_S=1 * 24 * 60 * 60
-UWSGI_NB_DAYS_TO_KEEP=3
+UWSGI_WAIT_FOR_PURGE_IN_S = 1 * 24 * 60 * 60
+UWSGI_NB_DAYS_TO_KEEP = 3
 
 # Password validation
 # https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
@@ -256,6 +256,10 @@
 FILE_UPLOAD_PERMISSIONS = 0o640
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o750
 
+
+#:| If set to True, users won't be able to create petitions in their name, but only for an organization
+DISABLE_USER_PETITION = False
+
 #:| If set to True, regular users won't be able to create new organizations.
 #:| Only superusers will be allowed to
 RESTRICT_ORG_CREATION = False