Raise PermissionDenied instead of redirecting with a message if user doesn't have the tag attach permission. GL issue #235.

2015-10-24 00:45:48 -04:00
parent dfda765d34
commit b0f5e8741b
2 changed files with 13 additions and 10 deletions
--- a/mayan/apps/tags/tests/test_views.py
+++ b/mayan/apps/tags/tests/test_views.py
@@ -182,7 +182,7 @@ class TagViewTestCase(GenericDocumentViewTestCase):
            }
        )

-        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.status_code, 403)
        self.assertEqual(self.document.tags.count(), 0)

    def test_document_attach_tag_view_with_permission(self):
--- a/mayan/apps/tags/views.py
+++ b/mayan/apps/tags/views.py
@@ -6,7 +6,7 @@ from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.core.urlresolvers import reverse, reverse_lazy
 from django.conf import settings
-from django.http import HttpResponseRedirect
+from django.http import Http404, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, render_to_response
 from django.template import RequestContext
 from django.utils.translation import ugettext_lazy as _, ungettext
@@ -45,14 +45,6 @@ def tag_attach(request, document_id=None, document_id_list=None):
    elif document_id_list:
        queryset = Document.objects.filter(pk__in=document_id_list)

-    if not queryset:
-        messages.error(request, _('Must provide at least one document.'))
-        return HttpResponseRedirect(
-            request.META.get(
-                'HTTP_REFERER', reverse(settings.LOGIN_REDIRECT_URL)
-            )
-        )
-
    try:
        Permission.check_permissions(request.user, (permission_tag_attach,))
    except PermissionDenied:
@@ -60,6 +52,17 @@ def tag_attach(request, document_id=None, document_id_list=None):
            permission_tag_attach, request.user, queryset
        )

+    if not queryset:
+        if document_id:
+            raise PermissionDenied
+        else:
+            messages.error(request, _('Must provide at least one document.'))
+            return HttpResponseRedirect(
+                request.META.get(
+                    'HTTP_REFERER', reverse(settings.LOGIN_REDIRECT_URL)
+                )
+            )
+
    post_action_redirect = None
    previous = request.POST.get(
        'previous', request.GET.get(