restrict calendar view to events that the user is allowed to view (#469)

jeriox · jeriox · commit df7c5e78d479 · 2021-05-06T18:22:59.000+02:00
diff --git a/ephios/core/views/event.py b/ephios/core/views/event.py
@@ -335,7 +335,10 @@ def get_context_data(self, **kwargs):
         today = datetime.today()
         year = int(self.request.GET.get("year", today.year))
         month = int(self.request.GET.get("month", today.month))
-        shifts = Shift.objects.filter(start_time__month=month, start_time__year=year)
+        events = get_objects_for_user(self.request.user, "core.view_event", klass=Event)
+        shifts = Shift.objects.filter(
+            event__in=events, start_time__month=month, start_time__year=year
+        )
         calendar = ShiftCalendar(shifts)
         kwargs.setdefault("calendar", mark_safe(calendar.formatmonth(year, month)))
         nextyear, nextmonth = _nextmonth(year, month)
diff --git a/tests/core/test_event_calendar.py b/tests/core/test_event_calendar.py
@@ -0,0 +1,31 @@
+from django.urls import reverse
+
+
+def test_calendar_display(client, volunteer, event):
+    # we are using the django test client here because we couldn't get the session stuff to
+    # work with pytest. Don't copy this!
+    session = client.session
+    session["event_list_view_type"] = "calendar"
+    session.save()
+    client.force_login(volunteer)
+    response = client.get(reverse("core:event_list"))
+    assert response.status_code == 200
+    assert "core/event_calendar.html" in response.template_name
+
+
+def test_calendar_display_restricitions(client, volunteer, event):
+    # we are using the django test client here because we couldn't get the session stuff to
+    # work with pytest. Don't copy this!
+    volunteer.groups.set([])
+    volunteer.save()
+    session = client.session
+    session["event_list_view_type"] = "calendar"
+    session.save()
+    client.force_login(volunteer)
+    shift = event.shifts.first()
+    response = client.get(
+        f"{reverse('core:event_list')}?year={shift.start_time.year}&month={shift.start_time.month}"
+    )
+    assert response.status_code == 200
+    assert "core/event_calendar.html" in response.template_name
+    assert event.title not in response.rendered_content
