feat(destinations): add superuser all view

2025-04-28 12:49:49 -04:00 · 2021-04-22 17:31:47 -04:00 · 2021-04-22 17:31:47 -04:00 · aa8c7f95b2
commit aa8c7f95b2
parent e818d8fbc4
2 changed files with 37 additions and 3 deletions
--- a/tjdests/apps/destinations/tests.py
+++ b/tjdests/apps/destinations/tests.py
@ -72,6 +72,32 @@ class DestinationsTest(TJDestsTestCase):
            user2, response.context["object_list"]
        )  # haven't published data

+        # Check superuser "all" get parameter
+        # We are not a superuser, so this should 403.
+        response = self.client.get(reverse("destinations:students"), data={"all": True})
+        self.assertEqual(403, response.status_code)
+
+        # Make us a superuser.
+        user2.is_superuser = True
+        user2.is_staff = True
+        user2.save()
+
+        response = self.client.get(reverse("destinations:students"))
+        self.assertEqual(200, response.status_code)
+        self.assertIn(user, response.context["object_list"])
+        self.assertNotIn(user2, response.context["object_list"])
+
+        # with the "all" parameter, this should return with user2 and user
+        response = self.client.get(reverse("destinations:students"), data={"all": True})
+        self.assertEqual(200, response.status_code)
+        self.assertIn(user, response.context["object_list"])
+        self.assertIn(user2, response.context["object_list"])
+        self.assertIn(user, response.context["object_list"])
+
+        user2.is_superuser = False
+        user2.is_staff = False
+        user2.save()
+
        user2.publish_data = True
        user2.save()

--- a/tjdests/apps/destinations/views.py
+++ b/tjdests/apps/destinations/views.py
@ -1,4 +1,5 @@
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.core.exceptions import PermissionDenied
 from django.db.models import Count, Q, QuerySet
 from django.shortcuts import get_object_or_404
 from django.views.generic import ListView
@ -14,9 +15,16 @@ class StudentDestinationListView(
    paginate_by = 20

    def get_queryset(self):
-        queryset = User.objects.filter(publish_data=True, is_senior=True).order_by(
-            "last_name", "first_name"
-        )
+        # Superusers can use the "all" GET parameter to see all data
+        if self.request.GET.get("all", None) is not None:
+            if self.request.user.is_superuser and self.request.user.is_staff:
+                queryset = User.objects.all()
+            else:
+                raise PermissionDenied()
+        else:
+            queryset = User.objects.filter(publish_data=True)
+
+        queryset = queryset.filter(is_senior=True).order_by("last_name", "first_name")

        college_id = self.request.GET.get("college", None)
        if college_id is not None: