| -rw-r--r-- | ishtar_common/backend.py | 5 | ||||
| -rw-r--r-- | ishtar_common/tests.py | 30 | 
2 files changed, 34 insertions, 1 deletions
|
diff --git a/ishtar_common/backend.py b/ishtar_common/backend.py
index 39df9017a..cef1f0fa2 100644
--- a/ishtar_common/backend.py
+++ b/ishtar_common/backend.py
@@ -36,7 +36,10 @@ class ObjectPermBackend(ModelBackend):
         if not user_obj.is_authenticated():
             return False
         if not model:
-            # let it manage by the default backend
+            if user_obj.is_staff:
+                # let it manage by the default backend
+                return super(ObjectPermBackend, self).has_perm(
+                    user_obj=user_obj, perm=perm, obj=obj)
             return False
         try:
             ishtar_user = models.IshtarUser.objects.get(user_ptr=user_obj)
diff --git a/ishtar_common/tests.py b/ishtar_common/tests.py
index 2bd4afef1..4596f9b5e 100644
--- a/ishtar_common/tests.py
+++ b/ishtar_common/tests.py
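Review bot: The new `if user_obj.is_staff:` branch under `if not model:` carries no comment saying why delegation to the stock `ModelBackend` is limited to staff accounts, and the `return False` that follows it reads as a denial. In Django a backend that returns False only defers to the next entry in `AUTHENTICATION_BACKENDS`, so whether non-staff users are really refused these permissions depends on the backend list in settings, which is not visible here. I would put `# model is unset: only staff (admin site) accounts fall back to stock Django permissions` above the branch and `# not a hard deny, other configured backends are still consulted` on the fall-through. `has_perm` starts before this hunk and continues after it.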
@@ -1172,6 +1172,36 @@ class AccessControlTest(TestCase):
             ).count(), 1
         )
+    def test_django_admin(self):
+        username, password = "myusername", "mypassword"
+        __, __, user = create_user(username=username, password=password)
+        user.is_superuser = False
+        user.is_staff = False
+        user.save()
+        client = Client()
+
+        url = "/admin/"
+        client.login(username=username, password=password)
+        response = client.get(url)
+        self.assertRedirects(response, "/admin/login/?next={}".format(url))
+
+        User.objects.filter(username='myusername').update(is_staff=True)
+        client.logout()
+        client.login(username=username, password=password)
+        response = client.get(url)
+        self.assertEqual(response.status_code, 200)
+
+        url += "ishtar_common/persontype/"
+        response = client.get(url)
+        self.assertEqual(response.status_code, 403)
+
+        user.user_permissions.add(Permission.objects.get(
+            codename='change_persontype'))
+        client.logout()
+        client.login(username=username, password=password)
+        response = client.get(url)
+        self.assertEqual(response.status_code, 200)
+
 class UserProfileTest(TestCase):
     fixtures = OPERATION_FIXTURES
|
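Review bot: The three `client.login(...)` calls in `test_django_admin` discard their return value, so the first check (redirect to `/admin/login/`) would also pass if the login itself failed and would then say nothing about an authenticated non-staff user. Assert it each time: `self.assertTrue(client.login(username=username, password=password))`. The test also covers only the staff branch of the backend change; a case where a non-staff user is given `change_persontype` and is expected to be refused would pin the `return False` path. `Permission.objects.get(codename='change_persontype')` matches on codename alone and would raise if another app defined the same codename, so filtering on the content type's app label as well is safer.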
