apps/votes/dashboard: show code generation only to admins

meinberlin/apps/votes/dashboard.py

@@ -38,6 +38,7 @@ class GenerateVotesComponent(DashboardComponent):
     identifier = 'voting_token_generation'
     weight = 49
     label = _('Generate voting codes')
+    for_superuser_only = True
 
     def is_effective(self, module):
         return module.blueprint_type == 'PB3'

meinberlin/apps/votes/views.py

@@ -111,7 +111,7 @@ class VotingGenerationDashboardView(
           'You are allowed to generate {} more.'),
         _('Only {} tokens are allowed per module. '
           'You are allowed to generate {} more.'))
-    permission_required = 'a4projects.change_project'
+    permission_required = 'is_superuser'
     template_name = 'meinberlin_votes/voting_code_dashboard.html'
 
     def _get_number_of_tokens(self):

meinberlin/templates/a4dashboard/includes/nav_modules_item.html

@@ -23,6 +23,7 @@
         <div class="dashboard-nav__menu-content">
             <ul>
             {% for item in module_menu.menu %}
+                {% if not item.for_superuser_only or request.user.is_superuser %}
                 <li class="dashboard-nav__page">
                     <a href="{{ item.url }}"
                        class="dashboard-nav__item dashboard-nav__item--interactive {{ item.is_active|yesno:"is-active," }}">
@@ -32,6 +33,7 @@
                         {% endif %}
                     </a>
                 </li>
+                {% endif %}
             {% endfor %}
             </ul>
         </div>

tests/votes/dashboard_components/test_token_generation.py

@@ -16,7 +16,7 @@
 @patch('meinberlin.apps.votes.tasks.BATCH_SIZE', 10)
 @pytest.mark.django_db
 def test_token_generate_view(client, phase_factory, module_factory,
-                             voting_token_factory):
+                             voting_token_factory, admin):
     phase, module, project, item = setup_phase(
         phase_factory, None, VotingPhase)
     other_module = module_factory()
@@ -25,10 +25,15 @@ def test_token_generate_view(client, phase_factory, module_factory,
     voting_token_factory(module=module, is_active=False)
     voting_token_factory(module=other_module)
 
+    # initiator cannot access token generation view
     initiator = module.project.organisation.initiators.first()
     url = component.get_base_url(module)
     client.login(username=initiator.email, password='password')
     response = client.get(url)
+    assert response.status_code == 403
+    # admin can access view and generate tokens
+    client.login(username=admin.email, password='password')
+    response = client.get(url)
     assert response.status_code == 200
     assert 'number_of_module_tokens' in response.context
     number_of_module_tokens = response.context['number_of_module_tokens']
@@ -55,16 +60,14 @@ def test_token_generate_view(client, phase_factory, module_factory,
 @patch('meinberlin.apps.votes.views.TOKENS_PER_MODULE', 5)
 @pytest.mark.django_db
 def test_token_generate_view_max_validation(
-        client, phase_factory, voting_token_factory, rf):
+        client, phase_factory, voting_token_factory, rf, admin):
     phase, module, project, item = setup_phase(
         phase_factory, None, VotingPhase)
-    initiator = module.project.organisation.initiators.first()
     voting_token_factory(module=module)
     voting_token_factory(module=module)
 
-    initiator = module.project.organisation.initiators.first()
     url = component.get_base_url(module)
-    client.login(username=initiator.email, password='password')
+    client.login(username=admin.email, password='password')
     data = {
         'number_of_tokens': 5
     }