Merge branch 'main' into liaisondetailscope

Author: jennifer-richards

ietf/liaisons/tests.py

@@ -942,17 +942,34 @@ def test_liaison_add_attachment(self):
         )
 
     def test_liaison_edit_attachment(self):
-
-        attachment = LiaisonStatementAttachmentFactory(document__name='liaiatt-1')
-        url = urlreverse('ietf.liaisons.views.liaison_edit_attachment', kwargs=dict(object_id=attachment.statement_id,doc_id=attachment.document_id))
+        attachment = LiaisonStatementAttachmentFactory(document__name="liaiatt-1")
+        url = urlreverse(
+            "ietf.liaisons.views.liaison_edit_attachment",
+            kwargs=dict(
+                object_id=attachment.statement_id, doc_id=attachment.document_id
+            ),
+        )
         login_testing_unauthorized(self, "secretary", url)
         r = self.client.get(url)
         self.assertEqual(r.status_code, 200)
-        post_data = dict(title='New Title')
-        r = self.client.post(url,post_data)
+        post_data = dict(title="New Title")
+        r = self.client.post(url, post_data)
         attachment = LiaisonStatementAttachment.objects.get(pk=attachment.pk)
         self.assertEqual(r.status_code, 302)
-        self.assertEqual(attachment.document.title,'New Title')
+        self.assertEqual(attachment.document.title, "New Title")
+
+        # ensure attempts to edit attachments not attached to this liaison statement fail
+        other_attachment = LiaisonStatementAttachmentFactory(document__name="liaiatt-2")
+        url = urlreverse(
+            "ietf.liaisons.views.liaison_edit_attachment",
+            kwargs=dict(
+                object_id=attachment.statement_id, doc_id=other_attachment.document_id
+            ),
+        )
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 404)
+        r = self.client.post(url, dict(title="New Title"))
+        self.assertEqual(r.status_code, 404)
 
     def test_liaison_delete_attachment(self):
         attachment = LiaisonStatementAttachmentFactory(document__name='liaiatt-1')

ietf/liaisons/urls.py

@@ -26,8 +26,8 @@
     url(r'^(?P<object_id>\d+)/$', views.liaison_detail),
     url(r'^(?P<object_id>\d+)/addcomment/$', views.add_comment),
     url(r'^(?P<object_id>\d+)/edit/$', views.liaison_edit),
-    url(r'^(?P<object_id>\d+)/edit-attachment/(?P<doc_id>[A-Za-z0-9._+-]+)$', views.liaison_edit_attachment),
-    url(r'^(?P<object_id>\d+)/delete-attachment/(?P<attach_id>[A-Za-z0-9._+-]+)$', views.liaison_delete_attachment),
+    url(r'^(?P<object_id>\d+)/edit-attachment/(?P<doc_id>[0-9]+)$', views.liaison_edit_attachment),
+    url(r'^(?P<object_id>\d+)/delete-attachment/(?P<attach_id>[0-9]+)$', views.liaison_delete_attachment),
     url(r'^(?P<object_id>\d+)/history/$', views.liaison_history),
     url(r'^(?P<object_id>\d+)/reply/$', views.liaison_reply),
     url(r'^(?P<object_id>\d+)/resend/$', views.liaison_resend),

ietf/liaisons/views.py

@@ -7,15 +7,14 @@
 
 from django.contrib import messages
 from django.urls import reverse as urlreverse
-from django.core.exceptions import ValidationError, PermissionDenied
+from django.core.exceptions import ValidationError, ObjectDoesNotExist, PermissionDenied
 from django.core.validators import validate_email
 from django.db.models import Q, Prefetch
-from django.http import HttpResponse
+from django.http import Http404, HttpResponse
 from django.shortcuts import render, get_object_or_404, redirect
 
 import debug                            # pyflakes:ignore
 
-from ietf.doc.models import Document
 from ietf.ietfauth.utils import role_required, has_role
 from ietf.group.models import Group, Role
 from ietf.liaisons.models import (LiaisonStatement,LiaisonStatementEvent,
@@ -450,7 +449,11 @@ def liaison_edit(request, object_id):
 def liaison_edit_attachment(request, object_id, doc_id):
     '''Edit the Liaison Statement attachment title'''
     liaison = get_object_or_404(LiaisonStatement, pk=object_id)
-    doc = get_object_or_404(Document, pk=doc_id)
+    try:
+       doc = liaison.attachments.get(pk=doc_id)
+    except ObjectDoesNotExist:
+        raise Http404
+
     if not can_edit_liaison(request.user, liaison):
         permission_denied(request, "You are not authorized for this action.")