condition replaced by exception handling in permission checks

simonkern · Jan 5, 2023 · 922b498 · 922b498
1 parent 07cc1b0
commit 922b498
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 9 deletions.
diff --git a/hijack/permissions.py b/hijack/permissions.py
@@ -1,8 +1,9 @@
 def superusers_only(*, hijacker, hijacked):
     """Superusers may hijack any other user."""
-    if not hijacked:
+    try:
+        return hijacked.is_active and hijacker.is_superuser
+    except AttributeError:
         return False
-    return hijacked.is_active and hijacker.is_superuser
 
 
 def superusers_and_staff(*, hijacker, hijacked):
@@ -12,13 +13,14 @@ def superusers_and_staff(*, hijacker, hijacked):
     A superuser may hijack any other user.
     A staff member may hijack any user, except another staff member or superuser.
     """
-    if not hijacked:
-        return False
+    try:
+        if not hijacked.is_active:
+            return False
 
-    if not hijacked.is_active:
-        return False
+        if hijacker.is_superuser:
+            return True
 
-    if hijacker.is_superuser:
-        return True
+        return hijacker.is_staff and not (hijacked.is_staff or hijacked.is_superuser)
 
-    return hijacker.is_staff and not (hijacked.is_staff or hijacked.is_superuser)
+    except AttributeError:
+        return False
diff --git a/hijack/tests/test_permissions.py b/hijack/tests/test_permissions.py
@@ -3,15 +3,23 @@
 
 from hijack import permissions
 
+from .test_app.models import Post
+
 superuser = get_user_model()(is_superuser=True)
 staff_member = get_user_model()(is_staff=True)
 regular_user = get_user_model()()
 inactive_user = get_user_model()(is_active=False)
+post = Post()  # lacks all attributes used in permission checks
 
 
 @pytest.mark.parametrize(
     "hijacker, hijacked, has_perm",
     [
+        (post, None, False),
+        (post, superuser, False),
+        (post, staff_member, False),
+        (post, regular_user, False),
+        (post, inactive_user, False),
         (superuser, None, False),
         (superuser, superuser, True),
         (superuser, staff_member, True),
@@ -36,6 +44,11 @@ def test_superusers_only(hijacker, hijacked, has_perm):
 @pytest.mark.parametrize(
     "hijacker, hijacked, has_perm",
     [
+        (post, None, False),
+        (post, superuser, False),
+        (post, staff_member, False),
+        (post, regular_user, False),
+        (post, inactive_user, False),
         (superuser, None, False),
         (superuser, superuser, True),
         (superuser, staff_member, True),