[damned-lies] Limit docs building to team members



commit 478028e4f04f9a30d748759d6b4c43635f47f4d4
Author: Claude Paroz <claude 2xlibre net>
Date:   Wed Jun 30 09:02:06 2021 +0200

    Limit docs building to team members

 templates/vertimus/vertimus_detail.html |  6 +++++-
 vertimus/tests/tests.py                 |  4 ++++
 vertimus/views.py                       | 14 ++++++++++----
 3 files changed, 19 insertions(+), 5 deletions(-)
---
diff --git a/templates/vertimus/vertimus_detail.html b/templates/vertimus/vertimus_detail.html
index 7a29273c..bb8ca6a1 100644
--- a/templates/vertimus/vertimus_detail.html
+++ b/templates/vertimus/vertimus_detail.html
@@ -239,7 +239,11 @@ $(document).ready(function() {
           {% endif %}
           {% if action.can_build %}
             {% if action.build_url %}<a href="{{ action.build_url }}">{% trans "Help index" %}</a>
-            {% else %}<form method="post" action="{% url 'action-build-help' action.pk %}">{% csrf_token 
%}<button>{% trans "Build help" %}</button></form>
+            {% elif is_team_member %}
+                <form method="post" action="{% url 'action-build-help' action.pk %}">
+                    {% csrf_token %}
+                    <button>{% trans "Build help" %}</button>
+                </form>
             {% endif %}
           {% endif %}
           <div style="text-align: right">{% trans "diff with:" %}
diff --git a/vertimus/tests/tests.py b/vertimus/tests/tests.py
index 362df2cb..6b1dd599 100644
--- a/vertimus/tests/tests.py
+++ b/vertimus/tests/tests.py
@@ -815,6 +815,9 @@ class DocsBuildingTests(TeamsAndRolesMixin, TestModuleBase):
         self.assertIsNone(action.build_url)
         with patch('stats.models.Branch.checkout'):
             response = self.client.post(reverse('action-build-help', args=[action.pk]))
+            self.assertEqual(response.status_code, 403)
+            self.client.force_login(self.pt)
+            response = self.client.post(reverse('action-build-help', args=[action.pk]))
         self.assertRedirects(
             response, '/HTML/%d/index.html' % action.pk, fetch_redirect_response=False
         )
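Review bot: The new 403 assertion exercises only whichever login state the test client is in before `force_login(self.pt)`, and that state is set above the hunk. The view check in this commit rejects three distinct cases: anonymous, a language with no team, and an authenticated non-member. A second rejected request from the other login state would pin the check more tightly. It would also help to bind the mock with `with patch('stats.models.Branch.checkout') as checkout:` and add `checkout.assert_not_called()` after the 403, so the test proves a refused request never reaches the checkout.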
@@ -837,6 +840,7 @@ class DocsBuildingTests(TeamsAndRolesMixin, TestModuleBase):
             action.apply_on(state, {'send_to_ml': action.send_mail_to_ml, 'comment': "Done by translator."})
         self.assertTrue(action.can_build)
         self.assertIsNone(action.build_url)
+        self.client.force_login(self.pt)
         with patch('stats.models.Branch.checkout'):
             response = self.client.post(reverse('action-build-help', args=[action.pk]))
         self.assertRedirects(
diff --git a/vertimus/views.py b/vertimus/views.py
index 83c169bb..c749935f 100644
--- a/vertimus/views.py
+++ b/vertimus/views.py
@@ -9,7 +9,9 @@ from xml.dom.minidom import parse
 
 from django.conf import settings
 from django.contrib import messages
-from django.http import HttpResponseRedirect, Http404, StreamingHttpResponse
+from django.http import (
+    Http404, HttpResponseRedirect, HttpResponseForbidden, StreamingHttpResponse,
+)
 from django.shortcuts import render, get_object_or_404
 from django.urls import reverse
 from django.utils.html import escape
@@ -82,11 +84,10 @@ def vertimus(request, branch, domain, language, stats=None, level="0"):
     grandparent_level = level + 1 if sequence_grandparent else None
 
     action_form = None
-    if request.user.is_authenticated and level == 0:
+    person = request.user.person if request.user.is_authenticated else None
+    if person and level == 0:
         # Only authenticated user can act on the translation and it's not
         # possible to edit an archived workflow
-        person = request.user.person
-
         available_actions = state.get_available_actions(person)
         has_ml = bool(language.team.mailing_list) if language.team else False
         if request.method == 'POST':
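Review bot: `request.user.person` is now read for every authenticated request, where before it was read only when `level == 0`. If that related lookup can fail for an account that has no Person row (not visible from this hunk), archived-level pages would start raising for such an account. The same unguarded access appears in the new check in `BuildTranslatedDocsView`, where it would produce a 500 instead of the intended 403. A guarded form such as `person = getattr(request.user, 'person', None) if request.user.is_authenticated else None` would cover this. The function body continues outside the hunk.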
@@ -139,6 +140,7 @@ def vertimus(request, branch, domain, language, stats=None, level="0"):
         'module': branch.module,
         'non_standard_repo_msg': _(settings.VCS_HOME_WARNING),
         'state': state,
+        'is_team_member': person and language.team and person.is_translator(language.team),
         'action_history': action_history,
         'action_form': action_form,
         'level': level,
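Review bot: The membership predicate on the `'is_team_member'` line is written out a second time in `BuildTranslatedDocsView` (`not request.user.is_authenticated or not team or not request.user.person.is_translator(team)`). The template's button visibility and the server-side enforcement can therefore drift apart if only one is edited. A small shared helper taking the user and the team would keep the two in agreement. As a smaller style point, the expression evaluates to `None` rather than `False` for anonymous users or team-less languages; wrapping it in `bool(...)`, as `has_ml` does earlier in the same function, would make the context value a plain boolean.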
@@ -421,6 +423,10 @@ class BuildTranslatedDocsView(PoFileActionBase):
             return HttpResponseRedirect(self.action.build_url)
 
         state = self.action.state_db
+        team = state.language.team
+        if not request.user.is_authenticated or not team or not request.user.person.is_translator(team):
+            return HttpResponseForbidden('Only team members can build docs.')
+
         with ModuleLock(state.branch.module):
             state.branch.checkout()
             error_message = self.build_docs(state, pofile, html_dir)
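Review bot: The authorisation check runs after `pofile` and `html_dir` have been prepared rather than at the top of the method. Both names are defined above the hunk, so what that preparation costs is not visible here. Placing the check first, or in `dispatch`, means a refused request does no work and later edits cannot slip side effects in ahead of it. The message `'Only team members can build docs.'` is also not passed through `_()`, unlike the `_(settings.VCS_HOME_WARNING)` string elsewhere in this module.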

