From baabf8423486d8f7974dbf727ff7925adf9a3ebd Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 6 Jul 2025 20:49:23 +0930 Subject: [PATCH] fix(settings): AppSettings requires super user perms ref: #855 #834 --- app/access/mixins/permissions.py | 5 + .../additional_appsettings_permissions_api.py | 126 ++++++++++++++++++ 2 files changed, 131 insertions(+) diff --git a/app/access/mixins/permissions.py b/app/access/mixins/permissions.py index 5236d980..31a93922 100644 --- a/app/access/mixins/permissions.py +++ b/app/access/mixins/permissions.py @@ -290,6 +290,11 @@ class OrganizationPermissionMixin( view.model.__name__ == 'AuthToken' and request._user.id == int(view.kwargs.get('model_id', 0)) ) + or ( # org=None is the application wide settings. + view.model.__name__ == 'AppSettings' + and request.user.is_superuser + and obj.organization is None + ) ): return True diff --git a/app/settings/tests/functional/additional_appsettings_permissions_api.py b/app/settings/tests/functional/additional_appsettings_permissions_api.py index 5a79e0a6..bd1aa399 100644 --- a/app/settings/tests/functional/additional_appsettings_permissions_api.py +++ b/app/settings/tests/functional/additional_appsettings_permissions_api.py @@ -1,5 +1,7 @@ import pytest +from django.test import Client + class AdditionalTestCases: 
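Review bot: The new `or ( ... )` clause is a grant, not a restriction: it returns True for a superuser on an AppSettings object whose `organization` is None, while nothing in this hunk denies non-superusers, so the "requires super user perms" behaviour named in the subject must come from code outside the diff (the enclosing method starts and ends outside the hunk, so this cannot be confirmed here). The new tests create the record with `'organization': api_request_permissions['tenancy']['user']`, i.e. an org-scoped instance, so the `obj.organization is None` branch added here is not exercised by them; a test against the application-wide (org=None) record would pin it. Two smaller points: matching the model by class-name string (`view.model.__name__ == 'AppSettings'`) would also match any other model with that name, so comparing against the model class itself is safer; and the clause reads `request.user` where the adjacent existing line reads `request._user`, so one attribute should be used consistently, with a comment saying why if they are intentionally different.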
@@ -33,6 +35,130 @@ class AdditionalTestCases: + def test_permission_change(self, model_instance, api_request_permissions): + """ Check correct permission for change + + Make change with user who has change permission + """ + + client = Client() + + client.force_login( api_request_permissions['user']['change'] ) + + change_item = model_instance( + kwargs_create = { + 'organization': api_request_permissions['tenancy']['user'] + }, + ) + + response = client.patch( + path = change_item.get_url( many = False ), + data = self.change_data, + content_type = 'application/json' + ) + + if response.status_code == 405: + pytest.xfail( reason = 'ViewSet does not have this request method.' ) + + assert response.status_code == 403, response.content + + + + def test_permission_change_super_user_only(self, model_instance, api_request_permissions): + """ Check correct permission for change + + Make change with user who has change permission + """ + + client = Client() + + api_request_permissions['user']['change'].is_superuser = True + api_request_permissions['user']['change'].save() + + client.force_login( api_request_permissions['user']['change'] ) + + change_item = model_instance( + kwargs_create = { + 'organization': api_request_permissions['tenancy']['user'] + }, + ) + + response = client.patch( + path = change_item.get_url( many = False ), + data = self.change_data, + content_type = 'application/json' + ) + + api_request_permissions['user']['change'].is_superuser = False + api_request_permissions['user']['change'].save() + + if response.status_code == 405: + pytest.xfail( reason = 'ViewSet does not have this request method.' 
) + + assert response.status_code == 200, response.content + + + + def test_permission_view(self, model_instance, api_request_permissions): + """ Check correct permission for view + + Attempt to view as user with view permission + """ + + client = Client() + + client.force_login( api_request_permissions['user']['view'] ) + + view_item = model_instance( + kwargs_create = { + 'organization': api_request_permissions['tenancy']['user'] + } + ) + + response = client.get( + path = view_item.get_url( many = False ) + ) + + if response.status_code == 405: + pytest.xfail( reason = 'ViewSet does not have this request method.' ) + + assert response.status_code == 403, response.content + + + + def test_permission_view_super_user_only(self, model_instance, api_request_permissions): + """ Check correct permission for view + + Attempt to view as user with view permission + """ + + client = Client() + + api_request_permissions['user']['view'].is_superuser = True + api_request_permissions['user']['view'].save() + + client.force_login( api_request_permissions['user']['view'] ) + + view_item = model_instance( + kwargs_create = { + 'organization': api_request_permissions['tenancy']['user'] + } + ) + + response = client.get( + path = view_item.get_url( many = False ) + ) + + api_request_permissions['user']['view'].is_superuser = False + api_request_permissions['user']['view'].save() + + if response.status_code == 405: + pytest.xfail( reason = 'ViewSet does not have this request method.' ) + + assert response.status_code == 200, response.content + + + def test_returned_results_only_user_orgs(self): """Returned results check
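Review bot: In `test_permission_change_super_user_only` and `test_permission_view_super_user_only` the `is_superuser = False` reset after the request is not protected, so if `force_login`, `client.patch` or `client.get` raises, the fixture user is left as a superuser and later tests sharing `api_request_permissions` can pass for the wrong reason; the reset belongs in a `finally:` (or the flag should be set by a dedicated fixture). The docstrings of both super-user tests are copied from the non-superuser cases (`Make change with user who has change permission`) and should state what is asserted, e.g. `Change succeeds (200) only once the change-permission user is also a superuser`. The 403 assertions for the regular change/view users are correct only if the superuser-only restriction already exists outside this diff, since the permissions hunk in this commit only adds a grant.
```python
        api_request_permissions['user']['change'].is_superuser = True
        api_request_permissions['user']['change'].save()
        try:
            client.force_login( api_request_permissions['user']['change'] )
            # … unchanged: model_instance(...) and client.patch(...) …
        finally:
            # Always restore the fixture user, even if the request raised.
            api_request_permissions['user']['change'].is_superuser = False
            api_request_permissions['user']['change'].save()
```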