Prevent to showing both adding user and importing user/group pages by…

… ordinary user.

CHANGELOG.md

@@ -7,6 +7,8 @@
 ### Changed
 
 ### Fixed
+* Prevent to showing both adding user and importing user/group pages by ordinary user.
+  Contributed by @userlocalhost, @hinashi
 
 ## v3.88.0
 

group/tests/test_view.py

@@ -434,7 +434,16 @@ def test_post_edit_by_guest(self):
 
         self.assertEqual(resp.status_code, 400)
 
-    def test_import_user_and_group(self):
+    def test_import_user_and_group_by_ordinary_user(self):
+        self.guest_login()
+
+        resp = self.client.get(reverse("group:import_user_and_group"))
+        self.assertEqual(resp.status_code, 400)
+        self.assertEqual(
+            resp.content.decode("utf-8"), "This page needs administrative permission to access"
+        )
+
+    def test_import_user_and_group_by_admin_user(self):
         self.admin_login()
 
         fp = self.open_fixture_file("import_user_and_group.yaml")

group/views.py

@@ -251,6 +251,7 @@ def export(request):
 
 
 @http_get
+@check_superuser
 def import_user_and_group(request):
     return render(request, "import_user_and_group.html", {})
 

user/tests/test_view.py

@@ -72,7 +72,16 @@ def test_create_get_without_login(self):
         resp = self.client.get(reverse("user:create"))
         self.assertEqual(resp.status_code, 303)
 
-    def test_create_get_with_login(self):
+    def test_create_get_with_login_by_normal_user(self):
+        self._guest_login()
+
+        resp = self.client.get(reverse("user:create"))
+        self.assertEqual(resp.status_code, 400)
+        self.assertEqual(
+            resp.content.decode("utf-8"), "This page needs administrative permission to access"
+        )
+
+    def test_create_get_with_login_by_admin_user(self):
         self._admin_login()
 
         resp = self.client.get(reverse("user:create"))

user/views.py

@@ -29,6 +29,7 @@ def index(request):
 
 
 @http_get
+@check_superuser
 def create(request):
     return render(request, "create_user.html")