Improved acess checks for Bericht views

src/open_inwoner/berichten/urls.py

@@ -1,14 +1,14 @@
 from django.urls import path
 
-from .views import BerichtDetailView, BerichtListView, mark_bericht_as_unread
+from .views import BerichtDetailView, BerichtListView, MarkBerichtUnreadView
 
 app_name = "berichten"
 
 urlpatterns = [
     path("<uuid:object_uuid>/", BerichtDetailView.as_view(), name="detail"),
     path(
         "<uuid:object_uuid>/mark-unread",
-        mark_bericht_as_unread,
+        MarkBerichtUnreadView.as_view(),
         name="mark-bericht-unread",
     ),
     path("", BerichtListView.as_view(), name="list"),

src/open_inwoner/berichten/views/__init__.py

@@ -1,4 +1,4 @@
-from .bericht_detail import BerichtDetailView, mark_bericht_as_unread
+from .bericht_detail import BerichtDetailView, MarkBerichtUnreadView
 from .bericht_list import BerichtListView
 
-__all__ = ["BerichtDetailView", "BerichtListView", "mark_bericht_as_unread"]
+__all__ = ["BerichtDetailView", "BerichtListView", "MarkBerichtUnreadView"]

src/open_inwoner/berichten/views/bericht_detail.py

@@ -1,7 +1,5 @@
 import logging
 
-from django.contrib.auth.decorators import login_required
-from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import HttpResponseRedirect
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -11,13 +9,17 @@
 from view_breadcrumbs import BaseBreadcrumbMixin
 
 from open_inwoner.berichten.services import BerichtenService
+from open_inwoner.berichten.views.mixins import BerichtAccessMixin
 from open_inwoner.utils.views import CommonPageMixin
 
 logger = logging.getLogger(__name__)
 
 
 class BerichtDetailView(
-    CommonPageMixin, BaseBreadcrumbMixin, TemplateView, LoginRequiredMixin
+    CommonPageMixin,
+    BaseBreadcrumbMixin,
+    TemplateView,
+    BerichtAccessMixin,
 ):
 
     template_name = "pages/berichten/detail.html"
@@ -35,16 +37,15 @@ def page_title(self):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         service = BerichtenService()
-        bericht = service.fetch_bericht(self.kwargs["object_uuid"])
-        context["bericht"] = bericht
-        if not bericht.geopend:
+        context["bericht"] = self.bericht
+        if not self.bericht.geopend:
             service.update_object(self.kwargs["object_uuid"], {"geopend": True})
 
         return context
 
 
-@login_required
-def mark_bericht_as_unread(request, object_uuid):
-    service = BerichtenService()
-    service.update_object(object_uuid, {"geopend": False})
-    return HttpResponseRedirect(reverse("berichten:list"))
+class MarkBerichtUnreadView(BerichtAccessMixin):
+    def get(self, *args, **kwargs):
+        service = BerichtenService()
+        service.update_object(self.kwargs["object_uuid"], {"geopend": False})
+        return HttpResponseRedirect(reverse("berichten:list"))

src/open_inwoner/berichten/views/bericht_list.py

@@ -8,12 +8,18 @@
 from view_breadcrumbs import BaseBreadcrumbMixin
 
 from open_inwoner.berichten.services import BerichtenService
+from open_inwoner.berichten.views.mixins import RequireBsnMixin
 from open_inwoner.utils.views import CommonPageMixin
 
 logger = logging.getLogger(__name__)
 
 
-class BerichtListView(CommonPageMixin, BaseBreadcrumbMixin, TemplateView):
+class BerichtListView(
+    CommonPageMixin,
+    BaseBreadcrumbMixin,
+    RequireBsnMixin,
+    TemplateView,
+):
 
     template_name = "pages/berichten/list.html"
 
@@ -29,7 +35,7 @@ def page_title(self):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         service = BerichtenService()
-        if self.request.user.is_authenticated and (bsn := self.request.user.bsn):
-            context["berichten"] = service.fetch_berichten_for_bsn(bsn)
+        bsn = self.request.user.bsn if hasattr(self.request.user, "bsn") else None
+        context["berichten"] = service.fetch_berichten_for_bsn(bsn) if bsn else []
 
         return context

src/open_inwoner/berichten/views/mixins.py

@@ -0,0 +1,54 @@
+from django.contrib.auth.mixins import AccessMixin
+from django.http import HttpRequest
+from django.template.response import TemplateResponse
+from django.views import View
+
+from open_inwoner.berichten.api_models import Bericht
+from open_inwoner.berichten.services import BerichtenService
+
+
+class RequireBsnMixin(AccessMixin, View):
+
+    request: HttpRequest
+    bericht: Bericht
+
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
+        if not request.user.bsn:
+            return self.handle_no_permission()
+
+        return super().dispatch(request, *args, **kwargs)
+
+    def handle_no_permission(self):
+        if self.request.user.is_authenticated:
+            return TemplateResponse(self.request, "pages/cases/403.html")
+
+        return super().handle_no_permission()
+
+
+class BerichtAccessMixin(AccessMixin, View):
+
+    request: HttpRequest
+    bericht: Bericht
+
+    def dispatch(self, request, *args, **kwargs):
+        if not (bsn := getattr(request.user, "bsn", None)):
+            return super().handle_no_permission()
+
+        service = BerichtenService()
+        self.bericht = service.fetch_bericht(self.kwargs["object_uuid"])
+        if (
+            self.bericht.identificatie.type != "bsn"
+            or self.bericht.identificatie.value != bsn
+        ):
+            return self.handle_no_permission()
+
+        return super().dispatch(request, *args, **kwargs)
+
+    def handle_no_permission(self):
+        if self.request.user.is_authenticated:
+            return TemplateResponse(self.request, "pages/cases/403.html")
+
+        return super().handle_no_permission()