Skip to content

fix(crm): require change permission for customer user invites#3847

Merged
nijel merged 3 commits into
mainfrom
codex/fix-customer-user-invitation-permission-issue
May 26, 2026
Merged

fix(crm): require change permission for customer user invites#3847
nijel merged 3 commits into
mainfrom
codex/fix-customer-user-invitation-permission-issue

Conversation

@nijel

@nijel nijel commented May 26, 2026

Copy link
Copy Markdown
Member

Motivation

  • The customer detail view exposed a mutating add_customer_user POST action while the view was protected only by the read permission payments.view_customer, allowing read-only staff to provision/link users to customers.
  • Customer.users membership grants access to sensitive self-service data, so adding users must require a stronger write-level permission.
  • The change aims to prevent privilege escalation by requiring an explicit write permission before performing the invite/link operation.

Description

  • Require payments.change_customer before executing the add_customer_user mutation by adding a check_add_customer_user_permission guard in weblate_web/crm/views.py and calling it at the start of add_customer_user.
  • Add a context flag can_add_customer_user in CustomerDetailView.get_context_data to expose whether the current user has the change permission.
  • Hide the Add-user form in weblate_web/crm/templates/payments/customer_detail.html unless can_add_customer_user is true.
  • Add two regression tests in weblate_web/crm/tests.py verifying that a read-only staff user (with only view_customer) does not see the form and receives HTTP 403 when POSTing the add action.

Testing

  • Ran pytest -q weblate_web/crm/tests.py -k 'readonly_staff or adds_hosted_user' and the selected tests passed: 3 passed, 93 deselected.
  • The hosted-user invite tests exercised the successful invite path and still pass under the new permission guard when executed with a user that has the required permissions.
  • No other test suites were run as part of this change; the modification is intentionally minimal to restrict authorization for the new mutation.

Codex Task

@argos-ci

argos-ci Bot commented May 26, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build Status Details Updated (UTC)
default (Inspect) ✅ No changes detected - May 26, 2026, 6:03 PM

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens authorization around the CRM “Add user to customer” action to prevent read-only staff (with only payments.view_customer) from performing a mutating invite/link operation that grants access to customer self-service data.

Changes:

  • Enforce payments.change_customer before executing the add_customer_user POST mutation in CustomerDetailView.
  • Add a can_add_customer_user context flag and hide the add-user form in the customer detail template when the user lacks the change permission.
  • Add regression tests for read-only staff UI hiding and POST rejection.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
weblate_web/crm/views.py Adds a permission guard for the add-customer-user mutation and exposes a context flag for template gating.
weblate_web/crm/tests.py Adds regression tests asserting read-only staff can’t see or perform the add-user action.
weblate_web/crm/templates/payments/customer_detail.html Hides the add-user form unless the view indicates the user has payments.change_customer.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread weblate_web/crm/tests.py Outdated
Comment thread weblate_web/crm/tests.py
Comment thread weblate_web/crm/views.py
Comment thread weblate_web/crm/tests.py
@codecov

codecov Bot commented May 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.58%. Comparing base (2da36a2) to head (cf6a673).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3847      +/-   ##
==========================================
- Coverage   88.60%   88.58%   -0.02%     
==========================================
  Files          71       71              
  Lines       10834    10856      +22     
  Branches      952      953       +1     
==========================================
+ Hits         9599     9617      +18     
- Misses        909      913       +4     
  Partials      326      326              
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

nijel and others added 2 commits May 26, 2026 19:52
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@nijel nijel merged commit b3d2c6f into main May 26, 2026
37 of 38 checks passed
@nijel nijel deleted the codex/fix-customer-user-invitation-permission-issue branch May 26, 2026 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants