[fix] Fixed authorization bug in get_default_templates view openwisp#420

A non-superuser can only request default templates for organizations
it manages

Closes openwisp#420

openwisp_controller/config/admin.py

@@ -471,7 +471,7 @@ def get_urls(self):
         return [
             url(
                 r'^config/get-default-templates/(?P<organization_id>[^/]+)/$',
-                get_default_templates,
+                self.admin_site.admin_view(get_default_templates),
                 name='get_default_templates',
             ),
             url(

openwisp_controller/config/tests/test_views.py

@@ -103,12 +103,46 @@ def test_get_default_templates_with_backend_filtering(self):
         self.assertIn(str(t1.pk), templates)
         self.assertNotIn(str(t2.pk), templates)
 
-    def test_get_default_templates_403(self):
+    def test_get_default_templates_authorization(self):
         org1 = self._create_org(name='org1')
-        response = self.client.get(
-            reverse('admin:get_default_templates', args=[org1.pk])
-        )
-        self.assertEqual(response.status_code, 403)
+        with self.subTest('Unauthenticated user'):
+            # Unauthenticated users will be redirected to login page
+            response = self.client.get(
+                reverse('admin:get_default_templates', args=[org1.pk])
+            )
+            self.assertEqual(response.status_code, 302)
+
+        with self.subTest('Authenticated non-staff user'):
+            # Non-staff users will be redirected to login page of admin
+            # and will be asked to login with a staff account
+            user = self._create_user()
+            self.client.force_login(user)
+            response = self.client.get(
+                reverse('admin:get_default_templates', args=[org1.pk])
+            )
+            self.assertEqual(response.status_code, 302)
+            response = self.client.get(
+                reverse('admin:get_default_templates', args=[org1.pk]), follow=True
+            )
+            self.assertContains(response, 'not authorized')
+
+        with self.subTest('User requests data of other organization'):
+            org_owner = self._create_org_owner()
+            user = org_owner.organization_user.user
+            user.is_staff = True
+            user.save()
+            self.client.force_login(user)
+            response = self.client.get(
+                reverse('admin:get_default_templates', args=[org1.pk])
+            )
+            self.assertEqual(response.status_code, 403)
+
+        with self.subTest('Superuser requests data for any organization'):
+            self._login()
+            response = self.client.get(
+                reverse('admin:get_default_templates', args=[org1.pk])
+            )
+            self.assertEqual(response.status_code, 200)
 
     def test_get_default_templates_404(self):
         self._login()

openwisp_controller/config/views.py

@@ -22,8 +22,7 @@ def get_default_templates(request, organization_id):
     """
     backend = request.GET.get("backend", None)
     user = request.user
-    authenticated = user.is_authenticated
-    if not authenticated and not user.is_staff:
+    if not user.is_superuser and not user.is_manager(organization_id):
         return HttpResponse(status=403)
     org = get_object_or_404(Organization, pk=organization_id, is_active=True)
     templates = get_default_templates_queryset(org.pk, backend, model=Template).only(