Merge pull request #1208 from NHSDigital/12478-redirect-to-admin

Redirect superusers to /admin on login

Author: malcolmbaig

manage_breast_screening/auth/demo_views.py

@@ -18,9 +18,9 @@
 @csrf_exempt
 @login_not_required
 def persona_login(request):
-    next_path = extract_relative_redirect_url(
-        request, parameter_name="next", default="/"
-    )
+    next_path = extract_relative_redirect_url(request, parameter_name="next")
+    if next_path == "/":
+        next_path = None
 
     if request.method == "POST":
         try:
@@ -34,8 +34,8 @@ def persona_login(request):
         now = timezone.now()
         request.session["login_time"] = now.isoformat()
 
-        if request.user.is_superuser:
-            redirect_url = next_path
+        if request.user.is_superuser and not next_path:
+            redirect_url = reverse("admin:index")
         else:
             redirect_url = reverse("select_provider")
             if next_path:

manage_breast_screening/auth/tests/test_views.py

@@ -18,6 +18,7 @@ def personas():
             nhs_uid=persona.username,
             first_name=persona.first_name,
             last_name=persona.last_name,
+            is_superuser=persona.is_superuser,
         )
         UserAssignmentFactory(
             user=user,
@@ -51,6 +52,36 @@ def test_post_persona_login(client):
     assert response.headers["location"] == "/current-provider/select/?next=%2Fsome-url"
 
 
+@pytest.mark.django_db
+def test_post_persona_login_superuser_redirects_to_admin(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/admin/"
+
+
+@pytest.mark.django_db
+def test_post_persona_login_superuser_with_root_next_redirects_to_admin(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains", "next": "/"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/admin/"
+
+
+@pytest.mark.django_db
+def test_post_persona_login_superuser_with_next_redirects_to_select_provider(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains", "next": "/some-url"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/current-provider/select/?next=%2Fsome-url"
+
+
 @pytest.mark.django_db
 @override_settings(CIS2_ACR_VALUES="some-test-acr-value")
 def test_cis2_login_uses_configured_acr_values(client, monkeypatch):
@@ -187,6 +218,7 @@ def test_accepts_valid_assurance_levels(
 
             mock_user = Mock()
             mock_user.nhs_uid = "user-123"
+            mock_user.is_superuser = False
             mock_authenticate = Mock(return_value=mock_user)
             mock_login = Mock()
 
@@ -208,3 +240,24 @@ def test_accepts_valid_assurance_levels(
                 ANY, cis2_sub="user-123", cis2_userinfo={"sub": "user-123"}
             )
             mock_login.assert_called_once_with(ANY, mock_user)
+
+    def test_superuser_redirects_to_admin(
+        self, client, monkeypatch, mock_cis2_client_factory
+    ):
+        """Superusers should always be sent to the admin site after login."""
+        mock_cis2_client_factory()
+
+        mock_user = Mock()
+        mock_user.nhs_uid = "user-123"
+        mock_user.is_superuser = True
+
+        monkeypatch.setattr(
+            "manage_breast_screening.auth.views.authenticate",
+            Mock(return_value=mock_user),
+        )
+        monkeypatch.setattr("manage_breast_screening.auth.views.auth_login", Mock())
+
+        response = client.get(reverse("auth:cis2_callback"))
+
+        assert response.status_code == 302
+        assert response.headers["location"] == "/admin/"

manage_breast_screening/auth/views.py

@@ -115,6 +115,9 @@ def cis2_callback(request):
     request.session["login_time"] = now.isoformat()
     request.session["last_activity"] = now.isoformat()
 
+    if user.is_superuser:
+        return redirect(reverse("admin:index"))
+
     return redirect(reverse("select_provider"))