Deny access to dashboard edit page to superusers with dummy person

CHANGELOG.rst

@@ -25,6 +25,7 @@ Fixed
 ~~~~~
 
 * Changing the favicon did not result in all icons being replaced in some cases
+* Superusers with a dummy person were able to access the dashboard edit page.
 * GroupManager.get_queryset() returned an incomplete QuerySet
 * OAuth was broken by a non-semver-adhering django-oauth-toolkit update
 * Too long texts in chips didn't result in a larger chip.

aleksis/core/templates/core/index.html

@@ -10,7 +10,7 @@
 
 {% block content %}
   {% has_perm "core.edit_dashboard_rule" user as can_edit_dashboard %}
-  {% if can_edit_dashboard %}
+  {% if can_edit_dashboard and show_edit_dashboard_button %}
     <div class="row no-margin">
       <a class="btn-flat waves-effect waves-light right" href="{% url "edit_dashboard" %}">
         <i class="material-icons left">edit</i>

aleksis/core/views.py

@@ -232,9 +232,11 @@ def index(request: HttpRequest) -> HttpResponse:
         context["default_dashboard"] = True
 
     media = DashboardWidget.get_media(widgets)
+    show_edit_dashboard_button = not getattr(person, "is_dummy", False)
 
     context["widgets"] = widgets
     context["media"] = media
+    context["show_edit_dashboard_button"] = show_edit_dashboard_button
 
     return render(request, "core/index.html", context)
 
@@ -993,7 +995,11 @@ class EditDashboardView(PermissionRequiredMixin, View):
         context = {}
         self.default_dashboard = kwargs.get("default", False)
 
-        if self.default_dashboard and not request.user.has_perm("core.edit_default_dashboard_rule"):
+        if (
+            self.default_dashboard
+            and not request.user.has_perm("core.edit_default_dashboard_rule")
+            or getattr(person, "is_dummy", False)
+        ):
             raise PermissionDenied()
 
         context["default_dashboard"] = self.default_dashboard