Revert "www.stats: Open "tb 440" to all SIAE"

This reverts commit b97cf20.

config/settings/base.py

@@ -436,6 +436,7 @@
 # Specific experimental stats are progressively being deployed to more and more users and/or companies.
 # Kept as a setting to not let User pks or Company asp_ids in clear in the code.
 STATS_SIAE_USER_PK_WHITELIST = json.loads(os.getenv("STATS_SIAE_USER_PK_WHITELIST", "[]"))
+STATS_SIAE_PK_WHITELIST = json.loads(os.getenv("STATS_SIAE_PK_WHITELIST", "[]"))
 STATS_ACI_DEPARTMENT_WHITELIST = ["31", "84"]
 
 # Slack notifications sent by Metabase cronjobs.

itou/templates/dashboard/includes/stats.html

@@ -32,14 +32,16 @@
                             </a>
                         </li>
                     {% endif %}
-                    {% if can_view_stats_siae %}
+                    {% if can_view_stats_siae_orga_etp %}
                         <li class="d-flex justify-content-between align-items-center mb-3">
                             <a href="{% url 'stats:stats_siae_orga_etp' %}" class="btn-link btn-ico">
                                 <i class="ri-bar-chart-line ri-lg font-weight-normal align-self-start"></i>
                                 <span>Suivre les effectifs annuels et mensuels en ETP de ma structure</span>
                             </a>
                             {% include "dashboard/includes/stats_new_badge.html" %}
                         </li>
+                    {% endif %}
+                    {% if can_view_stats_siae %}
                         <li class="d-flex justify-content-between align-items-center mb-3">
                             <a href="{% url 'stats:stats_siae_hiring' %}" class="btn-link btn-ico">
                                 <i class="ri-bar-chart-line ri-lg font-weight-normal align-self-start"></i>

itou/www/dashboard/views.py

@@ -193,6 +193,7 @@ def dashboard_stats(request, template_name="dashboard/dashboard_stats.html"):
         "can_view_stats_siae": stats_utils.can_view_stats_siae(request),
         "can_view_stats_siae_aci": stats_utils.can_view_stats_siae_aci(request),
         "can_view_stats_siae_etp": stats_utils.can_view_stats_siae_etp(request),
+        "can_view_stats_siae_orga_etp": stats_utils.can_view_stats_siae_orga_etp(request),
         "can_view_stats_cd": stats_utils.can_view_stats_cd(request),
         "can_view_stats_cd_aci": stats_utils.can_view_stats_cd_aci(request),
         "can_view_stats_ft": stats_utils.can_view_stats_ft(request),

itou/www/stats/utils.py

@@ -61,6 +61,13 @@ def can_view_stats_siae_etp(request):
     )
 
 
+def can_view_stats_siae_orga_etp(request):
+    """
+    Non official stats with very specific access rights.
+    """
+    return can_view_stats_siae(request) and request.current_organization.pk in settings.STATS_SIAE_PK_WHITELIST
+
+
 def can_view_stats_cd(request):
     """
     Users of a real CD can view the confidential CD stats for their department only.

itou/www/stats/views.py

@@ -256,6 +256,8 @@ def stats_siae_orga_etp(request):
     These stats are about ETP data from the ASP.
     """
     current_org = get_stats_siae_current_org(request)
+    if not utils.can_view_stats_siae_orga_etp(request):
+        raise PermissionDenied
     context = {
         "page_title": "Suivi des effectifs annuels et mensuels en ETP",
         "department": current_org.department,

tests/www/stats/test_views.py

@@ -128,6 +128,7 @@ def test_stats_siae_log_visit(client, settings, view_name):
     user = company.members.get()
 
     settings.STATS_SIAE_USER_PK_WHITELIST = [user.pk]
+    settings.STATS_SIAE_PK_WHITELIST = [company.pk]
     settings.STATS_ACI_DEPARTMENT_WHITELIST = [company.department]
 
     client.force_login(user)