
Forbid deletion of current user for admins
ekhomyakova committed Sep 3, 2018
1 parent 9ebff75 commit 3699e87
Showing 3 changed files with 32 additions and 2 deletions.
26 changes: 25 additions & 1 deletion kqueen/blueprints/api/test_user.py
@@ -1,17 +1,34 @@
from .test_crud import BaseTestCRUD
from flask import url_for
from kqueen.conftest import AuthHeader
from kqueen.conftest import UserFixture
from kqueen.config import current_config

import bcrypt
import json
import pytest
import logger


config = current_config()


class TestUserCRUD(BaseTestCRUD):
@pytest.fixture(autouse=True)
def setup(self, client):
super().setup(client)

namespace = (
getattr(self.obj, 'namespace', None) or
getattr(getattr(self.obj, 'owner', None), 'namespace', None)
)
self.test_user_delete = UserFixture(namespace)
logger.error(self.test_user_delete, self.test_user)
logger.error(self.test_user_delete.id, self.test_user.id)
self.test_user_delete.id = '123'
self.test_auth_header_delete = AuthHeader(self.test_user_delete)
self.auth_header_delete = self.test_auth_header_delete.get(client)

def get_object(self):
return UserFixture()

Expand Down Expand Up @@ -104,4 +121,11 @@ def test_crud_update(self):

@pytest.mark.last
def test_crud_delete(self):
super(TestUserCRUD, self).test_crud_delete()
response = self.client.delete(
self.urls['delete'],
headers=self.auth_header_delete
)

assert response.status_code == 200
with pytest.raises(NameError, message='Object not found'):
self.obj.__class__.load(self.namespace, self.obj.id)
7 changes: 7 additions & 0 deletions kqueen/blueprints/api/views.py
Expand Up @@ -546,6 +546,13 @@ def get_policy_key(self):
policy_key = super().get_policy_key()
return '{}_{}'.format(policy_key, self.obj.role)

def dispatch_request(self, *args, **kwargs):
self.check_authentication()
if str(kwargs['pk']) == current_identity.id:
abort(400, "You can not delete yourself")

super().dispatch_request(*args, **kwargs)


api.add_url_rule('/users', view_func=ListUsers.as_view('user_list'))
api.add_url_rule('/users', view_func=CreateUser.as_view('user_create'))
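Review bot: `dispatch_request` discards the response: its last line calls `super().dispatch_request(*args, **kwargs)` without returning the result, so the view hands `None` back to Flask and a permitted delete would fail with a "did not return a valid response" error; it should read `return super().dispatch_request(*args, **kwargs)`. The guard `str(kwargs['pk']) == current_identity.id` assumes `current_identity.id` is already a string — if ids are UUID objects the comparison never matches and the check is silently bypassed, so coercing both sides with `str(current_identity.id)` is safer (the id type is not visible in this hunk). Refusing with 403 rather than 400 would describe the situation more precisely, since the request is well-formed but not permitted; that is a style choice. The enclosing class starts outside the hunk, so which view this override belongs to is inferred only from the route registrations below.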
1 change: 0 additions & 1 deletion setup.py
Expand Up @@ -54,7 +54,6 @@
'google-auth-httplib2==0.0.3',
'azure-common==1.1.9',
'azure-mgmt-containerservice==3.0.0',
'msrestazure==0.4.25',
'urllib3==1.22'
],
setup_requires=[
