OpenConceptLab/ocl_issues#1154 | Admin user can make another user adm…

…in or remove it (except self)
OpenConceptLab · Dec 13, 2021 · 1826120 · 1826120
1 parent 3ea6289
commit 1826120
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/core/integration_tests/tests_users.py b/core/integration_tests/tests_users.py
@@ -499,6 +499,14 @@ def test_put_204(self):
         self.assertFalse(self.user.is_staff)
         self.assertFalse(self.user.is_superuser)
 
+    def test_put_400(self):
+        response = self.client.put(
+            f'/users/{self.superuser.username}/staff/',
+            HTTP_AUTHORIZATION='Token ' + self.superuser.get_token(),
+            format='json'
+        )
+        self.assertEqual(response.status_code, 400)
+
 
 class UserExtrasViewTest(OCLAPITestCase):
     def setUp(self):

diff --git a/core/users/views.py b/core/users/views.py
@@ -15,6 +15,7 @@
 
 from core.common.constants import NOT_FOUND, MUST_SPECIFY_EXTRA_PARAM_IN_BODY, LAST_LOGIN_SINCE_PARAM, \
     LAST_LOGIN_BEFORE_PARAM, DATE_JOINED_SINCE_PARAM, DATE_JOINED_BEFORE_PARAM
+from core.common.exceptions import Http400
 from core.common.mixins import ListWithHeadersMixin
 from core.common.swagger_parameters import last_login_before_param, last_login_since_param, updated_since_param, \
     date_joined_since_param, date_joined_before_param
@@ -273,6 +274,8 @@ class UserStaffToggleView(UserBaseView, UpdateAPIView):
 
     def update(self, request, *args, **kwargs):
         user = self.get_object()
+        if user.username == self.request.user.username:
+            raise Http400()
         user.is_staff = not user.is_staff
         user.is_superuser = not user.is_superuser
         user.save()