
Backend: Prevent a from disabling himself / Fix BE tests

p-se committed Jul 19, 2019
1 parent 6efc501 commit b729fba62a909ff6320df273d2c2763c09fa8c8a
Showing with 20 additions and 4 deletions.
  1. +15 −4 qa/tasks/mgr/dashboard/test_user.py
  2. +5 −0 src/pybind/mgr/dashboard/controllers/user.py
@@ -8,7 +8,7 @@
class UserTest(DashboardTestCase):

@classmethod
def _create_user(cls, username=None, password=None, name=None, email=None, roles=None):
def _create_user(cls, username=None, password=None, name=None, email=None, roles=None, enabled=True):
data = {}
if username:
data['username'] = username
@@ -20,6 +20,7 @@ def _create_user(cls, username=None, password=None, name=None, email=None, roles
data['email'] = email
if roles:
data['roles'] = roles
data['enabled'] = enabled
cls._post("/api/user", data)

def test_crud_user(self):
@@ -38,7 +39,8 @@ def test_crud_user(self):
'name': 'My Name',
'email': 'my@email.com',
'roles': ['administrator'],
'lastUpdate': user['lastUpdate']
'lastUpdate': user['lastUpdate'],
'enabled': True
})

self._put('/api/user/user1', {
@@ -53,7 +55,8 @@ def test_crud_user(self):
'name': 'My New Name',
'email': 'mynew@email.com',
'roles': ['block-manager'],
'lastUpdate': user['lastUpdate']
'lastUpdate': user['lastUpdate'],
'enabled': True
})

self._delete('/api/user/user1')
@@ -70,7 +73,8 @@ def test_list_users(self):
'name': None,
'email': None,
'roles': ['administrator'],
'lastUpdate': user['lastUpdate']
'lastUpdate': user['lastUpdate'],
'enabled': True
}])

def test_create_user_already_exists(self):
@@ -104,6 +108,13 @@ def test_delete_current_user(self):
self.assertError(code='cannot_delete_current_user',
component='user')

@DashboardTestCase.RunAs('test', 'test', [{'user': ['create', 'read', 'update', 'delete']}])
def test_disable_current_user(self):
self._put('/api/user/test', {'enabled': False})
self.assertStatus(400)
self.assertError(code='cannot_disable_current_user',
component='user')

def test_update_user_does_not_exist(self):
self._put('/api/user/user2', {'name': 'My New Name'})
self.assertStatus(404)
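Review bot: `test_disable_current_user` stops at the 400 status and the error code, so it would still pass if the controller rejected the request only after changing the stored state. After the `assertError` call, re-read the account and assert it is still enabled, e.g. `user = self._get('/api/user/test')` followed by `self.assertTrue(user['enabled'])` (assuming the test case's GET helper returns the decoded body, as the `user['lastUpdate']` lookups in the earlier hunks suggest). A companion case that disables a different user and expects success would pin down that the guard applies to the caller's own account only.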
@@ -78,6 +78,11 @@ def delete(self, username):

def set(self, username, password=None, name=None, email=None, roles=None,
enabled=None):
if JwtManager.get_username() == username and enabled is False:
raise DashboardException(msg='You are not allowed to disable your user',
code='cannot_disable_current_user',
component='user')

try:
user = mgr.ACCESS_CTRL_DB.get_user(username)
except UserDoesNotExist:
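Review bot: The new guard at the top of `set` matches only the literal `False` (`enabled is False`), so a request that supplies any other falsy value for `enabled` is not caught by it. Whether such a value would then disable the account depends on the rest of `set`, which continues outside the hunk. Consider rejecting non-boolean input before the comparison, or widening the condition to `if JwtManager.get_username() == username and enabled is not None and not enabled:`. The check also covers only the caller's own account, so it is worth confirming separately that the last enabled administrator cannot be disabled by another user with update permission.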
