Authorization for UsersController#info

Change-Id: I3ffb250f4d78f00b9ae72f55e98745f9f306bc52
cloudfoundry-attic · Oct 27, 2011 · 36ef77e · 36ef77e
1 parent 939bf33
commit 36ef77e
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 2 deletions.
diff --git a/cloud_controller/app/controllers/users_controller.rb b/cloud_controller/app/controllers/users_controller.rb
@@ -44,8 +44,16 @@ def update
   end
 
   def info
-    # FIXME, make sure request matches logged in user!
-    render :json => { :email => user.email }
+    target_user = ::User.find_by_email(params['email'])
+    if target_user
+      if target_user.email == user.email || @current_user.admin?
+        render :json => { :email => target_user.email }
+      else
+        raise CloudError.new(CloudError::FORBIDDEN)
+      end
+    else
+      raise CloudError.new(CloudError::USER_NOT_FOUND)
+    end
   end
 
   def list

diff --git a/cloud_controller/spec/controllers/users_controller_spec.rb b/cloud_controller/spec/controllers/users_controller_spec.rb
@@ -8,6 +8,53 @@
     request.env["HTTP_AUTHORIZATION"] = ""
   end
 
+  describe "#info" do
+    it 'should return an user info as an user requesting for himself' do
+      User.find_by_email(@user.email).should_not be_nil
+      @user.admin?.should be_false
+      @user_headers.each {|key, value| request.env[key] = value}
+      get :info, {:email => @user.email}
+      response.status.should == 200
+      json = Yajl::Parser.parse(response.body)
+      json.should be_kind_of(Hash)
+      json['email'].should == @user.email
+    end
+
+    it 'should return an user info as an admin requesting for an existent user' do
+      User.find_by_email(@user.email).should_not be_nil
+      @admin.admin?.should be_true
+      @admin_headers.each {|key, value| request.env[key] = value}
+      get :info, {:email => @user.email}
+      response.status.should == 200
+      json = Yajl::Parser.parse(response.body)
+      json.should be_kind_of(Hash)
+      json['email'].should == @user.email
+    end
+
+    it 'should return an error as an admin requesting for a non-existent user' do
+      @admin.admin?.should be_true
+      @admin_headers.each {|key, value| request.env[key] = value}
+      get :info, {:email => 'non-existent@example.com'}
+      response.status.should == 403
+      json = Yajl::Parser.parse(response.body)
+      json.should be_kind_of(Hash)
+      json['code'].should == 201
+      json['description'].should == 'User not found'
+    end
+
+    it 'should return an error as a user requesting for another user' do
+      User.find_by_email(@user.email).should_not be_nil
+      @user.admin?.should be_false
+      @user_headers.each {|key, value| request.env[key] = value}
+      get :info, {:email => @admin.email}
+      response.status.should == 403
+      json = Yajl::Parser.parse(response.body)
+      json.should be_kind_of(Hash)
+      json['code'].should == 200
+      json['description'].should == 'Operation not permitted'
+    end
+  end
+
   describe "#list" do
     it 'should return 200 as an admin' do
       @admin.admin?.should be_true