Fix for unauthorized user edit

ckan · Apr 17, 2013 · 7a12178 · 7a12178
1 parent 48f37ef
commit 7a12178
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
@@ -178,14 +178,18 @@ def group_edit_permissions(context, data_dict):
 
 def user_update(context, data_dict):
     user = context['user']
+    if not user and 'reset_key' not in data_dict:
+        return {'success': False,
+                'msg': _('Have to be logged in to edit user')}
+
     user_obj = logic_auth.get_user_object(context, data_dict)
     user_reset = ('reset_key' in data_dict and
                   data_dict['reset_key'] == user_obj.reset_key)
 
     if not (user == user_obj.name) and not user_reset:
         return {'success': False,
                 'msg': _('User %s not authorized to edit user %s') %
-                        (str(user), user_obj.id)}
+                        (user, user_obj.id)}
 
     return {'success': True}
 

diff --git a/ckan/tests/functional/test_user.py b/ckan/tests/functional/test_user.py
@@ -820,8 +820,9 @@ def test_user_edit_no_user(self):
 
     def test_user_edit_unknown_user(self):
         offset = url_for(controller='user', action='edit', id='unknown_person')
-        res = self.app.get(offset, status=404)
-        assert 'User not found' in res, res
+        res = self.app.get(offset, status=302) # redirect to login page
+        res = res.follow()
+        assert 'Login' in res, res
 
     def test_user_edit_not_logged_in(self):
         # create user