Merge pull request #1884 from adrianschroeter/user_lock

[api] add command to lock or delete users
openSUSE · Jun 20, 2016 · ebbc077 · ebbc077
2 parents f0b92e2 + c69e998
commit ebbc077
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 1 deletion.
diff --git a/ReleaseNotes-2.8 b/ReleaseNotes-2.8
@@ -29,6 +29,7 @@ Features
 
  * New obsservicedispatch service to handle source service runs in a queue
    and asynchron.
+ * Allow admins to lock or delete users and their home projects via new command
 
 Incompatible changes:
 =====================

diff --git a/docs/api/api/api.txt b/docs/api/api/api.txt
@@ -151,6 +151,8 @@ XmlResult: status
 
 Parameters:
   cmd: change_password
+  cmd: lock             # will lock the user and his home projects
+  cmd: delete           # will mark the user as deleted and remove her home projects
 
 GET /person/<userid>/token
 

diff --git a/src/api/app/controllers/person_controller.rb b/src/api/app/controllers/person_controller.rb
@@ -65,7 +65,22 @@ def post_userinfo
       render_ok
       return
     end
-    raise UnknownCommandError.new "Allowed commands are 'change_password'"
+    if params[:cmd] == "lock"
+      return unless require_admin
+      user = User.find_by_login!(params[:login])
+      user.lock!
+      render_ok
+      return
+    end
+    if params[:cmd] == "delete"
+      # maybe we should allow the users to delete themself?
+      return unless require_admin
+      user = User.find_by_login!(params[:login])
+      user.delete!
+      render_ok
+      return
+    end
+    raise UnknownCommandError.new "Allowed commands are 'change_password', 'lock' or 'delete', got #{params[:cmd]}"
   end
 
   def put_userinfo

diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb
@@ -776,6 +776,28 @@ def has_local_permission?( perm_string, object )
     false
   end
 
+  def lock!
+    self.state = 'locked'
+    self.save!
+
+    # lock also all home projects to avoid unneccessary builds
+    Project.where("name like ?", "#{self.home_project_name}%").each do |prj|
+      next if prj.is_locked?
+      prj.lock("User account got locked")
+    end
+  end
+
+  def delete!
+    self.state = 'deleted'
+    self.save!
+
+    # wipe also all home projects
+    Project.where("name like ?", "#{self.home_project_name}%").each do |prj|
+      prj.commit_opts = { comment: "User account got deleted"}
+      prj.destroy
+    end
+  end
+
   def involved_projects_ids
     # just for maintainer for now.
     role = Role.rolecache['maintainer']

diff --git a/src/api/test/functional/person_controller_test.rb b/src/api/test/functional/person_controller_test.rb
@@ -284,6 +284,59 @@ def test_update_user_info
     assert_no_xml_tag :tag => 'person', :child => {:tag => 'globalrole', :content => "Admin"}
   end
 
+  def test_lock_user
+    login_king
+
+    user_xml = "<person>
+  <login>lost_guy</login>
+  <email>lonely_person@universe.com</email>
+  <realname>The Other Guy</realname>
+  <state>confirmed</state>
+</person>"
+
+    # create new user
+    put "/person/lost_guy", user_xml
+    assert_response :success
+
+    # create sub project of home
+    put "/source/home:lost_guy:subproject/_meta", '<project name="home:lost_guy:subproject"><title/><description/></project>'
+    assert_response :success
+
+    # only admins, not even the user itself can lock himself
+    login_Iggy
+    post "/person/lost_guy?cmd=lock", nil
+    assert_response 403
+    post "/person/lost_guy?cmd=delete", nil
+    assert_response 403
+
+    # but the admin can ...
+    login_king
+    post "/person/lost_guy?cmd=lock", nil
+    assert_response :success
+    get "/person/lost_guy"
+    assert_response :success
+    assert_xml_tag tag: "state", content: "locked"
+    get "/source/home:lost_guy:subproject/_meta"
+    assert_response :success
+    assert_xml_tag tag: "lock"
+    get "/source/home:lost_guy/_meta"
+    assert_response :success
+    assert_xml_tag tag: "lock"
+
+    # we can still delete the locked user
+    post "/person/lost_guy?cmd=delete", nil
+    assert_response :success
+    get "/person/lost_guy"
+    assert_response 404
+    get "/source/home:lost_guy:subproject/_meta"
+    assert_response 404
+    get "/source/home:lost_guy/_meta"
+    assert_response 404
+
+    # cleanup
+    User.current = User.find_by(login: 'lost_guy')
+  end
+
   def test_register_disabled
     c = ::Configuration.first
     c.registration = "deny"