changeset 5168:4e076ea72052

users: add extra checks on editing the default user. There is no need to be able to edit e-mails or permissions of the default user, so add the same checks that are already present in many other methods of the users controller.
author Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
date Wed, 03 Jun 2015 21:23:06 +0200
parents 8b35ec087464
children d7f13c2a28ba
files kallithea/controllers/admin/users.py kallithea/tests/functional/test_admin_users.py
diffstat 2 files changed, 21 insertions(+), 2 deletions(-) [+]
--- a/kallithea/controllers/admin/users.py	Wed Jun 03 21:25:38 2015 +0200
+++ b/kallithea/controllers/admin/users.py	Wed Jun 03 21:23:06 2015 +0200
@@ -350,7 +350,7 @@
     def update_perms(self, id):
         """PUT /users_perm/id: Update an existing item"""
         # url('user_perm', id=ID, method='put')
-        user = User.get_or_404(id)
+        user = self._get_user_or_raise_if_default(id)
 
         try:
             form = CustomDefaultPermissionsForm()()
@@ -403,7 +403,7 @@
     def add_email(self, id):
         """POST /user_emails:Add an existing item"""
         # url('user_emails', id=ID, method='put')
-
+        user = self._get_user_or_raise_if_default(id)
         email = request.POST.get('new_email')
         user_model = UserModel()
 
@@ -423,6 +423,7 @@
     def delete_email(self, id):
         """DELETE /user_emails_delete/id: Delete an existing item"""
         # url('user_emails_delete', id=ID, method='delete')
+        user = self._get_user_or_raise_if_default(id)
         email_id = request.POST.get('del_email_id')
         user_model = UserModel()
         user_model.delete_extra_email(id, email_id)
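Review bot: In delete_email the new binding `user = self._get_user_or_raise_if_default(id)` is never read in the visible lines — the last line still passes the raw `id` to `user_model.delete_extra_email(id, email_id)` — and the visible part of add_email looks the same, so a linter will flag an unused local in both. Either call the helper for its guard effect alone, `self._get_user_or_raise_if_default(id)`, or thread the resolved object through, `user_model.delete_extra_email(user.user_id, email_id)`, so the lookup is done once and the deletion is tied to the user that passed the check. Both method bodies continue past their hunks, so whether `user` is consumed later cannot be confirmed from here. The docstrings of update_perms, add_email and delete_email still describe a plain update/add/delete; a line such as `Responds 404 for the default user.` would record the new guard, which the accompanying tests expect to yield 404 (the helper body itself is not part of this diff).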
--- a/kallithea/tests/functional/test_admin_users.py	Wed Jun 03 21:25:38 2015 +0200
+++ b/kallithea/tests/functional/test_admin_users.py	Wed Jun 03 21:23:06 2015 +0200
@@ -563,12 +563,30 @@
         user = User.get_default_user()
         response = self.app.get(url('edit_user_perms', id=user.user_id), status=404)
 
+    def test_update_perms_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_perms', id=user.user_id),
+                 {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
     # E-mails
     def test_edit_emails_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.get(url('edit_user_emails', id=user.user_id), status=404)
 
+    def test_add_emails_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_emails', id=user.user_id),
+                 {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
+    def test_delete_emails_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_emails', id=user.user_id),
+                 {'_method': 'delete', '_authentication_token': self.authentication_token()}, status=404)
+
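Review bot: Each of the three new tests binds `response` without reading it, so the check is carried entirely by `status=404`; dropping the binding, `self.app.post(url('edit_user_emails', id=user.user_id), {...}, status=404)`, makes that explicit and avoids an unused-variable warning. The requests also send no `new_email` or `del_email_id`, which is appropriate for exercising the default-user guard but means that if the guard were ever moved after form handling the failure would surface as some other status rather than a 404 — a comment such as `# no email fields on purpose: the default-user check must reject before any form handling` would make that intent visible. The enclosing test class starts outside the hunk.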
     # IP addresses
     # Add/delete of IP addresses for the default user is used to maintain
     # the global IP whitelist and thus allowed. Only 'edit' is forbidden.