changeset 5168:4e076ea72052
users: add extra checks on editing the default user
There is no need to be able to edit e-mails or permissions of the default
user, so add the same checks that are already present in many other methods
of the users controller.
author | Thomas De Schampheleire <thomas.de.schampheleire@gmail.com> |
---|---|
date | Wed, 03 Jun 2015 21:23:06 +0200 |
parents | 8b35ec087464 |
children | d7f13c2a28ba |
files | kallithea/controllers/admin/users.py kallithea/tests/functional/test_admin_users.py |
diffstat | 2 files changed, 21 insertions(+), 2 deletions(-) [+] |
--- a/kallithea/controllers/admin/users.py Wed Jun 03 21:25:38 2015 +0200
+++ b/kallithea/controllers/admin/users.py Wed Jun 03 21:23:06 2015 +0200
@@ -350,7 +350,7 @@
     def update_perms(self, id):
         """PUT /users_perm/id: Update an existing item"""
         # url('user_perm', id=ID, method='put')
-        user = User.get_or_404(id)
+        user = self._get_user_or_raise_if_default(id)
 
         try:
             form = CustomDefaultPermissionsForm()()
@@ -403,7 +403,7 @@
     def add_email(self, id):
         """POST /user_emails:Add an existing item"""
         # url('user_emails', id=ID, method='put')
-
+        user = self._get_user_or_raise_if_default(id)
         email = request.POST.get('new_email')
         user_model = UserModel()
 
@@ -423,6 +423,7 @@
     def delete_email(self, id):
         """DELETE /user_emails_delete/id: Delete an existing item"""
         # url('user_emails_delete', id=ID, method='delete')
+        user = self._get_user_or_raise_if_default(id)
         email_id = request.POST.get('del_email_id')
         user_model = UserModel()
         user_model.delete_extra_email(id, email_id)
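Review bot: In the add_email and delete_email hunks the new `user` local is assigned but never read — the following lines still pass the raw `id` to the model (`user_model.delete_extra_email(id, email_id)`), so the name only serves the guard's side effect and will be flagged as unused. Either drop the binding and make the intent explicit, `self._get_user_or_raise_if_default(id)  # default user: e-mails are not editable (404)`, or use the looked-up object downstream, e.g. `user_model.delete_extra_email(user.user_id, email_id)`, which also guarantees the model call and the check refer to the same user. The 404 behaviour is what the accompanying tests assert; the helper itself is not in this diff, so whether it validates `id` beyond the default-user check cannot be confirmed here. The bodies of update_perms, add_email and delete_email all continue past their hunks.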
--- a/kallithea/tests/functional/test_admin_users.py Wed Jun 03 21:25:38 2015 +0200
+++ b/kallithea/tests/functional/test_admin_users.py Wed Jun 03 21:23:06 2015 +0200
@@ -563,12 +563,30 @@
         user = User.get_default_user()
         response = self.app.get(url('edit_user_perms', id=user.user_id), status=404)
 
+    def test_update_perms_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_perms', id=user.user_id),
+                                 {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
     # E-mails
     def test_edit_emails_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.get(url('edit_user_emails', id=user.user_id), status=404)
 
+    def test_add_emails_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_emails', id=user.user_id),
+                                 {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
+    def test_delete_emails_default_user(self):
+        self.log_user()
+        user = User.get_default_user()
+        response = self.app.post(url('edit_user_emails', id=user.user_id),
+                                 {'_method': 'delete', '_authentication_token': self.authentication_token()}, status=404)
+
     # IP addresses
     # Add/delete of IP addresses for the default user is used to maintain
     # the global IP whitelist and thus allowed. Only 'edit' is forbidden.
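Review bot: The three new tests bind `response` and then never inspect it; the `status=404` argument already performs the assertion, so the binding is dead and reads as if a check was forgotten. Write the call as a bare statement, `self.app.post(url('edit_user_emails', id=user.user_id), {...}, status=404)`, as the surrounding tests could too. Note also that the posts carry no `new_email` / `del_email_id` field, so these tests pin only that the default-user guard fires before any input is read; a short comment such as `# guard must reject the default user before any e-mail field is consulted` would make that scope explicit. The enclosing test class starts before this hunk.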