[PATCH 2 of 3 v3] users: add extra checks on editing the default user
Thomas De Schampheleire
patrickdepinguin at gmail.com
Wed Jun 3 16:05:54 EDT 2015
# HG changeset patch
# User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
# Date 1433359386 -7200
# Wed Jun 03 21:23:06 2015 +0200
# Node ID 6e18642dd51a2257cd0e8d05926a9244b37e0a70
# Parent 6a6119935ed636def910c4c4495ac2e4213d9ae7
users: add extra checks on editing the default user
There is no need to be able to edit e-mails or permissions of the default
user, so add the same checks as present in many other methods in the users
controller.
diff --git a/kallithea/controllers/admin/users.py b/kallithea/controllers/admin/users.py
--- a/kallithea/controllers/admin/users.py
+++ b/kallithea/controllers/admin/users.py
@@ -350,7 +350,7 @@ class UsersController(BaseController):
def update_perms(self, id):
"""PUT /users_perm/id: Update an existing item"""
# url('user_perm', id=ID, method='put')
- user = User.get_or_404(id)
+ user = self._get_user_or_raise_if_default(id)
try:
form = CustomDefaultPermissionsForm()()
@@ -403,7 +403,7 @@ class UsersController(BaseController):
def add_email(self, id):
"""POST /user_emails:Add an existing item"""
# url('user_emails', id=ID, method='put')
-
+ user = self._get_user_or_raise_if_default(id)
email = request.POST.get('new_email')
user_model = UserModel()
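Review bot: The `user` local bound on the added line in add_email is not read by the visible lines that follow (`email = request.POST.get('new_email')`, `user_model = UserModel()`), and in the delete_email hunk the same assignment is followed by `user_model.delete_extra_email(id, email_id)`, which still passes the raw `id` rather than the checked user; add_email's body continues outside the hunk, so it may use `user` further down. If the assignment exists only for its raise-on-default side effect, make that explicit so a reader or linter does not see a dead store: call `self._get_user_or_raise_if_default(id)` as a bare statement, or in delete_email pass `user.user_id` to the model call so the object that was checked is the one acted on. The helper's behavior is not in this diff; presumably it raises an HTTP 404, which is what the accompanying tests expect.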
@@ -423,6 +423,7 @@ class UsersController(BaseController):
def delete_email(self, id):
"""DELETE /user_emails_delete/id: Delete an existing item"""
# url('user_emails_delete', id=ID, method='delete')
+ user = self._get_user_or_raise_if_default(id)
email_id = request.POST.get('del_email_id')
user_model = UserModel()
user_model.delete_extra_email(id, email_id)
diff --git a/kallithea/tests/functional/test_admin_users.py b/kallithea/tests/functional/test_admin_users.py
--- a/kallithea/tests/functional/test_admin_users.py
+++ b/kallithea/tests/functional/test_admin_users.py
@@ -563,12 +563,30 @@ class TestAdminUsersControllerForDefault
user = User.get_default_user()
response = self.app.get(url('edit_user_perms', id=user.user_id), status=404)
+ def test_update_perms_default_user(self):
+ self.log_user()
+ user = User.get_default_user()
+ response = self.app.post(url('edit_user_perms', id=user.user_id),
+ {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
# E-mails
def test_edit_emails_default_user(self):
self.log_user()
user = User.get_default_user()
response = self.app.get(url('edit_user_emails', id=user.user_id), status=404)
+ def test_add_emails_default_user(self):
+ self.log_user()
+ user = User.get_default_user()
+ response = self.app.post(url('edit_user_emails', id=user.user_id),
+ {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
+
+ def test_delete_emails_default_user(self):
+ self.log_user()
+ user = User.get_default_user()
+ response = self.app.post(url('edit_user_emails', id=user.user_id),
+ {'_method': 'delete', '_authentication_token': self.authentication_token()}, status=404)
+
# IP addresses
# Add/delete of IP addresses for the default user is used to maintain
# the global IP whitelist and thus allowed. Only 'edit' is forbidden.
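Review bot: Each new test (test_update_perms_default_user, test_add_emails_default_user, test_delete_emails_default_user) binds `response` but never reads it; the `status=404` argument already performs the assertion, so write the call as a bare statement, e.g. `self.app.post(url('edit_user_emails', id=user.user_id), {'_method': 'delete', '_authentication_token': self.authentication_token()}, status=404)`. The tests only check the status code; an additional assertion that the default user's e-mail list is unchanged after the rejected add/delete would pin the intended protection rather than just the response, though whether a helper for reading that list exists is not visible here.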