Only superusers may list all users (#784)
* Only superusers may list all users

* Fix tests
andyhd authored Dec 2, 2019
1 parent 28fa16e commit 588adf1
Showing 5 changed files with 19 additions and 26 deletions.
2 changes: 1 addition & 1 deletion controlpanel/api/rules.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ def is_self(user, other):
return user == other


add_perm('api.list_user', is_authenticated)
add_perm('api.list_user', is_authenticated & is_superuser)
add_perm('api.create_user', is_authenticated & is_superuser)
add_perm('api.retrieve_user', is_authenticated & is_self)
add_perm('api.update_user', is_authenticated & is_self)
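Review bot: The rule `add_perm('api.list_user', is_authenticated & is_superuser)` is now the only control between a normal user and the full account directory; the renamed test in tests/api/filters (from "sees_everything" to "sees_nothing") suggests the list filter itself still returns every user and relies entirely on this permission to deny. If the filter is meant to be defence in depth, it should also narrow the queryset to the requesting user for non-superusers, so that a view with the wrong permission_classes does not expose every auth0_id. A short why-comment would help the next reader understand the tightening: `# Listing users enumerates every account; keep it superuser-only.` The `is_authenticated &` prefix is redundant if is_superuser already implies a logged-in user, but it mirrors the create_user rule on the next line, so keeping it is reasonable for consistency.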
36 changes: 15 additions & 21 deletions tests/api/filters/test_user_filter.py
Original file line number Diff line number Diff line change
@@ -1,29 +1,23 @@
from model_mommy import mommy
from rest_framework import status
from rest_framework.reverse import reverse
from rest_framework.status import HTTP_200_OK
from rest_framework.test import APITestCase


class UserFilterTest(APITestCase):
def user_list(client):
return client.get(reverse('user-list'))

def setUp(self):
self.superuser = mommy.make(
"api.User", is_superuser=True)
self.normal_user = mommy.make(
"api.User", is_superuser=False)

def test_superuser_sees_everything(self):
self.client.force_login(self.superuser)
def test_superuser_sees_everything(client, users):
client.force_login(users['superuser'])
response = user_list(client)
assert response.status_code == status.HTTP_200_OK

response = self.client.get(reverse("user-list"))
user_ids = [user["auth0_id"] for user in response.data["results"]]
self.assertEqual(len(user_ids), 2)
self.assertIn(self.superuser.auth0_id, user_ids)
self.assertIn(self.normal_user.auth0_id, user_ids)
all_user_ids = [user.auth0_id for key, user in users.items()]
returned_user_ids = [user["auth0_id"] for user in response.data["results"]]

def test_normal_user_sees_everything(self):
self.client.force_login(self.normal_user)
assert set(returned_user_ids) == set(all_user_ids)

response = self.client.get(reverse("user-list"))
self.assertEqual(HTTP_200_OK, response.status_code)
self.assertEqual(len(response.data["results"]), 2)

def test_normal_user_sees_nothing(client, users):
client.force_login(users['normal_user'])
response = user_list(client)
assert response.status_code == status.HTTP_403_FORBIDDEN
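Review bot: The new tests cover a superuser and a normal user but not the `is_authenticated` half of the rule: nothing here exercises an anonymous client against `user-list`, so a regression that drops the login requirement while keeping the superuser check would not be caught by this file. Add a third case next to `test_normal_user_sees_nothing`, e.g. `def test_anonymous_cannot_list(client):` / `response = user_list(client)` / `assert response.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)`, unless tests/api/test_authentication.py already pins this for the users endpoint (that file appears to have just moved its request to /apps, so it probably no longer does). The set-equality check in `test_superuser_sees_everything` is the right shape for a list endpoint: it fails both when a user is missing and when an unexpected one leaks in.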
2 changes: 1 addition & 1 deletion tests/api/permissions/test_user_permissions.py
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ def user_update_self(client, users):
(user_create, "superuser", status.HTTP_201_CREATED),
(user_update, "superuser", status.HTTP_200_OK),
(user_list, "normal_user", status.HTTP_200_OK),
(user_list, "normal_user", status.HTTP_403_FORBIDDEN),
(user_detail, "normal_user", status.HTTP_403_FORBIDDEN),
(user_own_detail, "normal_user", status.HTTP_200_OK),
(user_delete, "normal_user", status.HTTP_403_FORBIDDEN),
2 changes: 1 addition & 1 deletion tests/api/test_authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ def make_request(**headers):
if value is not None:
filtered[header] = value
return client.get(
"/api/cpanel/v1/users",
"/api/cpanel/v1/apps",
follow=True,
**filtered,
)
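Review bot: The switch from `"/api/cpanel/v1/users"` to `"/api/cpanel/v1/apps"` inside make_request carries no comment, and the reason is not recoverable from this file alone: presumably the users list is now superuser-only, so a valid token for an ordinary user would get 403 and the test could no longer tell an authentication failure from a permission denial. Record that above the `client.get(`, e.g. `# /users is superuser-only (#784); use an endpoint any authenticated user may read so auth failures (401) stay distinguishable from permission denials (403)`. This also makes the authentication tests depend on the apps list staying readable by every authenticated user; if that rule tightens later the failure will look like an auth bug, which the comment would explain. make_request begins before this hunk.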
3 changes: 1 addition & 2 deletions tests/frontend/views/test_user.py
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ def reset_mfa(client, users, *args):
'view,user,expected_status',
[
(list, 'superuser', status.HTTP_200_OK),
(list, 'normal_user', status.HTTP_200_OK),
(list, 'normal_user', status.HTTP_403_FORBIDDEN),
(delete, 'superuser', status.HTTP_302_FOUND),
(delete, 'normal_user', status.HTTP_403_FORBIDDEN),
Expand Down Expand Up @@ -72,7 +72,6 @@ def test_permission(client, users, view, user, expected_status):
'view,user,expected_count',
[
(list, 'superuser', 3),
(list, 'normal_user', 3),
],
)
def test_list(client, users, view, user, expected_count):
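Review bot: With the normal_user row removed, the `test_list` parametrize table at the end of the hunk has a single entry `(list, 'superuser', 3)`, and the hard-coded 3 is tied to nothing visible; if it is meant to be the number of users the `users` fixture creates, `len(users)` (or a count of User rows) would state the intent and stop the test from breaking silently when a fixture user is added — confirm against the fixture first, since `users` may hold entries that are not database rows. test_list's body continues past the hunk. Separately, the view under test is bound to the name `list`, which shadows the builtin; that predates this commit, but a rename to `list_view` would be cheap while this file is being touched.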
