Merge pull request #179 from mekanix/only-admin

Only admin can edit/delete other users

Author: mekanix

freenit/__init__.py

@@ -1 +1 @@
-__version__ = "0.3.18"
+__version__ = "0.3.19"

freenit/api/user/ldap.py

@@ -37,7 +37,13 @@ async def get(id, _: User = Depends(user_perms)) -> UserSafe:
         return user
 
     @staticmethod
-    async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSafe:
+    async def patch(
+        id, data: UserOptional, cur_user: User = Depends(user_perms)
+    ) -> UserSafe:
+        if not cur_user.admin:
+            raise HTTPException(
+                status_code=403, detail="Only admin users can edit other user's details"
+            )
         user = await User.get_by_uid(id)
         update = {
             field: getattr(data, field)
@@ -48,7 +54,11 @@ async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSa
         return user
 
     @staticmethod
-    async def delete(id, _: User = Depends(user_perms)) -> UserSafe:
+    async def delete(id, cur_user: User = Depends(user_perms)) -> UserSafe:
+        if not cur_user.admin:
+            raise HTTPException(
+                status_code=403, detail="Only admin users can delete other users"
+            )
         try:
             user = await User.get_by_uid(id)
             await user.destroy()

freenit/api/user/sql.py

@@ -43,7 +43,13 @@ async def get(id, _: User = Depends(user_perms)) -> UserSafe:
         return user
 
     @staticmethod
-    async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSafe:
+    async def patch(
+        id, data: UserOptional, cur_user: User = Depends(user_perms)
+    ) -> UserSafe:
+        if not cur_user.admin:
+            raise HTTPException(
+                status_code=403, detail="Only admin users can edit other user's details"
+            )
         if data.password:
             data.password = encrypt(data.password)
         try:
@@ -54,7 +60,11 @@ async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSa
         return user
 
     @staticmethod
-    async def delete(id, _: User = Depends(user_perms)) -> UserSafe:
+    async def delete(id, cur_user: User = Depends(user_perms)) -> UserSafe:
+        if not cur_user.admin:
+            raise HTTPException(
+                status_code=403, detail="Only admin users can delete other users"
+            )
         try:
             user = await User.objects.get(pk=id)
         except ormar.exceptions.NoMatch:
@@ -73,7 +83,9 @@ async def get(user: User = Depends(profile_perms)) -> UserSafe:
 
     @staticmethod
     @description("Edit my profile")
-    async def patch(data: UserOptional, user: User = Depends(profile_perms)) -> UserSafe:
+    async def patch(
+        data: UserOptional, user: User = Depends(profile_perms)
+    ) -> UserSafe:
         if data.password:
             data.password = encrypt(data.password)
         await user.patch(data)

tests/test_user.py

@@ -39,7 +39,7 @@ async def test_get_user_by_id(self, client):
         assert response.status_code == 200
 
     async def test_delete_user(self, client):
-        admin = factories.User()
+        admin = factories.User(admin=True)
         await admin.save()
         client.login(user=admin)
         user = factories.User()
@@ -48,7 +48,7 @@ async def test_delete_user(self, client):
         assert response.status_code == 200
 
     async def test_edit_user(self, client):
-        admin = factories.User()
+        admin = factories.User(admin=True)
         await admin.save()
         client.login(user=admin)
         data = {