kallithea Changeset - 4e076ea72052

Changeset - 4e076ea72052

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Thomas De Schampheleire - 10 years ago 2015-06-03 21:23:06
thomas.de.schampheleire@gmail.com

users: add extra checks on editing the default user

There is no need to be able to edit e-mails or permissions of the default
user, so add the same checks as present in many other methods in the users
controller.

2 files changed with 21 insertions and 2 deletions:

kallithea/controllers/admin/users.py

kallithea/tests/functional/test_admin_users.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/users.py

➞

Show inline comments

@@ @@ -350,7 +350,7 @@ class UsersController(BaseController): @@
     def update_perms(self, id):
         """PUT /users_perm/id: Update an existing item"""
         # url('user_perm', id=ID, method='put')
-        user = User.get_or_404(id)
+        user = self._get_user_or_raise_if_default(id)
         try:
             form = CustomDefaultPermissionsForm()()
@@ @@ -403,7 +403,7 @@ class UsersController(BaseController): @@
     def add_email(self, id):
         """POST /user_emails:Add an existing item"""
         # url('user_emails', id=ID, method='put')
+        user = self._get_user_or_raise_if_default(id)
         email = request.POST.get('new_email')
         user_model = UserModel()
@@ @@ -423,6 +423,7 @@ class UsersController(BaseController): @@
     def delete_email(self, id):
         """DELETE /user_emails_delete/id: Delete an existing item"""
         # url('user_emails_delete', id=ID, method='delete')
         user = self._get_user_or_raise_if_default(id)
         email_id = request.POST.get('del_email_id')
         user_model = UserModel()
         user_model.delete_extra_email(id, email_id)

kallithea/tests/functional/test_admin_users.py

➞

Show inline comments

@@ @@ -563,12 +563,30 @@ class TestAdminUsersControllerForDefault @@
         user = User.get_default_user()
         response = self.app.get(url('edit_user_perms', id=user.user_id), status=404)
     def test_update_perms_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.post(url('edit_user_perms', id=user.user_id),
                  {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
     # E-mails
     def test_edit_emails_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.get(url('edit_user_emails', id=user.user_id), status=404)
     def test_add_emails_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.post(url('edit_user_emails', id=user.user_id),
                  {'_method': 'put', '_authentication_token': self.authentication_token()}, status=404)
     def test_delete_emails_default_user(self):
         self.log_user()
         user = User.get_default_user()
         response = self.app.post(url('edit_user_emails', id=user.user_id),
                  {'_method': 'delete', '_authentication_token': self.authentication_token()}, status=404)
     # IP addresses
     # Add/delete of IP addresses for the default user is used to maintain
     # the global IP whitelist and thus allowed. Only 'edit' is forbidden.

0 comments (0 inline, 0 general)