Added permission check to DELETE of nodes.

2017-07-13 17:08:43 +02:00 · 2017-07-13 17:08:43 +02:00 · bd13d89817
commit bd13d89817
parent 8a8f654657
3 changed files with 45 additions and 1 deletions
--- a/pillar/api/nodes/init.py
+++ b/pillar/api/nodes/init.py
@ -365,6 +365,10 @@ def nodes_set_default_picture(nodes):
        node_set_default_picture(node)


+def before_deleting_node(node: dict):
+    check_permissions('nodes', node, 'DELETE')
+
+
 def after_deleting_node(item):
    from pillar.celery import algolia_tasks
    algolia_tasks.algolia_index_node_delete.delay(str(item['_id']))
@ -415,6 +419,7 @@ def setup_app(app, url_prefix):

    app.on_update_nodes += convert_markdown

+    app.on_delete_item_nodes += before_deleting_node
    app.on_deleted_item_nodes += after_deleting_node

    app.register_api_blueprint(blueprint, url_prefix=url_prefix)
--- a/pillar/auth/init.py
+++ b/pillar/auth/init.py
@ -80,7 +80,7 @@ def config_login_manager(app):
    return login_manager


-def login_user(oauth_token, *, load_from_db=False):
+def login_user(oauth_token: str, *, load_from_db=False):
    """Log in the user identified by the given token."""

    if load_from_db:
--- a/tests/test_api/test_auth.py
+++ b/tests/test_api/test_auth.py
@ -484,6 +484,45 @@ class PermissionComputationTest(AbstractPillarTest):
                 'world': ['GET']},
                self.sort(compute_aggr_permissions('nodes', node, None)))

+    def test_delete_node(self):
+        self.enter_app_context()
+
+        proj_id, proj = self.ensure_project_exists()
+        self.create_user(user_id=24 * 'a', roles={'subscriber'},
+                         groups=[ctd.EXAMPLE_PROJECT_OWNER_ID])
+
+        node = copy.deepcopy(ctd.EXAMPLE_NODE)
+        node['project'] = proj_id
+        node_id = self.create_node(node)
+
+        # Try deletion by a user who is not part of the project.
+        self.create_user(user_id=6 * 'dafe', roles={'subscriber'}, token='dafe-token')
+        self.delete(f'/api/nodes/{node_id}',
+                    auth_token='dafe-token',
+                    etag=node['_etag'],
+                    expected_status=403)
+
+        found = self.app.db('nodes').find_one(node_id)
+        self.assertFalse(found.get('_deleted', False))
+
+    def test_delete_project(self):
+        self.enter_app_context()
+
+        proj_id, proj = self.ensure_project_exists()
+        self.create_user(user_id=24 * 'a', roles={'subscriber'},
+                         groups=[ctd.EXAMPLE_PROJECT_OWNER_ID])
+
+        # Try deletion by a user who is not part of the project.
+        self.create_user(user_id=6 * 'dafe', roles={'subscriber'}, token='dafe-token')
+        self.delete(f'/api/projects/{proj_id}',
+                    auth_token='dafe-token',
+                    etag=proj['_etag'],
+                    expected_status=403)
+
+        found = self.app.db('projects').find_one(proj_id)
+        self.assertIsNotNone(found)
+        self.assertFalse(found.get('_deleted', False))
+

 class RequireRolesTest(AbstractPillarTest):
    def test_no_roles_required(self):