Change: restrict altering and creation of superusers to superusers
This commit is contained in:
shamoon
parent
475c231c6f
commit
1c2b06521e
@ -160,4 +160,23 @@ describe('UserEditDialogComponent', () => {
|
|||||||
})
|
})
|
||||||
expect(component.currentUserIsSuperUser).toBeTruthy()
|
expect(component.currentUserIsSuperUser).toBeTruthy()
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('should disable superuser option if current user is not superuser', () => {
|
||||||
|
const control: AbstractControl = component.objectForm.get('is_superuser')
|
||||||
|
permissionsService.initialize([], {
|
||||||
|
id: 99,
|
||||||
|
username: 'user99',
|
||||||
|
is_superuser: false,
|
||||||
|
})
|
||||||
|
component.ngOnInit()
|
||||||
|
expect(control.disabled).toBeTruthy()
|
||||||
|
|
||||||
|
permissionsService.initialize([], {
|
||||||
|
id: 99,
|
||||||
|
username: 'user99',
|
||||||
|
is_superuser: true,
|
||||||
|
})
|
||||||
|
component.ngOnInit()
|
||||||
|
expect(control.disabled).toBeFalsy()
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|||||||
@ -60,6 +60,11 @@ export class UserEditDialogComponent
|
|||||||
ngOnInit(): void {
|
ngOnInit(): void {
|
||||||
super.ngOnInit()
|
super.ngOnInit()
|
||||||
this.onToggleSuperUser()
|
this.onToggleSuperUser()
|
||||||
|
if (!this.currentUserIsSuperUser) {
|
||||||
|
this.objectForm.get('is_superuser').disable()
|
||||||
|
} else {
|
||||||
|
this.objectForm.get('is_superuser').enable()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
getCreateTitle() {
|
getCreateTitle() {
|
||||||
|
|||||||
@ -681,6 +681,80 @@ class TestApiUser(DirectoriesMixin, APITestCase):
|
|||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
def test_only_superusers_can_create_or_alter_superuser_status(self):
|
||||||
|
"""
|
||||||
|
GIVEN:
|
||||||
|
- Existing user account
|
||||||
|
WHEN:
|
||||||
|
- API request is made to add a user account with superuser status
|
||||||
|
- API request is made to change superuser status
|
||||||
|
THEN:
|
||||||
|
- Only superusers can change superuser status
|
||||||
|
"""
|
||||||
|
|
||||||
|
user1 = User.objects.create_user(username="user1")
|
||||||
|
user1.user_permissions.add(*Permission.objects.all())
|
||||||
|
user2 = User.objects.create_superuser(username="user2")
|
||||||
|
|
||||||
|
self.client.force_authenticate(user1)
|
||||||
|
|
||||||
|
response = self.client.patch(
|
||||||
|
f"{self.ENDPOINT}{user1.pk}/",
|
||||||
|
json.dumps(
|
||||||
|
{
|
||||||
|
"is_superuser": True,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
content_type="application/json",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
response = self.client.post(
|
||||||
|
f"{self.ENDPOINT}",
|
||||||
|
json.dumps(
|
||||||
|
{
|
||||||
|
"username": "user3",
|
||||||
|
"is_superuser": True,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
content_type="application/json",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
self.client.force_authenticate(user2)
|
||||||
|
|
||||||
|
response = self.client.patch(
|
||||||
|
f"{self.ENDPOINT}{user1.pk}/",
|
||||||
|
json.dumps(
|
||||||
|
{
|
||||||
|
"is_superuser": True,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
content_type="application/json",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
|
||||||
|
returned_user1 = User.objects.get(pk=user1.pk)
|
||||||
|
self.assertEqual(returned_user1.is_superuser, True)
|
||||||
|
|
||||||
|
response = self.client.patch(
|
||||||
|
f"{self.ENDPOINT}{user1.pk}/",
|
||||||
|
json.dumps(
|
||||||
|
{
|
||||||
|
"is_superuser": False,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
content_type="application/json",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
|
||||||
|
returned_user1 = User.objects.get(pk=user1.pk)
|
||||||
|
self.assertEqual(returned_user1.is_superuser, False)
|
||||||
|
|
||||||
|
|
||||||
class TestApiGroup(DirectoriesMixin, APITestCase):
|
class TestApiGroup(DirectoriesMixin, APITestCase):
|
||||||
ENDPOINT = "/api/groups/"
|
ENDPOINT = "/api/groups/"
|
||||||
|
|||||||
@ -109,6 +109,25 @@ class UserViewSet(ModelViewSet):
|
|||||||
filterset_class = UserFilterSet
|
filterset_class = UserFilterSet
|
||||||
ordering_fields = ("username",)
|
ordering_fields = ("username",)
|
||||||
|
|
||||||
|
def create(self, request, *args, **kwargs):
|
||||||
|
if not request.user.is_superuser and request.data.get("is_superuser") is True:
|
||||||
|
return HttpResponseForbidden(
|
||||||
|
"Superuser status can only be granted by a superuser",
|
||||||
|
)
|
||||||
|
return super().create(request, *args, **kwargs)
|
||||||
|
|
||||||
|
def update(self, request, *args, **kwargs):
|
||||||
|
user_to_update: User = self.get_object()
|
||||||
|
if (
|
||||||
|
not request.user.is_superuser
|
||||||
|
and request.data.get("is_superuser") is not None
|
||||||
|
and request.data.get("is_superuser") != user_to_update.is_superuser
|
||||||
|
):
|
||||||
|
return HttpResponseForbidden(
|
||||||
|
"Superuser status can only be changed by a superuser",
|
||||||
|
)
|
||||||
|
return super().update(request, *args, **kwargs)
|
||||||
|
|
||||||
@action(detail=True, methods=["post"])
|
@action(detail=True, methods=["post"])
|
||||||
def deactivate_totp(self, request, pk=None):
|
def deactivate_totp(self, request, pk=None):
|
||||||
request_user = request.user
|
request_user = request.user
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user