authorDan Callaghan <dcallagh@redhat.com>2017-10-06 13:27:22 +1000
committerDan Callaghan <dcallagh@redhat.com>2017-10-12 06:28:29 +0000
commit58e6b2b4fa1df0d7600d57c1646e47a0def834ca (patch)
tree0586524baec8065b7fd57061506d325173e489b8
parent9c90d5581c3fd0cf8ee680882b97cde939a8f28d (diff)
disallow adding deleted users to groups
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py37
-rw-r--r--Server/bkr/server/group.py4
2 files changed, 40 insertions, 1 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
index 7b9cf31..397123b 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
@@ -4,12 +4,14 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
+import datetime
import crypt
import requests
+import xmlrpclib
from turbogears.database import session
from bkr.server.model import Group, User, Activity, UserGroup, \
SystemPermission, GroupMembershipType
-from bkr.inttest.server.selenium import WebDriverTestCase
+from bkr.inttest.server.selenium import WebDriverTestCase, XmlRpcTestCase
from bkr.inttest import data_setup, get_server_base, with_transaction, \
mail_capture, DatabaseTestCase
from bkr.inttest.server.webdriver_utils import login, logout, \
@@ -1169,6 +1171,19 @@ class GroupHTTPTest(DatabaseTestCase):
self.assertIn("Cannot edit membership of group %s" %
ldap_group.group_name, response.text)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1497881
+ def test_cannot_add_deleted_account_as_member(self):
+ with session.begin():
+ deleted_user = data_setup.create_user()
+ deleted_user.removed = datetime.datetime.utcnow()
+ s = requests.Session()
+ requests_login(s)
+ response = post_json(get_server_base() + 'groups/%s/members/' % self.group.group_name,
+ session=s, data={'user_name': deleted_user.user_name})
+ self.assertEquals(response.status_code, 400)
+ self.assertEquals(response.text,
+ 'Cannot add deleted user %s to group' % deleted_user.user_name)
+
def test_can_add_member(self):
with session.begin():
user = data_setup.create_user(password=u'password')
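Review bot: The new test_cannot_add_deleted_account_as_member asserts only the 400 status and the response text, so it would still pass if the handler added the member and then returned the error. After the request, re-read the group in a fresh `with session.begin():` block and add `self.assertNotIn(deleted_user, self.group.users)` so the test pins the security property itself rather than the message. The XML-RPC test of the same name in GroupXmlRpcTest (third hunk) has the same gap.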
@@ -1495,3 +1510,23 @@ class GroupHTTPTest(DatabaseTestCase):
self.assertEquals(self.inverted_group.activity[-1].field_name, 'User')
self.assertEquals(self.inverted_group.activity[-1].action, 'Re-added')
self.assertEquals(self.inverted_group.activity[-1].old_value, unicode(user))
+
+# There are no callers of the group XMLRPC methods left in Beaker itself, but
+# we still support the XMLRPC methods for older client versions and other
+# people's scripts, etc.
+class GroupXmlRpcTest(XmlRpcTestCase):
+
+ def setUp(self):
+ with session.begin():
+ self.owner = data_setup.create_user(password=u'owner')
+ self.group = data_setup.create_group(owner=self.owner)
+
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1497881
+ def test_cannot_add_deleted_account_as_member(self):
+ with session.begin():
+ deleted_user = data_setup.create_user()
+ deleted_user.removed = datetime.datetime.utcnow()
+ server = self.get_server()
+ server.auth.login_password(self.owner.user_name, u'owner')
+ with self.assertRaisesRegexp(xmlrpclib.Fault, 'Cannot add deleted user .* to group'):
+ server.groups.modify(self.group.group_name, {'add_member': deleted_user.user_name})
diff --git a/Server/bkr/server/group.py b/Server/bkr/server/group.py
index 1a0f0f7..7bc2857 100644
--- a/Server/bkr/server/group.py
+++ b/Server/bkr/server/group.py
@@ -255,6 +255,8 @@ class Groups(RPCRoot):
user = User.by_user_name(username)
if user is None:
raise BX(_(u'User does not exist %s' % username))
+ if user.removed:
+ raise BX(_(u'Cannot add deleted user %s to group' % user.user_name))
if user not in group.users:
group.add_member(user, service=u'XMLRPC',
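Review bot: The deleted-account check is added separately here and in add_group_membership (second hunk of this file), yet both paths end in the same `group.add_member(...)` call, so any other caller of that method, none of which are visible in this diff, would presumably still accept a removed user. Enforcing the rule once in the model method, for example a guard such as `if user.removed: raise ValueError(u'Cannot add deleted user %s to group' % user.user_name)` at the top of add_member, would make it hold for every entry point, with the handlers translating it into BX or BadRequest400. It is also worth confirming whether the ownership-granting paths need the same restriction, since `is_owner` is accepted right after the new check in the HTTP handler. The enclosing method starts and ends outside this hunk.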
@@ -607,6 +609,8 @@ def add_group_membership(group_name):
if 'user_name' not in data:
raise BadRequest400('User not specified')
user = _get_user_by_username(data['user_name'])
+ if user.removed:
+ raise BadRequest400('Cannot add deleted user %s to group' % user.user_name)
is_owner = data.get('is_owner', False)
if user not in group.users:
group.add_member(user, is_owner=is_owner, agent=identity.current.user)