summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Callaghan <dcallagh@redhat.com>2017-10-05 17:59:53 +1000
committerDan Callaghan <dcallagh@redhat.com>2017-10-12 06:28:29 +0000
commit6a3a93ff6e544b9251cc91a0534455a51f59b133 (patch)
tree347e94b338fa01df3c89213422a2b0f0c6c5e020
parentaa6ca48acf927d67e1870ba29088ee774b604741 (diff)
disallow lending systems to deleted users
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_system_loan.py21
-rw-r--r--Server/bkr/server/model/inventory.py2
2 files changed, 22 insertions, 1 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_loan.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_loan.py
index 9d04f43..b99ac26 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_loan.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_loan.py
@@ -5,11 +5,14 @@
# (at your option) any later version.
import unittest
+import datetime
+import requests
from selenium.webdriver.support.ui import WebDriverWait
from bkr.server.model import SystemActivity, System, SystemPermission
from bkr.inttest.server.selenium import WebDriverTestCase
+from bkr.inttest.server.requests_utils import login as requests_login, post_json
from bkr.inttest.server.webdriver_utils import login, logout
-from bkr.inttest import data_setup, with_transaction, get_server_base
+from bkr.inttest import data_setup, with_transaction, get_server_base, DatabaseTestCase
from turbogears.database import session
class SystemLoanTest(WebDriverTestCase):
@@ -255,3 +258,19 @@ class SystemLoanTest(WebDriverTestCase):
self.change_loan(u' jgillard', expect_success=False)
error = 'user name jgillard is invalid'
self.verify_loan_error(error)
+
+class SystemLoanHTTPTest(DatabaseTestCase):
+
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1497881
+ def test_cannot_lend_to_deleted_user(self):
+ with session.begin():
+ system = data_setup.create_system()
+ deleted_user = data_setup.create_user()
+ deleted_user.removed = datetime.datetime.utcnow()
+ s = requests.Session()
+ requests_login(s)
+ response = post_json(get_server_base() + 'systems/%s/loans/' % system.fqdn,
+ session=s, data={'recipient': {'user_name': deleted_user.user_name}})
+ self.assertEquals(response.status_code, 400)
+ self.assertEquals(response.text,
+ 'Cannot lend to deleted user %s' % deleted_user.user_name)
diff --git a/Server/bkr/server/model/inventory.py b/Server/bkr/server/model/inventory.py
index ecbc073..1303569 100644
--- a/Server/bkr/server/model/inventory.py
+++ b/Server/bkr/server/model/inventory.py
@@ -1107,6 +1107,8 @@ class System(DeclarativeMappedObject, ActivityMixin):
if not user:
# This is an error condition
raise ValueError('user name %s is invalid' % loaning_to)
+ if user.removed:
+ raise ValueError('Cannot lend to deleted user %s' % user.user_name)
if user == identity.current.user:
if not self.can_borrow(identity.current.user):
msg = '%s cannot borrow this system' % user