authorDan Callaghan <dcallagh@redhat.com>2017-10-06 14:41:49 +1000
committerDan Callaghan <dcallagh@redhat.com>2017-10-12 06:29:04 +0000
commit902a75b0a1d1f0c8a92d522e83c3fab06969086d (patch)
tree763e22bd459d5c4dc2151170c1f606066509fc45
parent32416d9e38f34cf5cce899302667a39be28ed90e (diff)
disallow giving pools to deleted users
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py24
-rw-r--r--Server/bkr/server/pools.py2
2 files changed, 26 insertions, 0 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
index 3ce770b..96d8a85 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
@@ -568,6 +568,18 @@ class SystemPoolHTTPTest(DatabaseTestCase):
self.assertEquals(pool.owner.user_name, self.owner.user_name)
self.assertEquals(pool.access_policy.rules[0].everybody, True)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1498374
+ def test_cannot_create_system_pool_owned_by_deleted_user(self):
+ with session.begin():
+ self.owner.removed = datetime.datetime.utcnow()
+ s = requests.Session()
+ send_login(s)
+ response = post_json(get_server_base() + 'pools/', session=s,
+ data={'name': 'asdf', 'owner': {'user_name': self.owner.user_name}})
+ self.assertEquals(response.status_code, 400)
+ self.assertEquals(response.text,
+ 'System pool cannot be owned by deleted user %s' % self.owner.user_name)
+
def test_get_system_pool(self):
response = requests.get(get_server_base() +
'pools/%s/' % self.pool.name, headers={'Accept': 'application/json'})
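Review bot: test_cannot_create_system_pool_owned_by_deleted_user asserts only the 400 status and the message text, not that the server left its state untouched, so a regression that persists the pool and then returns the error would still pass. After the response assertions it would be worth asserting that no pool named 'asdf' exists. The same gap is in test_cannot_change_system_pool_owner_to_deleted_user in the next hunk, where `session.refresh(self.pool)` followed by `self.assertEquals(self.pool.owner.user_name, self.owner.user_name)` inside a `with session.begin():` block would pin that ownership did not change. Both tests belong to SystemPoolHTTPTest, whose definition starts outside these hunks.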
@@ -622,6 +634,18 @@ class SystemPoolHTTPTest(DatabaseTestCase):
session.refresh(self.pool)
self.assertTrue(self.pool.name)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1498374
+ def test_cannot_change_system_pool_owner_to_deleted_user(self):
+ with session.begin():
+ self.user.removed = datetime.datetime.utcnow()
+ s = requests.Session()
+ send_login(s, user=self.owner, password=u'theowner')
+ response = patch_json(get_server_base() + 'pools/%s/' % self.pool.name,
+ session=s, data={'owner': {'user_name': self.user.user_name}})
+ self.assertEquals(response.status_code, 400)
+ self.assertEquals(response.text,
+ 'System pool cannot be owned by deleted user %s' % self.user.user_name)
+
def test_add_system_to_pool(self):
with session.begin():
other_system = data_setup.create_system(owner=self.owner)
diff --git a/Server/bkr/server/pools.py b/Server/bkr/server/pools.py
index d5c856b..fe1c102 100644
--- a/Server/bkr/server/pools.py
+++ b/Server/bkr/server/pools.py
@@ -111,6 +111,8 @@ def _get_owner(data):
owner = User.by_user_name(user_name)
if owner is None:
raise BadRequest400('No such user %s' % user_name)
+ if owner.removed:
+ raise BadRequest400('System pool cannot be owned by deleted user %s' % owner.user_name)
owner_type = 'user'
if group_name:
try:
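Review bot: The new `if owner.removed:` guard covers only the user branch of `_get_owner`; the group branch starting at `if group_name:` continues outside the hunk, so it is not visible here whether a pool can still be assigned to a group in a comparable disabled state, if groups have one. That is worth confirming before treating the ownership rule as complete. The guard also rejects only new assignments, so pools already owned by an account at the time it is deleted are presumably handled elsewhere; verify that too. A short comment above the check, such as `# Deleted accounts must not become pool owners (bz1498374)`, would record why the rule exists.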