From 746fae4efedd0e51909e8238e80a7d9c8b972612 Mon Sep 17 00:00:00 2001 From: Jakub Kadlčík Date: Jun 10 2019 09:46:50 +0000 Subject: [PATCH 1/2] [frontend] allow group members to delete all projects in the group See #779 Another possiblity would be to print an error message like this "This project is owned by who has exclusive permissions to delete it." But I feel like everybody in a group should be able to do whatever action for their group projects. --- diff --git a/frontend/coprs_frontend/coprs/logic/coprs_logic.py b/frontend/coprs_frontend/coprs/logic/coprs_logic.py index 8c446ad..729de11 100644 --- a/frontend/coprs_frontend/coprs/logic/coprs_logic.py +++ b/frontend/coprs_frontend/coprs/logic/coprs_logic.py @@ -368,10 +368,15 @@ class CoprsLogic(object): Raise InsufficientRightsException if given copr cant be deleted by given user. Return None otherwise. """ + if user.admin or user == copr.user: + return + + if copr.group: + return UsersLogic.raise_if_not_in_group(user, copr.group) + + raise exceptions.InsufficientRightsException( + "Only owners may delete their projects.") - if not user.admin and user != copr.user: - raise exceptions.InsufficientRightsException( - "Only owners may delete their projects.") class CoprPermissionsLogic(object): @classmethod From 2fa97a7f0f67eeffab0c07ac22e2fa09191a3f92 Mon Sep 17 00:00:00 2001 From: Jakub Kadlčík Date: Jun 10 2019 09:46:50 +0000 Subject: [PATCH 2/2] [frontend] do not consider permissions for project owner on group projects A user should not be able to remove a group project, that he originally created, if he is no long a member of the group. --- diff --git a/frontend/coprs_frontend/coprs/logic/coprs_logic.py b/frontend/coprs_frontend/coprs/logic/coprs_logic.py index 729de11..2c5dbab 100644 --- a/frontend/coprs_frontend/coprs/logic/coprs_logic.py +++ b/frontend/coprs_frontend/coprs/logic/coprs_logic.py 
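Review bot: In the group branch of the first patch's hunk, `return UsersLogic.raise_if_not_in_group(user, copr.group)` passes the helper's return value out of a check whose docstring promises `None`, so the result now depends on a function that is not shown here. Calling it as a plain statement, `UsersLogic.raise_if_not_in_group(user, copr.group)`, followed by a bare `return` keeps that contract local. The docstring is also left unchanged while the delete right widens to every member of `copr.group`; a line such as `Members of copr.group may delete group projects.` would make the broader rule visible to anyone auditing this check. The method's `def` line and the start of its docstring are above the hunk.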
@@ -368,12 +368,15 @@ class CoprsLogic(object): Raise InsufficientRightsException if given copr cant be deleted by given user. Return None otherwise. """ - if user.admin or user == copr.user: + if user.admin: return if copr.group: return UsersLogic.raise_if_not_in_group(user, copr.group) + if user == copr.user: + return + raise exceptions.InsufficientRightsException( "Only owners may delete their projects.") diff --git a/frontend/coprs_frontend/tests/test_logic/test_coprs_logic.py b/frontend/coprs_frontend/tests/test_logic/test_coprs_logic.py index 805c17b..b752abf 100644 --- a/frontend/coprs_frontend/tests/test_logic/test_coprs_logic.py +++ b/frontend/coprs_frontend/tests/test_logic/test_coprs_logic.py @@ -1,5 +1,6 @@ import json import datetime +import pytest from flask_whooshee import Whooshee @@ -9,10 +10,12 @@ from copr_common.enums import ActionTypeEnum from coprs import app from coprs.logic.actions_logic import ActionsLogic from coprs.logic.coprs_logic import CoprsLogic, CoprChrootsLogic +from coprs.logic.users_logic import UsersLogic from coprs import models from coprs.whoosheers import CoprWhoosheer from tests.coprs_test_case import CoprsTestCase +from coprs.exceptions import InsufficientRightsException class TestCoprsLogic(CoprsTestCase): 
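Review bot: The order of the three checks in `raise_if_cant_delete` is now what enforces the policy, and nothing in the code says so. If `user == copr.user` is ever moved back above `if copr.group:`, a former member regains delete rights on a group project they created. A comment above the group branch, e.g. `# Group projects: current membership decides; being the original creator is deliberately not enough.`, would guard against that. The test added later in this patch sets membership through `user.openid_groups`, so the decision presumably rests on group data stored with the user; if that is refreshed only at login, a removed member could keep the right until then, which is worth confirming in `raise_if_not_in_group` (not in this hunk). The method's signature is above the hunk.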
@@ -70,6 +73,30 @@ class TestCoprsLogic(CoprsTestCase): assert obtained == expected + def test_raise_if_cant_delete(self, f_users, f_fas_groups, f_coprs): + # Project owner should be able to delete his project + CoprsLogic.raise_if_cant_delete(self.u2, self.c2) + + # Admin should be able to delete everything + CoprsLogic.raise_if_cant_delete(self.u1, self.c2) + + # A user can't remove someone else's project + with pytest.raises(InsufficientRightsException): + CoprsLogic.raise_if_cant_delete(self.u2, self.c1) + + # Group member should be able to remove group project + self.u2.openid_groups = {"fas_groups": ["somegroup"]} + self.u3.openid_groups = {"fas_groups": ["somegroup"]} + + self.c2.group = UsersLogic.get_group_by_fas_name_or_create("somegroup") + CoprsLogic.raise_if_cant_delete(self.u3, self.c2) + + # Once a member is kicked from a group, he can't delete + # a project even though he originally created it + self.u2.openid_groups = {"fas_groups": []} + with pytest.raises(InsufficientRightsException): + CoprsLogic.raise_if_cant_delete(self.u2, self.c2) + def test_copr_logic_add_sends_create_gpg_key_action(self, f_users, f_mock_chroots, f_db): name = u"project_1" selected_chroots = [self.mc1.name]
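Review bot: The admin case in `test_raise_if_cant_delete` is asserted only while `c2` is still a personal project, so nothing pins that `user.admin` is checked before the group branch. Repeating `CoprsLogic.raise_if_cant_delete(self.u1, self.c2)` after `self.c2.group` is assigned would cover an admin on a group project, assuming `u1` is not itself in `somegroup`, which the fixtures outside this hunk decide. The last block reuses the project's creator as the non-member; a separate `pytest.raises(InsufficientRightsException)` case for a user who neither created `c2` nor belongs to the group would cover the plain outsider path.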