Merge pull request #958 from scitran/disable-clear-perms

Add ability to remove permissions when disabling user

Merge pull request #958 from scitran/disable-clear-perms
1789f634 · Megan Henning · GitHub · 3b28d68e · 5611e109 · 1789f634
Unverified Commit 1789f634 authored 7 years ago by Megan Henning Committed by GitHub 7 years ago
--- a/api/handlers/userhandler.py
+++ b/api/handlers/userhandler.py
@@ -84,9 +84,12 @@ class UserHandler(base.RequestHandler):
        payload_schema_uri = validators.schema_uri('input', 'user-update.json')
        payload_validator = validators.from_schema_path(payload_schema_uri)
        payload_validator(payload, 'PUT')
+
        payload['modified'] = datetime.datetime.utcnow()
        result = mongo_validator(permchecker(self.storage.exec_op))('PUT', _id=_id, payload=payload)
        if result.modified_count == 1:
+            if payload.get('disabled', False) and self.is_true('clear_permissions'):
+                self._cleanup_user_permissions(_id)
            return {'modified': result.modified_count}
        else:
            self.abort(404, 'User {} not updated'.format(_id))
@@ -114,14 +117,13 @@ class UserHandler(base.RequestHandler):

    def _cleanup_user_permissions(self, uid):
        try:
-            config.db.collections.delete_many({'curator': uid})
-            config.db.groups.update_many({'permissions._id': uid}, {'$pull': {'permissions' : {'_id': uid}}})

            query = {'permissions._id': uid}
            update = {'$pull': {'permissions' : {'_id': uid}}}
-            config.db.projects.update_many(query, update)
-            config.db.sessions.update_many(query, update)
-            config.db.acquisitions.update_many(query, update)
+
+            for cont in ['collections', 'groups', 'projects', 'sessions', 'acquisitions']:
+                config.db[cont].update_many(query, update)
+
        except APIStorageException:
            self.abort(500, 'Site-wide user permissions for {} were unabled to be removed'.format(uid))


--- a/test/integration_tests/python/test_users.py
+++ b/test/integration_tests/python/test_users.py
-def test_users(as_root, as_admin, as_user, as_public):
+def test_users(data_builder, as_root, as_admin, as_user, as_public):
    # List users
    r = as_user.get('/users')
    assert r.ok
@@ -91,6 +91,22 @@ def test_users(as_root, as_admin, as_user, as_public):
    assert r.ok
    assert r.json()['modified'] == 1

+    # Disable user, test clear permissions
+    project = data_builder.create_project()
+    r = as_admin.post('/projects/' + project + '/permissions', json={
+        '_id': new_user_id_admin,
+        'access': 'ro'
+    })
+    assert r.ok
+
+    r = as_admin.put('/users/' + new_user_id_admin, json={'disabled': True}, params={'clear_permissions': 1})
+    assert r.ok
+    assert r.json()['modified'] == 1
+
+    permissions = as_admin.get('/projects/' + project).json().get('permissions', [])
+    for p in permissions:
+        assert p['_id'] != new_user_id_admin
+
    # Try to delete non-existent user
    r = as_root.delete('/users/nonexistent@user.com')
    assert r.status_code == 404