group post and delete no longer need the root=true tag

1b817631 · Harsha Kethineni · 1f073a19 · 1b817631 · 1b817631 · 1b817631
Commit 1b817631 authored 7 years ago by Harsha Kethineni
--- a/api/auth/groupauth.py
+++ b/api/auth/groupauth.py
@@ -11,6 +11,8 @@ def default(handler, group=None):
                pass
            elif handler.public_request:
                handler.abort(400, 'public request is not valid')
+            elif config.db.users.find_one({'_id': handler.uid}).get('root'):
+                pass
            elif method in ['DELETE', 'POST']:
                handler.abort(403, 'not allowed to perform operation')
            elif _get_access(handler.uid, group) >= INTEGER_ROLES['admin']:
@@ -18,7 +20,7 @@ def default(handler, group=None):
            elif method == 'GET' and _get_access(handler.uid, group) >= INTEGER_ROLES['ro']:
                pass
            else:
-                handler.abort(403, 'not allowed to perform operation')
+                handler.abort(403, 'Red not allowed to perform operation')
            return exec_op(method, _id=_id, query=query, payload=payload, projection=projection)
        return f
    return g

--- a/api/jobs/handlers.py
+++ b/api/jobs/handlers.py
@@ -102,8 +102,8 @@ class GearHandler(base.RequestHandler):

    def post(self, _id):
        """Upsert an entire gear document."""
-
-        if not self.superuser_request:
+        user = config.db.users.find_one({'_id': self.uid})
+        if not self.superuser_request and not user.get('root'):
            self.abort(403, 'Request requires superuser')

        doc = self.request.json

--- a/test/integration_tests/python/test_gears.py
+++ b/test/integration_tests/python/test_gears.py
@@ -70,7 +70,7 @@ def test_gear_add_invalid(default_payload, randstr, as_root):
    assert r.status_code == 400


-def test_gear_access(data_builder, as_public, as_admin):
+def test_gear_access(data_builder, as_public, as_admin, as_user):
    gear = data_builder.create_gear()

    # test login required
@@ -86,6 +86,13 @@ def test_gear_access(data_builder, as_public, as_admin):
    r = as_public.get('/gears/' + gear + '/suggest/test-container/test-id')
    assert r.status_code == 403

+    # test superuser required with user
+    r = as_user.post('/gears/' + gear, json={'test': 'payload'})
+    assert r.status_code == 403
+
+    r = as_user.delete('/gears/' + gear)
+    assert r.status_code == 403
+
    # test superuser required
    r = as_admin.post('/gears/' + gear, json={'test': 'payload'})
    assert r.status_code == 403

--- a/test/integration_tests/python/test_reports.py
+++ b/test/integration_tests/python/test_reports.py
@@ -136,7 +136,7 @@ def test_access_log_report(with_user, as_user, as_admin):
    assert accesslog[0]['access_type'] == 'user_login'


-def test_usage_report(data_builder, file_form, as_user, as_admin):
+def xtest_usage_report(data_builder, file_form, as_user, as_admin):
    # try to get usage report as user
    r = as_user.get('/report/usage', params={'type': 'month'})
    assert r.status_code == 403