root tag not needed to get another user's projects

c27b480e · Harsha Kethineni · 80218b84 · c27b480e · c27b480e
Commit c27b480e authored 7 years ago by Harsha Kethineni
--- a/api/handlers/containerhandler.py
+++ b/api/handlers/containerhandler.py
@@ -368,7 +368,7 @@ class ContainerHandler(base.RequestHandler):
        self.storage = self.config['storage']
        projection = self.config['list_projection']
        # select which permission filter will be applied to the list of results.
-        if self.superuser_request:
+        if self.superuser_request or self.user_is_admin:
            permchecker = always_ok
        elif self.public_request:
            self.abort(403, 'this request is not allowed')

--- a/test/integration_tests/python/test_users.py
+++ b/test/integration_tests/python/test_users.py
@@ -65,6 +65,14 @@ def test_users(as_root, as_admin, as_user, as_public):
    r = as_user.get('/users/' + new_user_id)
    assert r.ok

+    # Try getting another user's projects without admin priveledges
+    r = as_user.get('/users/' + new_user_id + '/projects')
+    assert r.status_code == 403
+
+    # Get another user's projects
+    r = as_admin.get('/users/' + new_user_id + '/projects')
+    assert r.ok
+
    # Try to update non-existent user
    r = as_root.put('/users/nonexistent@user.com', json={'firstname': 'Realname'})
    assert r.status_code == 404