Fix some bugs with the permissions API. Prevent the user from removing themelves as admin.

endpoints/api.py

@@ -153,8 +153,7 @@ def get_permissions(namespace, repository, username):
                (namespace, repository, username))
   permission = AdministerRepositoryPermission(namespace, repository)
   if permission.can():
-    user = current_user.db_user
-    perm = model.get_user_reponame_permission(user, namespace, repository)
+    perm = model.get_user_reponame_permission(username, namespace, repository)
     return jsonify(role_view(perm))
 
   abort(403)  # Permission denied
@@ -169,11 +168,15 @@ def change_permissions(namespace, repository, username):
   if permission.can():
     new_permission = request.get_json()
 
-    user = current_user.db_user
     logger.debug('Setting permission to: %s for user %s' %
                  (new_permission['role'], username))
-    perm = model.set_user_repo_permission(user, namespace, repository,
-                                          new_permission['role'])
+
+    try:
+      perm = model.set_user_repo_permission(username, namespace, repository,
+                                            new_permission['role'])
+    except model.DataModelException:
+      logger.warning('User tried to remove themselves as admin.')
+      abort(409)
 
     resp = jsonify(role_view(perm))
     if request.method == 'POST':
@@ -189,7 +192,12 @@ def change_permissions(namespace, repository, username):
 def delete_permissions(namespace, repository, username):
   permission = AdministerRepositoryPermission(namespace, repository)
   if permission.can():
-    model.delete_user_permission(current_user.db_user, namespace, repository)
+    try:
+      model.delete_user_permission(username, namespace, repository)
+    except model.DataModelException:
+      logger.warning('User tried to remove themselves as admin.')
+      abort(409)
+
     return make_response('Deleted', 204)
 
   abort(403)  # Permission denied