vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Really disallow usage of the same account for an org as the one being converted. Before, you could do so via email.

Browse source
This commit is contained in:
Joseph Schorr 2015-04-29 20:30:37 -04:00
parent edd0ba4cdb
commit 60036927c9
2 changed files with 16 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
endpoints/api/user.py
View file

@ -444,19 +444,19 @@ class ConvertToOrganization(ApiResource):
user = get_authenticated_user()
convert_data = request.get_json()
# Ensure that the new admin user is the not user being converted.
admin_username = convert_data['adminUser']
if admin_username == user.username:
raise request_error(reason='invaliduser',
message='The admin user is not valid')
# Ensure that the sign in credentials work.
admin_username = convert_data['adminUser']
admin_password = convert_data['adminPassword']
(admin_user, error_message) = authentication.verify_user(admin_username, admin_password)
if not admin_user:
raise request_error(reason='invaliduser',
message='The admin user credentials are not valid')
# Ensure that the new admin user is the not user being converted.
if admin_user.id == user.id:
raise request_error(reason='invaliduser',
message='The admin user is not valid')
# Subscribe the organization to the new plan.
if features.BILLING:
plan = convert_data.get('plan', 'free')

10
test/test_api_usage.py
View file

@ -307,6 +307,16 @@ class TestConvertToOrganization(ApiTestCase):
self.assertEqual('The admin user is not valid', json['message'])
def test_sameadminuser_by_email(self):
self.login(READ_ACCESS_USER)
json = self.postJsonResponse(ConvertToOrganization,
data={'adminUser': 'no1@thanks.com',
'adminPassword': 'password',
'plan': 'free'},
expected_code=400)
self.assertEqual('The admin user is not valid', json['message'])
def test_invalidadminuser(self):
self.login(READ_ACCESS_USER)
json = self.postJsonResponse(ConvertToOrganization,