From c604dbd0f69be59b4d6fa246b86555617c0c8931 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Thu, 14 Apr 2016 17:39:45 -0400 Subject: [PATCH] Fix permissions when converting a user to an org Fixes #1366 --- data/model/organization.py | 31 +++++++++++++--------- static/directives/convert-user-to-org.html | 20 ++++++++------ test/test_api_usage.py | 14 ++++++++++ 3 files changed, 45 insertions(+), 20 deletions(-) diff --git a/data/model/organization.py b/data/model/organization.py index e83c6907e..a63b020cc 100644 --- a/data/model/organization.py +++ b/data/model/organization.py @@ -35,23 +35,30 @@ def get_organization(name): def convert_user_to_organization(user_obj, admin_user): - # Change the user to an organization. - user_obj.organization = True + if user_obj.robot: + raise DataModelException('Cannot convert a robot into an organization') - # disable this account for login. - user_obj.password_hash = None - user_obj.save() + with db_transaction(): + # Change the user to an organization and disable this account for login. + user_obj.organization = True + user_obj.password_hash = None + user_obj.save() - # Clear any federated auth pointing to this user - FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute() + # Clear any federated auth pointing to this user. + FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute() - # Create a team for the owners - owners_team = team.create_team('owners', user_obj, 'admin') + # Delete any user-specific permissions on repositories. + (RepositoryPermission.delete() + .where(RepositoryPermission.user == user_obj) + .execute()) - # Add the user who will admin the org to the owners team - team.add_user_to_team(admin_user, owners_team) + # Create a team for the owners + owners_team = team.create_team('owners', user_obj, 'admin') - return user_obj + # Add the user who will admin the org to the owners team + team.add_user_to_team(admin_user, owners_team) + + return user_obj def get_user_organizations(username): diff --git a/static/directives/convert-user-to-org.html b/static/directives/convert-user-to-org.html index 4ba2d356a..17de3c008 100644 --- a/static/directives/convert-user-to-org.html +++ b/static/directives/convert-user-to-org.html @@ -1,15 +1,19 @@
-
-
-
- Cannot convert this account into an organization, as it is a member of {{user.organizations.length}} other - organization{{user.organizations.length > 1 ? 's' : ''}}. Please leave - {{user.organizations.length > 1 ? 'those organizations' : 'that organization'}} first. -
+
+
+ Cannot convert this account into an organization, as it is a member of {{user.organizations.length}} other + organization{{user.organizations.length > 1 ? 's' : ''}}. Please leave + {{user.organizations.length > 1 ? 'those organizations' : 'that organization'}} first. + +
    +
  • + {{ org.name }} +
  • +
-
+
Note: Converting a user account into an organization cannot be undone
diff --git a/test/test_api_usage.py b/test/test_api_usage.py index 66e24df22..7f6e69c7c 100644 --- a/test/test_api_usage.py +++ b/test/test_api_usage.py @@ -417,6 +417,15 @@ class TestConvertToOrganization(ApiTestCase): def test_convert(self): self.login(READ_ACCESS_USER) + + # Add at least one permission for the read-user. + read_user = model.user.get_user(READ_ACCESS_USER) + simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, 'simple') + read_role = database.Role.get(name='read') + + database.RepositoryPermission.create(user=read_user, repository=simple_repo, role=read_role) + + # Convert the read user into an organization. json = self.postJsonResponse(ConvertToOrganization, data={'adminUser': ADMIN_ACCESS_USER, 'adminPassword': 'password', @@ -436,6 +445,11 @@ class TestConvertToOrganization(ApiTestCase): self.assertEquals(READ_ACCESS_USER, json['name']) self.assertEquals(True, json['is_admin']) + # Verify the now-org has no permissions. + count = (database.RepositoryPermission.select() + .where(database.RepositoryPermission.user == organization) + .count()) + self.assertEquals(0, count) def test_convert_via_email(self): self.login(READ_ACCESS_USER)