Prevent the user from revoking their own admin privileges.

2013-11-05 18:37:28 -05:00 · 2013-11-05 18:37:28 -05:00 · e3a3ce0f80
commit e3a3ce0f80
parent 91806ee252
2 changed files with 74 additions and 30 deletions
--- a/endpoints/api.py
+++ b/endpoints/api.py
@ -341,9 +341,13 @@ def update_organization_team(orgname, teamname):
        team.description = json['description']
        team.save()
      if 'role' in json:
-        team = model.set_team_org_permission(team, json['role'])
+        team = model.set_team_org_permission(team, json['role'],
+                                             current_user.db_user().username)
      
-    return jsonify(team_view(orgname, team))
+    resp = jsonify(team_view(orgname, team))
+    if not is_existing:
+      resp.status_code = 201
+    return resp

  abort(403)

@ -353,7 +357,7 @@ def update_organization_team(orgname, teamname):
 def delete_organization_team(orgname, teamname):
  permission = AdministerOrganizationPermission(orgname)
  if permission.can():
-    model.remove_team(orgname, teamname)
+    model.remove_team(orgname, teamname, current_user.db_user().username)
    return make_response('Deleted', 204)

  abort(403)
@ -415,22 +419,9 @@ def update_organization_team_member(orgname, teamname, membername):
 def delete_organization_team_member(orgname, teamname, membername):
  permission = AdministerOrganizationPermission(orgname)
  if permission.can():
-    team = None
-    user = None
-
-    # Find the team.
-    try:
-      team = model.get_organization_team(orgname, teamname)
-    except:
-      abort(404)
-
-    # Find the user.
-    user = model.get_user(membername)
-    if not user:
-      abort(400)
-      
    # Remote the user from the team.
-    model.remove_user_from_team(user, team)
+    invoking_user = current_user.db_user().username
+    model.remove_user_from_team(orgname, teamname, membername, invoking_user)
    return make_response('Deleted', 204)

  abort(403)