Prevent the user from revoking their own admin privileges.

This commit is contained in:
yackob03 2013-11-05 18:37:28 -05:00
parent 91806ee252
commit e3a3ce0f80
2 changed files with 74 additions and 30 deletions

View file

@ -112,15 +112,39 @@ def create_team(name, org, team_role_name, description=''):
description=description)
def remove_team(org_name, team_name):
found = list(Team.select().join(User).where(User.organization == True,
def __get_user_admin_teams(org_name, team_name, username):
Org = User.alias()
user_teams = Team.select().join(TeamMember).join(User)
with_org = user_teams.switch(Team).join(Org,
on=(Org.id == Team.organization))
with_role = with_org.switch(Team).join(TeamRole)
admin_teams = with_role.where(User.username == username,
Org.username == org_name,
TeamRole.name == 'admin')
return admin_teams
def remove_team(org_name, team_name, removed_by_username):
joined = Team.select(Team, TeamRole).join(User).switch(Team).join(TeamRole)
found = list(joined.where(User.organization == True,
User.username == org_name,
Team.name == team_name))
if not found:
raise InvalidTeamException('Team named: %s is not a team in org: %s' %
raise InvalidTeamException('Team \'%s\' is not a team in org \'%s\'' %
(team_name, org_name))
team = found[0]
if team.role.name == 'admin':
admin_teams = list(__get_user_admin_teams(org_name, team_name,
removed_by_username))
if len(admin_teams) <= 1:
# The team we are trying to remove is the only admin team for this user
msg = ('Deleting team \'%s\' would remove all admin from user \'%s\'' %
(team_name, removed_by_username))
raise DataModelException(msg)
team.delete_instance(recursive=True, delete_nullable=True)
@ -128,18 +152,47 @@ def add_user_to_team(user, team):
return TeamMember.create(user=user, team=team)
def remove_user_from_team(user, team):
try:
found = TeamMember.get(user=user, team=team)
found.delete_instance()
except TeamMember.DoesNotExist:
raise InvalidTeamException('User does not belong to team.')
def remove_user_from_team(org_name, team_name, username, removed_by_username):
Org = User.alias()
joined = TeamMember.select().join(User).switch(TeamMember).join(Team)
with_role = joined.join(TeamRole)
with_org = with_role.switch(Team).join(Org,
on=(Org.id == Team.organization))
found = list(with_org.where(User.username == username,
Org.username == org_name,
Team.name == team_name))
if not found:
raise DataModelException('User %s does not belong to team %s' %
(username, teamname))
if username == removed_by_username:
admin_team_query = __get_user_admin_teams(org_name, team_name, username)
admin_team_names = {team.name for team in admin_team_query}
if team_name in admin_team_names and len(admin_team_names) <= 1:
msg = 'User cannot remove themselves from their only admin team.'
raise DataModelException(msg)
user_in_team = found[0]
user_in_team.delete_instance()
def get_team_org_role(team):
return TeamRole.get(TeamRole.id == team.role.id)
def set_team_org_permission(team, team_role_name):
def set_team_org_permission(team, team_role_name, set_by_username):
if team.role.name == 'admin' and team_role_name != 'admin':
# We need to make sure we're not removing the users only admin role
user_admin_teams = __get_user_admin_teams(team.organization.username,
team.name, set_by_username)
admin_team_set = {admin_team.name for admin_team in user_admin_teams}
if team.name in admin_team_set and len(admin_team_set) <= 1:
msg = (('Cannot remove admin from team \'%s\' because calling user ' +
'would no longer have admin on org \'%s\'') %
(team.name, team.organization.username))
raise DataModelException(msg)
new_role = TeamRole.get(TeamRole.name == team_role_name)
team.role = new_role
team.save()

View file

@ -341,9 +341,13 @@ def update_organization_team(orgname, teamname):
team.description = json['description']
team.save()
if 'role' in json:
team = model.set_team_org_permission(team, json['role'])
team = model.set_team_org_permission(team, json['role'],
current_user.db_user().username)
return jsonify(team_view(orgname, team))
resp = jsonify(team_view(orgname, team))
if not is_existing:
resp.status_code = 201
return resp
abort(403)
@ -353,7 +357,7 @@ def update_organization_team(orgname, teamname):
def delete_organization_team(orgname, teamname):
permission = AdministerOrganizationPermission(orgname)
if permission.can():
model.remove_team(orgname, teamname)
model.remove_team(orgname, teamname, current_user.db_user().username)
return make_response('Deleted', 204)
abort(403)
@ -415,22 +419,9 @@ def update_organization_team_member(orgname, teamname, membername):
def delete_organization_team_member(orgname, teamname, membername):
permission = AdministerOrganizationPermission(orgname)
if permission.can():
team = None
user = None
# Find the team.
try:
team = model.get_organization_team(orgname, teamname)
except:
abort(404)
# Find the user.
user = model.get_user(membername)
if not user:
abort(400)
# Remote the user from the team.
model.remove_user_from_team(user, team)
invoking_user = current_user.db_user().username
model.remove_user_from_team(orgname, teamname, membername, invoking_user)
return make_response('Deleted', 204)
abort(403)