authorAleksey Lim <alsroot@sugarlabs.org>2012-10-05 14:08:30 (GMT)
committer Aleksey Lim <alsroot@sugarlabs.org>2012-10-05 14:08:30 (GMT)
commit1c7a9ebd496807e3528aacac952602763d51f8e2 (patch)
tree96d93d055871cc1ea17de016a812042055e3ccaf
parent37430cd6e8d348ca00e70f776c2c6321a43dd46a (diff)
Allow users changing their own metadata
-rw-r--r--sugar_network/node/commands.py11
-rwxr-xr-xtests/units/node.py17
2 files changed, 24 insertions, 4 deletions
diff --git a/sugar_network/node/commands.py b/sugar_network/node/commands.py
index 47d4c82..ae63305 100644
--- a/sugar_network/node/commands.py
+++ b/sugar_network/node/commands.py
@@ -95,10 +95,13 @@ class NodeCommands(VolumeCommands, Commands):
'User is not authenticated')
if cmd.permissions & ad.ACCESS_AUTHOR and 'guid' in request:
- doc = self.volume[request['document']].get(request['guid'])
- enforce(request.principal in doc['user'] or
- auth.try_validate(request, 'root'), ad.Forbidden,
- 'Operation is permitted only for authors')
+ if request['document'] == 'user':
+ allowed = (request.principal == request['guid'])
+ else:
+ doc = self.volume[request['document']].get(request['guid'])
+ allowed = (request.principal in doc['user'])
+ enforce(allowed or auth.try_validate(request, 'root'),
+ ad.Forbidden, 'Operation is permitted only for authors')
return cmd
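Review bot: The new `user` branch authorizes on `request.principal == request['guid']` alone, so it is only safe if `request.principal` is an authenticated identity in the same form as a user guid, and nothing in this hunk shows where that is established. I would record the invariant above the branch, e.g. `# User documents have no 'user' author list; the owner is the document itself, so principal must equal guid`, and confirm that a caller-supplied, unverified principal cannot reach this comparison. The branch also skips the `self.volume[...].get(...)` lookup, so an unknown user guid is no longer touched here and presumably has to be rejected by the command handler. The message 'Operation is permitted only for authors' now reads oddly when a self-edit is denied. The enclosing method starts outside the hunk.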
diff --git a/tests/units/node.py b/tests/units/node.py
index 9a2689b..e0bd295 100755
--- a/tests/units/node.py
+++ b/tests/units/node.py
@@ -180,6 +180,23 @@ class NodeTest(tests.Test):
call(cp, method='GET', cmd='probe1', document='document', guid=guid, principal='principal')
call(cp, method='GET', cmd='probe2', document='document', guid=guid)
+ def test_ForbiddenCommandsForUserResource(self):
+ cp = NodeCommands(Volume('db', [User]))
+
+ call(cp, method='POST', document='user', principal='fake', content={
+ 'name': 'user1',
+ 'color': '',
+ 'machine_sn': '',
+ 'machine_uuid': '',
+ 'pubkey': tests.PUBKEY,
+ })
+ self.assertEqual('user1', call(cp, method='GET', document='user', guid=tests.UID, prop='name'))
+
+ self.assertRaises(Unauthorized, call, cp, method='PUT', document='user', guid=tests.UID, content={'name': 'user2'})
+ self.assertRaises(ad.Forbidden, call, cp, method='PUT', document='user', guid=tests.UID, principal='fake', content={'name': 'user2'})
+ call(cp, method='PUT', document='user', guid=tests.UID, principal=tests.UID, content={'name': 'user2'})
+ self.assertEqual('user2', call(cp, method='GET', document='user', guid=tests.UID, prop='name'))
+
def test_SetUser(self):
cp = NodeCommands(Volume('db'))
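Review bot: The denial cases in `test_ForbiddenCommandsForUserResource` never check that the rejected `PUT` calls left the record untouched, so a handler that raised after writing would still pass. Repeating `self.assertEqual('user1', call(cp, method='GET', document='user', guid=tests.UID, prop='name'))` directly after the two `assertRaises` lines would pin that. The Forbidden case also uses only `principal='fake'`, which is never registered as a user. The test therefore does not show a second existing user being refused, and it does not exercise the `auth.try_validate(request, 'root')` override for `user` documents. Both would be worth adding as separate assertions.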