From 1c7a9ebd496807e3528aacac952602763d51f8e2 Mon Sep 17 00:00:00 2001
From: Aleksey Lim
Date: Fri, 05 Oct 2012 14:08:30 +0000
Subject: Allow users changing their own metadata
---
diff --git a/sugar_network/node/commands.py b/sugar_network/node/commands.py
index 47d4c82..ae63305 100644
--- a/sugar_network/node/commands.py
+++ b/sugar_network/node/commands.py
@@ -95,10 +95,13 @@ class NodeCommands(VolumeCommands, Commands):
 'User is not authenticated')
 if cmd.permissions & ad.ACCESS_AUTHOR and 'guid' in request:
- doc = self.volume[request['document']].get(request['guid'])
- enforce(request.principal in doc['user'] or
- auth.try_validate(request, 'root'), ad.Forbidden,
- 'Operation is permitted only for authors')
+ if request['document'] == 'user':
+ allowed = (request.principal == request['guid'])
+ else:
+ doc = self.volume[request['document']].get(request['guid'])
+ allowed = (request.principal in doc['user'])
+ enforce(allowed or auth.try_validate(request, 'root'),
+ ad.Forbidden, 'Operation is permitted only for authors')
 return cmd
diff --git a/tests/units/node.py b/tests/units/node.py
index 9a2689b..e0bd295 100755
--- a/tests/units/node.py
+++ b/tests/units/node.py
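Review bot: The new `user` branch in the commands.py hunk decides ownership from `request.principal == request['guid']` without loading the document, so the check is only sound while a user document's guid is always the owner's authenticated principal id, and nothing in the hunk states that invariant. I would put a comment above the branch, for example `# A user document's guid is the owner's principal id, so ownership needs no lookup`, so that a later change to how user guids are assigned is not missed here. The branch also opens every ACCESS_AUTHOR command on a user record to its owner; whether identity-bearing properties such as `pubkey` are protected from self-edit is decided outside this hunk and is worth confirming. The enclosing method starts before the hunk.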
@@ -180,6 +180,23 @@ class NodeTest(tests.Test):
 call(cp, method='GET', cmd='probe1', document='document', guid=guid, principal='principal')
 call(cp, method='GET', cmd='probe2', document='document', guid=guid)
+ def test_ForbiddenCommandsForUserResource(self):
+ cp = NodeCommands(Volume('db', [User]))
+
+ call(cp, method='POST', document='user', principal='fake', content={
+ 'name': 'user1',
+ 'color': '',
+ 'machine_sn': '',
+ 'machine_uuid': '',
+ 'pubkey': tests.PUBKEY,
+ })
+ self.assertEqual('user1', call(cp, method='GET', document='user', guid=tests.UID, prop='name'))
+
+ self.assertRaises(Unauthorized, call, cp, method='PUT', document='user', guid=tests.UID, content={'name': 'user2'})
+ self.assertRaises(ad.Forbidden, call, cp, method='PUT', document='user', guid=tests.UID, principal='fake', content={'name': 'user2'})
+ call(cp, method='PUT', document='user', guid=tests.UID, principal=tests.UID, content={'name': 'user2'})
+ self.assertEqual('user2', call(cp, method='GET', document='user', guid=tests.UID, prop='name'))
+
 def test_SetUser(self):
 cp = NodeCommands(Volume('db'))
-- cgit v0.9.1
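Review bot: The new test exercises the owner path only for `name`, so it does not pin down what an owner must not be able to change on their own record. The fixture posts the user as principal `'fake'` with a `pubkey` and then addresses the record as `tests.UID`, which suggests the guid is derived from the key. If that is the case, a case asserting the outcome of a `PUT` with `content={'pubkey': ...}` by `principal=tests.UID` would document whether the identity binding can be rewritten by the owner. A case for the `root` override on a `user` document would also cover the `auth.try_validate(request, 'root')` arm that the commands.py change keeps.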