User tenancy cannot be changed

Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/commit/fb427584
Tree: 
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/tree/fb427584
Diff: 
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/diff/fb427584

Branch: refs/heads/master
Commit: fb4275849b5f90a00c74e9538bd7903f7978f099
Parents: 3e23956
Author: nir-sopher <n...@qwilt.com>
Authored: Mon Jun 26 16:22:11 2017 +0300
Committer: Jeremy Mitchell <mitchell...@gmail.com>
Committed: Wed Jul 19 15:55:31 2017 -0600

----------------------------------------------------------------------
 traffic_ops/app/lib/API/User.pm           | 10 ++++++++
 traffic_ops/app/t/api/1.2/tenant_access.t | 34 +++++++++++++-------------
 2 files changed, 27 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/fb427584/traffic_ops/app/lib/API/User.pm
----------------------------------------------------------------------
diff --git a/traffic_ops/app/lib/API/User.pm b/traffic_ops/app/lib/API/User.pm
index 5b09d74..03372b8 100644
--- a/traffic_ops/app/lib/API/User.pm
+++ b/traffic_ops/app/lib/API/User.pm
@@ -184,6 +184,16 @@ sub update {
                #no access to target tenancy
                return $self->forbidden();
        }
+    if (defined ($user->tenant_id) and $user->tenant_id != $tenant_id){
+        #not allowing a tenant to be changed once not "none".
+        if (!defined($tenant_id) and 
$tenant_utils->is_root_tenant($tenants_data, 
$tenant_utils->current_user_tenant())) {
+            #however, as currently user deletion is not supported, a "root" 
tenant can
+            #move a user to undef tenant.
+        }
+        else{
+            return $self->alert("User tenant cannot be changed.");
+        }
+    }
 
        my ( $is_valid, $result ) = $self->is_valid( $params, $user_id );
 
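Review bot: The outer test `$user->tenant_id != $tenant_id` runs with `$tenant_id` undefined in exactly the case the inner branch then handles, so this authorization guard relies on undef being coerced to 0 (and emits an "uninitialized value" warning if warnings are enabled). Making the undef case explicit avoids that: `if (defined($user->tenant_id) and (!defined($tenant_id) or $user->tenant_id != $tenant_id)) {`. The `if` body that holds only comments would read more clearly inverted, so that the `return $self->alert(...)` is the guarded statement and the root-tenant exception is its condition. The guard also runs before `is_valid`, so if `$tenant_id` comes straight from the request (not visible here) it has not yet been checked as an integer when `!=` compares it; worth confirming. `update` starts and ends outside this hunk.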

http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/fb427584/traffic_ops/app/t/api/1.2/tenant_access.t
----------------------------------------------------------------------
diff --git a/traffic_ops/app/t/api/1.2/tenant_access.t 
b/traffic_ops/app/t/api/1.2/tenant_access.t
index b764502..2f5fce7 100644
--- a/traffic_ops/app/t/api/1.2/tenant_access.t
+++ b/traffic_ops/app/t/api/1.2/tenant_access.t
@@ -289,7 +289,7 @@ sub clear_tenant {
     #deleting the user - as the user do operations this is not so simple. We 
move it to the root tenant and the fixture cleanup will do
     my $json = decode_json( 
$t->get_ok('/api/1.2/users/'.$tenants_data->{$name}->{'admin_uid'})->tx->res->content->asset->slurp
 );
     my $response    = $json->{response}[0];
-    $response->{"tenantId"} = get_tenant_id("root");
+    $response->{"tenantId"} = undef;
     ok $t->put_ok('/api/1.2/users/'.$tenants_data->{$name}->{'admin_uid'} => 
{Accept => 'application/json'} => json => $response)
         ->status_is(200)->or( sub { diag 
$t->tx->res->content->asset->{content}; } )
         , 'Success move user?';
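Review bot: The context comment above this change still says the user is moved to the root tenant, but the new line sets `tenantId` to `undef`. It should be updated, for example to `#deleting the user is not simple as the user does operations; we clear its tenant (only a root-tenant user may do this) and the fixture cleanup does the rest`. This PUT is also the only visible exercise of the root-tenant exception added in User.pm, and it passes only if the session at this point belongs to a root-tenant user, which the hunk does not show; a short comment stating that precondition would help. `clear_tenant` begins and ends outside the hunk.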
@@ -424,22 +424,22 @@ sub test_user_resource_write_allow_access {
         , 'Success change user email: login tenant:'.$login_tenant.' resource 
tenant: '.$resource_tenant.'?';
 
     #change the tenant to my tenant
-    $response2edit->{"tenantId"} = $tenants_data->{$login_tenant}->{'id'};
-    ok $t->put_ok('/api/1.2/users/'.$new_userid => {Accept => 
'application/json'} => json => $response2edit)
-            ->status_is(200)->or( sub { diag 
$t->tx->res->content->asset->{content}; } )
-            ->json_is( "/response/username" =>  $response2edit->{"username"})
-            ->json_is( "/response/email" =>  $response2edit->{"email"} )
-            ->json_is( "/response/tenantId" =>  $response2edit->{"tenantId"})
-        , 'Success change user tenant to login: login tenant:'.$login_tenant.' 
resource tenant: '.$resource_tenant.'?';
-
-    #change the tenant to his tenant
-    $response2edit->{"tenantId"} = $tenants_data->{$resource_tenant}->{'id'};
-    ok $t->put_ok('/api/1.2/users/'.$new_userid => {Accept => 
'application/json'} => json => $response2edit)
-            ->status_is(200)->or( sub { diag 
$t->tx->res->content->asset->{content}; } )
-            ->json_is( "/response/username" =>  $response2edit->{"username"})
-            ->json_is( "/response/email" =>  $response2edit->{"email"} )
-            ->json_is( "/response/tenantId" =>  $response2edit->{"tenantId"})
-        , 'Success change user tenant to orig: login tenant:'.$login_tenant.' 
resource tenant: '.$resource_tenant.'?';
+    if ($resource_tenant eq "none" or $resource_tenant eq $login_tenant) {
+        $response2edit->{"tenantId"} = $tenants_data->{$login_tenant}->{'id'};
+        ok $t->put_ok('/api/1.2/users/'.$new_userid => { Accept => 
'application/json' } => json => $response2edit)
+                ->status_is(200)->or( sub { diag 
$t->tx->res->content->asset->{content}; } )
+                ->json_is( "/response/username" => 
$response2edit->{"username"})
+                ->json_is( "/response/email" => $response2edit->{"email"} )
+                ->json_is( "/response/tenantId" => 
$response2edit->{"tenantId"})
+            , 'Success change user tenant to login: login 
tenant:'.$login_tenant.' resource tenant: '.$resource_tenant.'?';
+    }
+    else{
+        $response2edit->{"tenantId"} = $tenants_data->{$login_tenant}->{'id'};
+        ok $t->put_ok('/api/1.2/users/'.$new_userid => { Accept => 
'application/json' } => json => $response2edit)
+                ->json_is( "/alerts/0/text" => "User tenant cannot be 
changed.")
+                ->status_is(400)->or( sub { diag 
$t->tx->res->content->asset->{content}; } )
+            , 'Cannot change tenancy as it is not allowed: login 
tenant:'.$login_tenant.' resource tenant: '.$resource_tenant.'?';
+    }
 
     logout_from_tenant_admin();
 
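Review bot: Nothing in this hunk tests the denial side of the root-only exception in User.pm. There is no case where a non-root tenant admin sends `tenantId` as `undef` for a user that already has a tenant and the test asserts the `User tenant cannot be changed.` alert; that is the path where a regression would silently re-open tenancy changes. In the `if` branch, `$resource_tenant eq $login_tenant` assigns the tenant the user already has, so only the "none" case exercises a real change; a comment saying so would prevent misreading the coverage. Both branches begin with the same `$response2edit->{"tenantId"} = $tenants_data->{$login_tenant}->{'id'};`, which could be hoisted above the `if`. The enclosing test sub continues outside the hunk.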
