-
Notifications
You must be signed in to change notification settings - Fork 406
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Tighten ACL for user routes (#2929)
- Loading branch information
Showing
2 changed files
with
46 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1157,6 +1157,27 @@ def test_make_user_group_admin_success( | |
| ) | ||
|
|
||
|
|
||
| def test_make_user_group_admin_forbidden( | ||
| staff_client: FFAdminUser, | ||
| organisation: Organisation, | ||
| user_permission_group: UserPermissionGroup, | ||
| ): | ||
| # Given | ||
| another_user = FFAdminUser.objects.create(email="[email protected]") | ||
| another_user.add_organisation(organisation) | ||
| another_user.permission_groups.add(user_permission_group) | ||
| url = reverse( | ||
| "api-v1:organisations:make-user-group-admin", | ||
| args=[organisation.id, user_permission_group.id, another_user.id], | ||
| ) | ||
|
|
||
| # When | ||
| response = staff_client.post(url) | ||
|
|
||
| # Then | ||
| assert response.status_code == status.HTTP_403_FORBIDDEN | ||
|
|
||
|
|
||
| def test_remove_user_as_group_admin_user_does_not_belong_to_group( | ||
| admin_client, admin_user, organisation, user_permission_group | ||
| ): | ||
|
|
@@ -1202,6 +1223,27 @@ def test_remove_user_as_group_admin_success( | |
| ) | ||
|
|
||
|
|
||
| def test_remove_user_as_group_admin_forbidden( | ||
| staff_client: FFAdminUser, | ||
| organisation: Organisation, | ||
| user_permission_group: UserPermissionGroup, | ||
| ): | ||
| # Given | ||
| another_user = FFAdminUser.objects.create(email="[email protected]") | ||
| another_user.add_organisation(organisation) | ||
| another_user.permission_groups.add(user_permission_group) | ||
| another_user.make_group_admin(user_permission_group.id) | ||
| url = reverse( | ||
| "api-v1:organisations:remove-user-group-admin", | ||
| args=[organisation.id, user_permission_group.id, another_user.id], | ||
| ) | ||
|
|
||
| # When | ||
| response = staff_client.post(url) | ||
| # Then | ||
| assert response.status_code == status.HTTP_403_FORBIDDEN | ||
|
|
||
|
|
||
| def test_list_user_groups_as_group_admin(organisation, api_client): | ||
| # Given | ||
| user1 = FFAdminUser.objects.create(email="[email protected]") | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3732e67There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Successfully deployed to the following URLs:
docs – ./docs
docs-flagsmith.vercel.app
docs-git-main-flagsmith.vercel.app
docs.flagsmith.com
docs.bullet-train.io
3732e67There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Successfully deployed to the following URLs:
flagsmith-frontend-staging – ./frontend
flagsmith-staging-frontend.vercel.app
flagsmith-frontend-staging-flagsmith.vercel.app
staging.flagsmith.com
flagsmith-frontend-staging-git-main-flagsmith.vercel.app
3732e67There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Successfully deployed to the following URLs:
flagsmith-frontend-preview – ./frontend
flagsmith-frontend-preview-flagsmith.vercel.app
flagsmith-frontend-preview-git-main-flagsmith.vercel.app
flagsmith-frontend-production-native.vercel.app