API server limits KeepService changes to admins.
authorBrett Smith <brett@curoverse.com>
Mon, 21 Sep 2015 18:56:43 +0000 (14:56 -0400)
committerBrett Smith <brett@curoverse.com>
Mon, 21 Sep 2015 18:56:43 +0000 (14:56 -0400)
Taking the same security policy that applies to disks and applying
it to services as well.  No issue #.

services/api/app/models/keep_service.rb
services/api/test/unit/keep_service_test.rb

index 6854ed2625218c462f786ab960268a8be7708910..58055297a1cf9945f36d441562d3818997b4da3a 100644 (file)
@@ -13,4 +13,13 @@ class KeepService < ArvadosModel
   api_accessible :superuser, :extend => :user do |t|
   end
 
+  protected
+
+  def permission_to_create
+    current_user.andand.is_admin
+  end
+
+  def permission_to_update
+    current_user.andand.is_admin
+  end
 end
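Review bot: Deletion is not covered by anything visible in this hunk: only `permission_to_create` and `permission_to_update` are overridden, so whether a non-admin can destroy a KeepService depends on how ArvadosModel gates destroy, which is outside the hunk. If the base class does not fall back to `permission_to_update` for destroy, an explicit admin-only override is needed here as well. A comment above `protected` such as `# Only admins may create or modify Keep services; requests with no current_user are denied.` would record the intent, including the nil case that `andand` handles. The two bodies are identical, so `permission_to_update` could call `permission_to_create` to keep the policy in one place. The KeepService class begins outside the hunk.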
index 72c4f8ed0266361348a3cc113bbb8f7ce502452d..8ca8c523d2f0cfb3c844ebdebf2efc68d6608296 100644 (file)
@@ -1,7 +1,33 @@
 require 'test_helper'
 
 class KeepServiceTest < ActiveSupport::TestCase
-  # test "the truth" do
-  #   assert true
-  # end
+  test "non-admins cannot create services" do
+    set_user_from_auth :active
+    ks = KeepService.new
+    assert_not_allowed do
+      ks.save
+    end
+  end
+
+  test "non-admins cannot update services" do
+    set_user_from_auth :active
+    ks = keep_services(:proxy)
+    ks.service_port = 64434
+    assert_not_allowed do
+      ks.save
+    end
+  end
+
+  test "admins can create services" do
+    set_user_from_auth :admin
+    ks = KeepService.new
+    assert(ks.save, "saving new service failed")
+  end
+
+  test "admins can update services" do
+    set_user_from_auth :admin
+    ks = keep_services(:proxy)
+    ks.service_port = 64434
+    assert(ks.save, "saving updated service failed")
+  end
 end
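Review bot: The negative cases stop at create and update for the `:active` user; there is no test that a non-admin is refused when destroying a service, and none for a request with no current user, which is the case the `andand` in the model exists to handle. A destroy case can reuse the existing fixture: `ks = keep_services(:proxy)` followed by `assert_not_allowed { ks.destroy }`. The non-admin update test would also be stronger if it reloaded the fixture afterwards and asserted that `service_port` still has its original value, so that the test pins the stored state and not only the refusal.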