From: Tom Clegg
Date: Thu, 26 Sep 2019 14:47:33 +0000 (-0400)
Subject: 15656: Fix missing permission check.
X-Git-Tag: 2.0.0~189^2~1
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/55e5a470d6430d2026b94892112be6d985bcef09

15656: Fix missing permission check.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---

diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 8999b3e14e..376be55ffb 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -423,6 +423,10 @@ class Container < ArvadosModel
 current_user.andand.is_admin
 end
 
+ def permission_to_destroy
+ current_user.andand.is_admin
+ end
+
 def ensure_owner_uuid_is_permitted
 # validate_change ensures owner_uuid can't be changed at all --
 # except during create, which requires admin privileges. Checking
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 88fd5feb6a..5f17efc445 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -980,6 +980,15 @@ class ContainerTest < ActiveSupport::TestCase
 end
 end
 
+ test "user cannot delete" do
+ set_user_from_auth :active
+ c, _ = minimal_new
+ assert_raises ArvadosModel::PermissionDeniedError do
+ c.destroy
+ end
+ assert Container.find_by_uuid(c.uuid)
+ end
+
 [
 {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
 {state: Container::Cancelled},
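Review bot: The new `permission_to_destroy` in container.rb carries no comment stating the policy it enforces, and its body is the same expression as the method whose tail is visible in the context lines just above it (that method's name is outside the hunk). Since this override is what stands between a non-admin user and container deletion, I would put the intent on it: `# Only admins may destroy containers. andand returns nil when there is no current user, so the check fails closed.` If the method above is the create check, a short mention that destroy deliberately mirrors it would keep a later edit from loosening one without the other. The enclosing class starts and ends outside the hunk.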
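Review bot: The added test in container_test.rb pins only the denial for the `:active` user; nothing in the hunk checks that an admin can still destroy a container, or that a call with no current user is refused. A deny-only test keeps passing if the override is later changed to reject everyone, and the no-user path is the one that depends on `andand` failing closed. I would add the admin case next to it, as sketched below. The `:admin` fixture name and a clean destroy of a freshly built container are assumptions to confirm against the test helpers, which are outside the hunk.

```ruby
# … unchanged: test "user cannot delete" …

test "admin can delete" do
  set_user_from_auth :admin   # fixture name assumed; confirm it exists
  c, _ = minimal_new
  c.destroy
  assert_nil Container.find_by_uuid(c.uuid)
end
```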