From: Brett Smith
Date: Mon, 21 Sep 2015 18:56:43 +0000 (-0400)
Subject: API server limits KeepService changes to admins.
X-Git-Tag: 1.1.0~1351
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/d37d7308827b4cc64272b5cc71f2adc4faf895a3
API server limits KeepService changes to admins.
Taking the same security policy that applies to disks and applying them to services as well.
No issue #.
---
diff --git a/services/api/app/models/keep_service.rb b/services/api/app/models/keep_service.rb
index 6854ed2625..58055297a1 100644
--- a/services/api/app/models/keep_service.rb
+++ b/services/api/app/models/keep_service.rb
@@ -13,4 +13,13 @@ class KeepService < ArvadosModel
 api_accessible :superuser, :extend => :user do |t|
 end
+ protected
+
+ def permission_to_create
+ current_user.andand.is_admin
+ end
+
+ def permission_to_update
+ current_user.andand.is_admin
+ end
 end
diff --git a/services/api/test/unit/keep_service_test.rb b/services/api/test/unit/keep_service_test.rb
index 72c4f8ed02..8ca8c523d2 100644
--- a/services/api/test/unit/keep_service_test.rb
+++ b/services/api/test/unit/keep_service_test.rb
@@ -1,7 +1,33 @@
 require 'test_helper'
 class KeepServiceTest < ActiveSupport::TestCase
- # test "the truth" do
- # assert true
- # end
+ test "non-admins cannot create services" do
+ set_user_from_auth :active
+ ks = KeepService.new
+ assert_not_allowed do
+ ks.save
+ end
+ end
+
+ test "non-admins cannot update services" do
+ set_user_from_auth :active
+ ks = keep_services(:proxy)
+ ks.service_port = 64434
+ assert_not_allowed do
+ ks.save
+ end
+ end
+
+ test "admins can create services" do
+ set_user_from_auth :admin
+ ks = KeepService.new
+ assert(ks.save, "saving new service failed")
+ end
+
+ test "admins can update services" do
+ set_user_from_auth :admin
+ ks = keep_services(:proxy)
+ ks.service_port = 64434
+ assert(ks.save, "saving updated service failed")
+ end
 end
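Review bot: The new permission_to_create and permission_to_update hooks leave deletion uncovered — nothing in this hunk overrides permission_to_destroy, so unless ArvadosModel's default already routes destroy through permission_to_update (not visible here), a non-admin who cannot edit a KeepService could still remove one, which is a worse outcome for clients that discover Keep via this table. Worth checking arvados_model.rb, and if it does not fall back, adding `def permission_to_destroy; current_user.andand.is_admin; end` next to the other two, or collapsing all three identical bodies into one private `admin_only?` helper they call. A one-line comment above `protected` would also tell the next reader why this model is locked down, e.g. `# Keep services are cluster infrastructure: only admins may register or change them (same policy as KeepDisk).`. The hunk shows only the tail of the KeepService class; its header and any earlier hooks are outside this view.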
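Review bot: The new tests pin create and update for admins and one non-admin, but not destroy and not the no-current-user case that `current_user.andand.is_admin` is written to handle, so half of the policy the commit introduces is unverified. A destroy test in the same shape as the update one would close the larger gap, assuming destroy goes through the same before-hook permission check as save. The "admins can create services" case also saves a bare `KeepService.new`; if the model ever gains validations that test will fail for an unrelated reason, so setting `service_port` and whatever other columns the `:proxy` fixture populates would keep it focused on the permission path.
```ruby
  test "non-admins cannot delete services" do
    set_user_from_auth :active
    ks = keep_services(:proxy)
    assert_not_allowed do
      ks.destroy
    end
  end
```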