From 55e5a470d6430d2026b94892112be6d985bcef09 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Thu, 26 Sep 2019 10:47:33 -0400
Subject: [PATCH 1/1] 15656: Fix missing permission check.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/api/app/models/container.rb | 4 ++++
 services/api/test/unit/container_test.rb | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 8999b3e14e..376be55ffb 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -423,6 +423,10 @@ class Container < ArvadosModel
 current_user.andand.is_admin
 end

+ def permission_to_destroy
+ current_user.andand.is_admin
+ end
+
 def ensure_owner_uuid_is_permitted
 # validate_change ensures owner_uuid can't be changed at all --
 # except during create, which requires admin privileges. Checking
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 88fd5feb6a..5f17efc445 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -980,6 +980,15 @@ class ContainerTest < ActiveSupport::TestCase
 end
 end

+ test "user cannot delete" do
+ set_user_from_auth :active
+ c, _ = minimal_new
+ assert_raises ArvadosModel::PermissionDeniedError do
+ c.destroy
+ end
+ assert Container.find_by_uuid(c.uuid)
+ end
+
 [
 {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
 {state: Container::Cancelled},
--
2.30.2
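Review bot: The new `permission_to_destroy` in container.rb has no comment saying that destroy is admin-only or that it denies when there is no user, and its body repeats the method that ends just above it. A one-line comment such as `# Only admins may destroy containers; with no current_user, andand yields nil and the check denies.` would record the fail-closed intent. The code that calls this hook is not in the hunk; if it runs from an ActiveRecord destroy callback, `delete` and `delete_all` skip callbacks and would not reach it, so it is worth confirming that no container code path uses them. The preceding method starts outside the hunk.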
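Review bot: The test "user cannot delete" pins only the deny path for the `:active` user, so a check that rejected every caller, admins included, would still pass. A companion case asserting that an admin can destroy a container would pin both sides of the new rule, and a case with no current user would cover the nil branch of `andand` if that state is reachable in this suite. The admin fixture name below is assumed from the `:active` naming, and whether destroy completes for an admin depends on callbacks not shown here. The enclosing test class starts and ends outside the hunk.

```ruby
test "admin can delete" do
  # assumes an admin auth fixture exists alongside :active — confirm the name
  set_user_from_auth :admin
  c, _ = minimal_new
  c.destroy
  assert_nil Container.find_by_uuid(c.uuid)
end
```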