From d37d7308827b4cc64272b5cc71f2adc4faf895a3 Mon Sep 17 00:00:00 2001
From: Brett Smith
Date: Mon, 21 Sep 2015 14:56:43 -0400
Subject: [PATCH] API server limits KeepService changes to admins. Taking the same security policy that applies to disks and applying them to services as well. No issue #.
---
 services/api/app/models/keep_service.rb | 9 ++++++
 services/api/test/unit/keep_service_test.rb | 32 +++++++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/services/api/app/models/keep_service.rb b/services/api/app/models/keep_service.rb
index 6854ed2625..58055297a1 100644
--- a/services/api/app/models/keep_service.rb
+++ b/services/api/app/models/keep_service.rb
@@ -13,4 +13,13 @@ class KeepService < ArvadosModel
 api_accessible :superuser, :extend => :user do |t|
 end
+ protected
+
+ def permission_to_create
+ current_user.andand.is_admin
+ end
+
+ def permission_to_update
+ current_user.andand.is_admin
+ end
 end
diff --git a/services/api/test/unit/keep_service_test.rb b/services/api/test/unit/keep_service_test.rb
index 72c4f8ed02..8ca8c523d2 100644
--- a/services/api/test/unit/keep_service_test.rb
+++ b/services/api/test/unit/keep_service_test.rb
@@ -1,7 +1,33 @@
 require 'test_helper'
 class KeepServiceTest < ActiveSupport::TestCase
- # test "the truth" do
- # assert true
- # end
+ test "non-admins cannot create services" do
+ set_user_from_auth :active
+ ks = KeepService.new
+ assert_not_allowed do
+ ks.save
+ end
+ end
+
+ test "non-admins cannot update services" do
+ set_user_from_auth :active
+ ks = keep_services(:proxy)
+ ks.service_port = 64434
+ assert_not_allowed do
+ ks.save
+ end
+ end
+
+ test "admins can create services" do
+ set_user_from_auth :admin
+ ks = KeepService.new
+ assert(ks.save, "saving new service failed")
+ end
+
+ test "admins can update services" do
+ set_user_from_auth :admin
+ ks = keep_services(:proxy)
+ ks.service_port = 64434
+ assert(ks.save, "saving updated service failed")
+ end
 end
-- 
2.30.2
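Review bot: Deletion is not covered by the two overrides added under `protected` in keep_service.rb, so whether a non-admin can destroy a KeepService depends on how ArvadosModel (not visible here) gates destroy. If the base class does not already route destroy through `permission_to_update`, the same `current_user.andand.is_admin` check should be added to its destroy hook. The test hunk in keep_service_test.rb has the matching gap and would benefit from a "non-admins cannot destroy services" case. Both overrides also replace the inherited checks without calling `super`, which appears intentional but deserves a comment such as `# Admin-only, same policy as Keep disks; nil current_user is denied via andand.` The class body starts outside the hunk.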
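Review bot: None of the four tests in keep_service_test.rb exercises a save with no authenticated user, which is the case the `andand` guard in the model exists for. A test that saves a `KeepService.new` with no current user set and wraps it in `assert_not_allowed` would pin that fail-closed behaviour. The "non-admins cannot update services" test also only checks that the save is refused, so reloading the `:proxy` fixture afterwards and asserting `service_port` is unchanged would confirm nothing was persisted.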