Merge pull request #1794 from normanjaeckel/LockoutProtextion
Added lockout protection, see #1452.
This commit is contained in:
commit
cad252cd2b
@ -105,6 +105,9 @@ class UserViewSet(ModelViewSet):
|
|||||||
# Check manager perms
|
# Check manager perms
|
||||||
if (request.user.has_perm('users.can_see_extra_data') and
|
if (request.user.has_perm('users.can_see_extra_data') and
|
||||||
request.user.has_perm('users.can_manage')):
|
request.user.has_perm('users.can_manage')):
|
||||||
|
if request.data.get('is_active') is False and self.get_object() == request.user:
|
||||||
|
# A user can not deactivate himself.
|
||||||
|
raise ValidationError({'detail': _('You can not deactivate yourself.')})
|
||||||
response = super().update(request, *args, **kwargs)
|
response = super().update(request, *args, **kwargs)
|
||||||
else:
|
else:
|
||||||
# Get user.
|
# Get user.
|
||||||
@ -134,6 +137,18 @@ class UserViewSet(ModelViewSet):
|
|||||||
response = Response(serializer.data)
|
response = Response(serializer.data)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
def destroy(self, request, *args, **kwargs):
|
||||||
|
"""
|
||||||
|
Customized view endpoint to delete an user.
|
||||||
|
|
||||||
|
Ensures that no one can delete himself.
|
||||||
|
"""
|
||||||
|
instance = self.get_object()
|
||||||
|
if instance == self.request.user:
|
||||||
|
raise ValidationError({'detail': _('You can not delete yourself.')})
|
||||||
|
self.perform_destroy(instance)
|
||||||
|
return Response(status=status.HTTP_204_NO_CONTENT)
|
||||||
|
|
||||||
@detail_route(methods=['post'])
|
@detail_route(methods=['post'])
|
||||||
def reset_password(self, request, pk=None):
|
def reset_password(self, request, pk=None):
|
||||||
"""
|
"""
|
||||||
|
@ -112,6 +112,23 @@ class UserUpdate(TestCase):
|
|||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
self.assertEqual(User.objects.get(pk=1).username, 'New name Ohy4eeyei5')
|
self.assertEqual(User.objects.get(pk=1).username, 'New name Ohy4eeyei5')
|
||||||
|
|
||||||
|
def test_update_deactivate_yourselfself(self):
|
||||||
|
"""
|
||||||
|
Tests that an user can not deactivate himself.
|
||||||
|
"""
|
||||||
|
admin_client = APIClient()
|
||||||
|
admin_client.login(username='admin', password='admin')
|
||||||
|
# This is the builtin user 'Administrator'. The pk is valid.
|
||||||
|
user_pk = 1
|
||||||
|
|
||||||
|
response = admin_client.patch(
|
||||||
|
reverse('user-detail', args=[user_pk]),
|
||||||
|
{'username': 'admin',
|
||||||
|
'is_active': False},
|
||||||
|
format='json')
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
|
||||||
|
|
||||||
class UserDelete(TestCase):
|
class UserDelete(TestCase):
|
||||||
"""
|
"""
|
||||||
@ -127,6 +144,16 @@ class UserDelete(TestCase):
|
|||||||
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
|
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
|
||||||
self.assertFalse(User.objects.filter(username='Test name bo3zieT3iefahng0ahqu').exists())
|
self.assertFalse(User.objects.filter(username='Test name bo3zieT3iefahng0ahqu').exists())
|
||||||
|
|
||||||
|
def test_delete_yourself(self):
|
||||||
|
admin_client = APIClient()
|
||||||
|
admin_client.login(username='admin', password='admin')
|
||||||
|
# This is the builtin user 'Administrator'. The pk is valid.
|
||||||
|
admin_user_pk = 1
|
||||||
|
|
||||||
|
response = admin_client.delete(reverse('user-detail', args=[admin_user_pk]))
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
|
||||||
|
|
||||||
class UserResetPassword(TestCase):
|
class UserResetPassword(TestCase):
|
||||||
"""
|
"""
|
||||||
|
Loading…
Reference in New Issue
Block a user