Added lockout protection, see #1452.
This commit is contained in:
parent
6c33c60600
commit
cb22071886
@ -105,6 +105,9 @@ class UserViewSet(ModelViewSet):
|
||||
# Check manager perms
|
||||
if (request.user.has_perm('users.can_see_extra_data') and
|
||||
request.user.has_perm('users.can_manage')):
|
||||
if request.data.get('is_active') is False and self.get_object() == request.user:
|
||||
# A user can not deactivate himself.
|
||||
raise ValidationError({'detail': _('You can not deactivate yourself.')})
|
||||
response = super().update(request, *args, **kwargs)
|
||||
else:
|
||||
# Get user.
|
||||
@ -134,6 +137,18 @@ class UserViewSet(ModelViewSet):
|
||||
response = Response(serializer.data)
|
||||
return response
|
||||
|
||||
def destroy(self, request, *args, **kwargs):
|
||||
"""
|
||||
Customized view endpoint to delete an user.
|
||||
|
||||
Ensures that no one can delete himself.
|
||||
"""
|
||||
instance = self.get_object()
|
||||
if instance == self.request.user:
|
||||
raise ValidationError({'detail': _('You can not delete yourself.')})
|
||||
self.perform_destroy(instance)
|
||||
return Response(status=status.HTTP_204_NO_CONTENT)
|
||||
|
||||
@detail_route(methods=['post'])
|
||||
def reset_password(self, request, pk=None):
|
||||
"""
|
||||
|
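Review bot: The self-deactivation guard in the update hunk compares with `is False`, so it only fires for a JSON boolean; a form-encoded `'false'`/`'0'` or an integer `0` is not identical to `False`, yet the serializer's boolean field would presumably still accept it and deactivate the requesting user. Check the value the way the serializer will parse it, e.g. `is_active = request.data.get('is_active')` / `if self.get_object() == request.user and is_active in (False, 0, 'false', 'False', '0'):`, or validate the serializer first and test `serializer.validated_data.get('is_active') is False`. The guard also sits only inside the manager-perms branch, so whether a non-manager self-update can carry is_active is not visible from this hunk. The enclosing update method starts before the hunk.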
@ -112,6 +112,23 @@ class UserUpdate(TestCase):
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(User.objects.get(pk=1).username, 'New name Ohy4eeyei5')
|
||||
|
||||
def test_update_deactivate_yourselfself(self):
|
||||
"""
|
||||
Tests that an user can not deactivate himself.
|
||||
"""
|
||||
admin_client = APIClient()
|
||||
admin_client.login(username='admin', password='admin')
|
||||
# This is the builtin user 'Administrator'. The pk is valid.
|
||||
user_pk = 1
|
||||
|
||||
response = admin_client.patch(
|
||||
reverse('user-detail', args=[user_pk]),
|
||||
{'username': 'admin',
|
||||
'is_active': False},
|
||||
format='json')
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||
|
||||
|
||||
class UserDelete(TestCase):
|
||||
"""
|
||||
@ -127,6 +144,16 @@ class UserDelete(TestCase):
|
||||
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
|
||||
self.assertFalse(User.objects.filter(username='Test name bo3zieT3iefahng0ahqu').exists())
|
||||
|
||||
def test_delete_yourself(self):
|
||||
admin_client = APIClient()
|
||||
admin_client.login(username='admin', password='admin')
|
||||
# This is the builtin user 'Administrator'. The pk is valid.
|
||||
admin_user_pk = 1
|
||||
|
||||
response = admin_client.delete(reverse('user-detail', args=[admin_user_pk]))
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||
|
||||
|
||||
class UserResetPassword(TestCase):
|
||||
"""
|
||||
|
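Review bot: test_update_deactivate_yourselfself and test_delete_yourself only assert the 400 status; neither checks that the rejected request left the user untouched, which is the property the lockout protection exists to preserve. Add `self.assertTrue(User.objects.get(pk=user_pk).is_active)` after the patch and `self.assertTrue(User.objects.filter(pk=admin_user_pk).exists())` after the delete. The first method name also carries a doubled suffix (`yourselfself`), and test_delete_yourself lacks the one-line docstring its sibling has, e.g. `"""Tests that an user can not delete himself."""`.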