Added lockout protection, see #1452.

This commit is contained in:
Norman Jäckel 2016-01-09 11:59:34 +01:00
parent 6c33c60600
commit cb22071886
2 changed files with 42 additions and 0 deletions

View File

@ -105,6 +105,9 @@ class UserViewSet(ModelViewSet):
# Check manager perms
if (request.user.has_perm('users.can_see_extra_data') and
request.user.has_perm('users.can_manage')):
if request.data.get('is_active') is False and self.get_object() == request.user:
# A user can not deactivate himself.
raise ValidationError({'detail': _('You can not deactivate yourself.')})
response = super().update(request, *args, **kwargs)
else:
# Get user.
@ -134,6 +137,18 @@ class UserViewSet(ModelViewSet):
response = Response(serializer.data)
return response
def destroy(self, request, *args, **kwargs):
"""
Customized view endpoint to delete an user.
Ensures that no one can delete himself.
"""
instance = self.get_object()
if instance == self.request.user:
raise ValidationError({'detail': _('You can not delete yourself.')})
self.perform_destroy(instance)
return Response(status=status.HTTP_204_NO_CONTENT)
@detail_route(methods=['post'])
def reset_password(self, request, pk=None):
"""

View File

@ -112,6 +112,23 @@ class UserUpdate(TestCase):
self.assertEqual(response.status_code, 200)
self.assertEqual(User.objects.get(pk=1).username, 'New name Ohy4eeyei5')
def test_update_deactivate_yourselfself(self):
"""
Tests that an user can not deactivate himself.
"""
admin_client = APIClient()
admin_client.login(username='admin', password='admin')
# This is the builtin user 'Administrator'. The pk is valid.
user_pk = 1
response = admin_client.patch(
reverse('user-detail', args=[user_pk]),
{'username': 'admin',
'is_active': False},
format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
class UserDelete(TestCase):
"""
@ -127,6 +144,16 @@ class UserDelete(TestCase):
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(User.objects.filter(username='Test name bo3zieT3iefahng0ahqu').exists())
def test_delete_yourself(self):
admin_client = APIClient()
admin_client.login(username='admin', password='admin')
# This is the builtin user 'Administrator'. The pk is valid.
admin_user_pk = 1
response = admin_client.delete(reverse('user-detail', args=[admin_user_pk]))
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
class UserResetPassword(TestCase):
"""