From be9e0c7bd184cf7624753c8166e51dbc858d3717 Mon Sep 17 00:00:00 2001
From: Stamatis Katsaounis <mokats@intracom-telecom.com>
Date: Tue, 28 Aug 2018 14:52:28 +0300
Subject: Allow only owner of tests and administrator to delete tests

JIRA: DOVETAIL-734

This patch prevents anonymous users and not-owners to delete tests of
others.

Change-Id: Iaaf1d79db05216963705ab29bd2627bb19f3294d
Signed-off-by: Stamatis Katsaounis <mokats@intracom-telecom.com>
---
 opnfv_testapi/resources/test_handlers.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'opnfv_testapi')

diff --git a/opnfv_testapi/resources/test_handlers.py b/opnfv_testapi/resources/test_handlers.py
index 82cf9ae..0cc60d5 100644
--- a/opnfv_testapi/resources/test_handlers.py
+++ b/opnfv_testapi/resources/test_handlers.py
@@ -145,9 +145,23 @@ class TestsGURHandler(GenericTestHandler):
             raise gen.Return('API response validation enabled')
 
     @swagger.operation(nickname="deleteTestById")
+    @web.asynchronous
+    @gen.coroutine
     def delete(self, test_id):
-        query = {'_id': objectid.ObjectId(test_id)}
-        self._delete(query=query)
+        curr_user = self.get_secure_cookie(auth_const.OPENID)
+        curr_user_role = self.get_secure_cookie(auth_const.ROLE)
+        if curr_user is not None:
+            query = {'_id': objectid.ObjectId(test_id)}
+            test_data = yield dbapi.db_find_one(self.table, query)
+            if not test_data:
+                raises.NotFound(message.not_found(self.table, query))
+            if curr_user == test_data['owner'] or \
+               curr_user_role.find('administrator') != -1:
+                self._delete(query=query)
+            else:
+                raises.Forbidden(message.no_auth())
+        else:
+            raises.Unauthorized(message.no_auth())
 
     @swagger.operation(nickname="updateTestById")
     @web.asynchronous
-- 
cgit 1.2.3-korg