SONAR-4411 Prevent self-deletion and default admin account deletion with the WS api
authorJean-Baptiste Vilain <jean-baptiste.vilain@sonarsource.com>
Mon, 24 Jun 2013 09:04:25 +0000 (11:04 +0200)
committerJean-Baptiste Vilain <jean-baptiste.vilain@sonarsource.com>
Mon, 24 Jun 2013 09:04:25 +0000 (11:04 +0200)
sonar-server/src/main/webapp/WEB-INF/app/controllers/api/users_controller.rb

index e17b69b9948f96b6a0f584f406117df121e1ad4d..4f9a1cf304cce1a1a5c9e693cc0828346e55d097 100644 (file)
@@ -61,6 +61,8 @@ class Api::UsersController < Api::ApiController
   # -- Example
   # curl -X POST -v -u admin:admin 'http://localhost:9000/api/users/create?login=user&password=user_pw&password_confirmation=user_pw'
   #
+  # since 3.7
+  #
   def create
     verify_post_request
     access_denied unless has_role?(:admin)
@@ -100,6 +102,8 @@ class Api::UsersController < Api::ApiController
   # -- Example
   # curl -X POST -v -u admin:admin 'http://localhost:9000/api/users/update?login=user&email=new_email'
   #
+  # since 3.7
+  #
   def update
     verify_post_request
     access_denied unless has_role?(:admin)
@@ -128,6 +132,8 @@ class Api::UsersController < Api::ApiController
   # -- Example
   # curl -X POST -v -u admin:admin 'http://localhost:9000/api/users/delete?login=user'
   #
+  # since 3.7
+  #
   def delete
     verify_post_request
     access_denied unless has_role?(:admin)
@@ -137,6 +143,8 @@ class Api::UsersController < Api::ApiController
 
     if user.nil?
       render_bad_request "Could not find user with login #{params[:login]}"
+    elsif user == current_user || user.login == 'admin'
+      render_bad_request "Cannot delete user #{params[:login]}"
     else
       if user.destroy
         render_success "Successfully deleted user #{params[:login]}"
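Review bot: The new guard on the `elsif` line hard-codes the protected login as the bare literal `'admin'`, which is the kind of value that drifts when the same check is needed elsewhere (for example if the same protection is later wanted on update or deactivation); a named constant on the controller, `DEFAULT_ADMIN_LOGIN = 'admin'.freeze`, with the branch written as `elsif user.login == current_user.login || user.login == DEFAULT_ADMIN_LOGIN`, keeps the rule in one place and reads as policy rather than a magic string. Comparing logins rather than `user == current_user` also makes the self-deletion check independent of how record equality happens to be defined for the user model; that equality is presumably ActiveRecord's id-based `==`, which would be fine, but it is not visible here. A one-line comment above the branch stating the intent, `# An admin must not delete their own account or the built-in admin account`, would help the next reader see this is a deliberate policy and not a duplicate-lookup check. The enclosing `delete` action starts before this hunk and its `if user.destroy` branch continues past it.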