Bug 2393 Fixed: Able to change password of other users with no admin privileges

Change-Id: I0df905358041df5c261d995c72a96972ae7b30d8
Signed-off-by: 37177 <adurti.v@tataelxsi.co.in>
Signed-off-by: garciadeblas <gerardo.garciadeblas@telefonica.com>

osm_nbi/admin_topics.py

@@ -1104,6 +1104,21 @@ class UserTopicAuth(UserTopic):
                         http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
                     )
 
+            # password change
+            if indata.get("password"):
+                if not session.get("admin_show"):
+                    if not indata.get("system_admin_id"):
+                        if _id != session["user_id"]:
+                            raise EngineException(
+                                "You are not allowed to change other users password",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+                        if not indata.get("old_password"):
+                            raise EngineException(
+                                "Password change requires old password or admin ID",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+
             # user = self.show(session, _id)   # Already in 'content'
             original_mapping = content["project_role_mappings"]
 

osm_nbi/nbi.py

@@ -1512,6 +1512,7 @@ class Server(object):
             "username": token_info["username"],
             "user_id": token_info["user_id"],
             "admin": token_info["admin"],
+            "admin_show": token_info["admin_show"],
             "public": None,
             "allow_show_user_project_role": token_info["allow_show_user_project_role"],
         }

osm_nbi/tests/test_admin_topics.py

@@ -927,6 +927,7 @@ class Test_UserTopicAuth(TestCase):
         pid1 = str(uuid4())
         rid1 = str(uuid4())
         self.fake_session["user_id"] = uid
+        self.fake_session["admin_show"] = True
         prms = [
             {
                 "project": pid1,