projects / osm / NBI.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 76d4b76)
Bug 2393 Fixed: Able to change password of other users with no admin privileges 96/14696/1
author37177 <adurti.v@tataelxsi.co.in>
Fri, 1 Nov 2024 08:55:59 +0000 (08:55 +0000)
committer37177 <adurti.v@tataelxsi.co.in>
Fri, 1 Nov 2024 08:55:59 +0000 (08:55 +0000)
Change-Id: I0df905358041df5c261d995c72a96972ae7b30d8
Signed-off-by: 37177 <adurti.v@tataelxsi.co.in>
osm_nbi/admin_topics.py patch | blob | history
osm_nbi/nbi.py patch | blob | history
osm_nbi/tests/test_admin_topics.py patch | blob | history

diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py
index 46bddeb..8ca0b2d 100644 (file)
--- a/osm_nbi/admin_topics.py
+++ b/osm_nbi/admin_topics.py
@@ -1104,6 +1104,21 @@ class UserTopicAuth(UserTopic):
                         http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
                     )
 
+            # password change
+            if indata.get("password"):
+                if not session.get("admin_show"):
+                    if not indata.get("system_admin_id"):
+                        if _id != session["user_id"]:
+                            raise EngineException(
+                                "You are not allowed to change other users password",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+                        if not indata.get("old_password"):
+                            raise EngineException(
+                                "Password change requires old password or admin ID",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+
             # user = self.show(session, _id)   # Already in 'content'
             original_mapping = content["project_role_mappings"]
 
diff --git a/osm_nbi/nbi.py b/osm_nbi/nbi.py
index 1bb7927..1b03ea5 100644 (file)
--- a/osm_nbi/nbi.py
+++ b/osm_nbi/nbi.py
@@ -1512,6 +1512,7 @@ class Server(object):
             "username": token_info["username"],
             "user_id": token_info["user_id"],
             "admin": token_info["admin"],
+            "admin_show": token_info["admin_show"],
             "public": None,
             "allow_show_user_project_role": token_info["allow_show_user_project_role"],
         }
diff --git a/osm_nbi/tests/test_admin_topics.py b/osm_nbi/tests/test_admin_topics.py
index a4c4918..2ecdbf7 100755 (executable)
--- a/osm_nbi/tests/test_admin_topics.py
+++ b/osm_nbi/tests/test_admin_topics.py
@@ -927,6 +927,7 @@ class Test_UserTopicAuth(TestCase):
         pid1 = str(uuid4())
         rid1 = str(uuid4())
         self.fake_session["user_id"] = uid
+        self.fake_session["admin_show"] = True
         prms = [
             {
                 "project": pid1,