From 76d4b765f629fa33904fb0d5ee42cfc9803e590a Mon Sep 17 00:00:00 2001
From: Adurti <adurti.v@tataelxsi.co.in>
Date: Tue, 7 May 2024 06:04:37 +0000
Subject: [PATCH] Bug 2351 Fixed: Able to Update user role even with project
 user role

Change-Id: I787b76f53219d24113dd3cb30ea3cafd18933d8f
Signed-off-by: Adurti <adurti.v@tataelxsi.co.in>
---
 osm_nbi/admin_topics.py            | 24 ++++++++++++++++++++++++
 osm_nbi/nbi.py                     |  1 +
 osm_nbi/tests/test_admin_topics.py |  9 +++++++++
 3 files changed, 34 insertions(+)

diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py
index 02a9737..46bddeb 100644
--- a/osm_nbi/admin_topics.py
+++ b/osm_nbi/admin_topics.py
@@ -1079,6 +1079,30 @@ class UserTopicAuth(UserTopic):
                     indata["add_project_role_mappings"].append(
                         {"project": proj, "role": rid}
                     )
+            if (
+                indata.get("remove_project_role_mappings")
+                or indata.get("add_project_role_mappings")
+                or indata.get("project_role_mappings")
+            ):
+                user_details = self.db.get_one("users", {"_id": session.get("user_id")})
+                edit_role = False
+                for pr in user_details["project_role_mappings"]:
+                    role_id = pr.get("role")
+                    role_details = self.db.get_one("roles", {"_id": role_id})
+                    if role_details["permissions"].get("default"):
+                        if "roles" not in role_details["permissions"] or role_details[
+                            "permissions"
+                        ].get("roles"):
+                            edit_role = True
+                    elif role_details["permissions"].get("roles"):
+                        edit_role = True
+                if not edit_role:
+                    raise EngineException(
+                        "User {} has no privileges to edit or delete project-role mappings".format(
+                            session.get("username")
+                        ),
+                        http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
+                    )
 
             # user = self.show(session, _id)   # Already in 'content'
             original_mapping = content["project_role_mappings"]
diff --git a/osm_nbi/nbi.py b/osm_nbi/nbi.py
index d169cdd..1bb7927 100644
--- a/osm_nbi/nbi.py
+++ b/osm_nbi/nbi.py
@@ -1510,6 +1510,7 @@ class Server(object):
             "force": False,
             "project_id": (token_info["project_id"],),
             "username": token_info["username"],
+            "user_id": token_info["user_id"],
             "admin": token_info["admin"],
             "public": None,
             "allow_show_user_project_role": token_info["allow_show_user_project_role"],
diff --git a/osm_nbi/tests/test_admin_topics.py b/osm_nbi/tests/test_admin_topics.py
index 4da4d61..a4c4918 100755
--- a/osm_nbi/tests/test_admin_topics.py
+++ b/osm_nbi/tests/test_admin_topics.py
@@ -926,6 +926,7 @@ class Test_UserTopicAuth(TestCase):
         uid = str(uuid4())
         pid1 = str(uuid4())
         rid1 = str(uuid4())
+        self.fake_session["user_id"] = uid
         prms = [
             {
                 "project": pid1,
@@ -953,6 +954,14 @@ class Test_UserTopicAuth(TestCase):
                 {"_id": rid2, "name": "role-2"},
                 {"_id": rid1, "name": "role-1"},
             ]
+
+            role = {
+                "_id": rid1,
+                "name": "role-1",
+                "permissions": {"default": False, "admin": False, "roles": True},
+            }
+            self.db.create("users", user)
+            self.db.create("roles", role)
             new_name = "new-user-name"
             new_pasw = "New@pwd1"
             add_prms = [{"project": pid2, "role": rid2}]
-- 
2.25.1