Merge pull request #4147 from Joshua-Anderson/admin-user-cancelation

feat(controller): allow admins to delete users

Author: Matthew Fisher

api/tests/test_auth.py

@@ -170,21 +170,31 @@ def test_cancel(self):
         """Test that a registered user can cancel her account."""
         # test registration workflow
         username, password = 'newuser', 'password'
-        first_name, last_name = 'Otto', 'Test'
-        email = 'autotest@deis.io'
         submit = {
             'username': username,
             'password': password,
-            'first_name': first_name,
-            'last_name': last_name,
-            'email': email,
+            'first_name': 'Otto',
+            'last_name': 'Test',
+            'email': 'autotest@deis.io',
             # try to abuse superuser/staff level perms
             'is_superuser': True,
             'is_staff': True,
         }
+
+        other_username, other_password = 'newuser2', 'password'
+        other_submit = {
+            'username': other_username,
+            'password': other_password,
+            'first_name': 'Test',
+            'last_name': 'Tester',
+            'email': 'autotest-2@deis.io',
+            'is_superuser': False,
+            'is_staff': False,
+        }
         url = '/v1/auth/register'
         response = self.client.post(url, json.dumps(submit), content_type='application/json')
         self.assertEqual(response.status_code, 201)
+
         # cancel the account
         url = '/v1/auth/cancel'
         user = User.objects.get(username=username)
@@ -193,6 +203,25 @@ def test_cancel(self):
                                       HTTP_AUTHORIZATION='token {}'.format(token))
         self.assertEqual(response.status_code, 204)
 
+        url = '/v1/auth/register'
+        response = self.client.post(url, json.dumps(other_submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+
+        # normal user can't delete another user
+        url = '/v1/auth/cancel'
+        other_user = User.objects.get(username=other_username)
+        other_token = Token.objects.get(user=other_user).key
+        response = self.client.delete(url, json.dumps({'username': self.admin.username}),
+                                      content_type='application/json',
+                                      HTTP_AUTHORIZATION='token {}'.format(other_token))
+        self.assertEqual(response.status_code, 403)
+
+        # admin can delete another user
+        response = self.client.delete(url, json.dumps({'username': other_username}),
+                                      content_type='application/json',
+                                      HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
+        self.assertEqual(response.status_code, 204)
+
     def test_passwd(self):
         """Test that a registered user can change the password."""
         # test registration workflow

api/views.py

@@ -26,8 +26,7 @@ class UserRegistrationViewSet(GenericViewSet,
     serializer_class = serializers.UserSerializer
 
 
-class UserManagementViewSet(GenericViewSet,
-                            mixins.DestroyModelMixin):
+class UserManagementViewSet(GenericViewSet):
     serializer_class = serializers.UserSerializer
 
     def get_queryset(self):
@@ -36,6 +35,20 @@ def get_queryset(self):
     def get_object(self):
         return self.get_queryset()[0]
 
+    def destroy(self, request, **kwargs):
+        calling_obj = self.get_object()
+        target_obj = calling_obj
+
+        if request.data.get('username'):
+            # if you "accidentally" target yourself, that should be fine
+            if calling_obj.username == request.data['username'] or calling_obj.is_superuser:
+                target_obj = get_object_or_404(User, username=request.data['username'])
+            else:
+                raise PermissionDenied()
+
+        target_obj.delete()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
     def passwd(self, request, **kwargs):
         caller_obj = self.get_object()
         target_obj = self.get_object()