Merge pull request #3931 from rochacon/fix-keys-api-perms

Matthew Fisher · Matthew Fisher · commit 1bc6d2a0f9d8 · 2015-07-16T12:42:43.000-07:00
fix(controller): allow non superusers to manage their keys
diff --git a/controller/api/tests/test_key.py b/controller/api/tests/test_key.py
@@ -152,3 +152,13 @@ def test_rsa_key_str(self):
     def test_rsa_key_fingerprint(self):
         fp = fingerprint(RSA_PUBKEY)
         self.assertEquals(fp, '54:6d:da:1f:91:b5:2b:6f:a2:83:90:c4:f9:73:76:f5')
+
+    def test_key_api_with_non_superuser_rsa(self):
+        self.user = User.objects.get(username='autotest2')
+        self.token = self.user.auth_token.key
+        self._check_key(RSA_PUBKEY)
+
+    def test_key_api_with_non_superuser_ecdsa(self):
+        self.user = User.objects.get(username='autotest2')
+        self.token = self.user.auth_token.key
+        self._check_key(ECDSA_PUBKEY)
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -287,6 +287,7 @@ def get_object(self, **kwargs):
 class KeyViewSet(BaseDeisViewSet):
     """A viewset for interacting with Key objects."""
     model = models.Key
+    permission_classes = [IsAuthenticated, permissions.IsOwner]
     serializer_class = serializers.KeySerializer
 
 
