fix(controller): allow only admins cluster access

Matthew Fisher · Matthew Fisher · commit 42e45a6a14c5 · 2014-04-15T12:52:38.000-07:00
Before, anyone was able to add clusters into Deis, which is a management
nightmare. Administrators of Deis should be the only ones capable
of adding new clusters to Deis.

fixes #696
diff --git a/controller/api/fixtures/tests.json b/controller/api/fixtures/tests.json
@@ -16,5 +16,23 @@
         "email": "autotest@opdemand.com",
         "date_joined": "2013-05-10T16:08:09.357Z"
     }
+},
+{
+    "pk": 8,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest2",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest2@opdemand.com",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
 }
 ]
diff --git a/controller/api/tests/test_cluster.py b/controller/api/tests/test_cluster.py
@@ -25,7 +25,7 @@ def setUp(self):
 
     def test_cluster(self):
         """
-        Test that a user can create, read, update and delete a cluster
+        Test that an administrator can create, read, update and delete a cluster
         """
         url = '/api/clusters'
         options = {'key': 'val'}
@@ -56,3 +56,15 @@ def test_cluster(self):
         self.assertEqual(json.loads(response.data['options']), new_options)
         response = self.client.delete(url)
         self.assertEqual(response.status_code, 204)
+
+    def test_cluster_perms_denied(self):
+        """
+        Test that a user cannot make changes to a cluster
+        """
+        url = '/api/clusters'
+        options = {'key': 'val'}
+        self.client.login(username='autotest2', password='password')
+        body = {'id': 'autotest2', 'domain': 'autotest.local', 'type': 'mock',
+                'hosts': 'host1,host2', 'auth': 'base64string', 'options': options}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 403)
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -188,7 +188,7 @@ class ClusterViewSet(viewsets.ModelViewSet):
 
     model = models.Cluster
     serializer_class = serializers.ClusterSerializer
-    permission_classes = (permissions.IsAuthenticated, IsAdminOrSafeMethod)
+    permission_classes = (permissions.IsAuthenticated, IsAdmin)
     lookup_field = 'id'
 
     def pre_save(self, obj):
