blocks user_activity_list for non sysadmins

8829c47b · Benjamin Becker · 1c4d9979 · 8829c47b · 8829c47b
Commit 8829c47b authored 4 years ago by Benjamin Becker
--- a/ckanext/odsh/logic/auth.py
+++ b/ckanext/odsh/logic/auth.py
@@ -24,6 +24,10 @@ def allow_sysadmin_only(original_auth_function):
 def user_list(context, data_dict):
    pass
+@allow_sysadmin_only(get.user_activity_list)
+def user_activity_list(context, data_dict):
+    pass
 @allow_sysadmin_only(update.user_update)
 def user_update(context, data_dict):
    pass
@@ -39,6 +43,7 @@ def user_invite(context, data_dict):
 def get_auth_functions():
    return {
        "user_list": user_list,
+        "user_activity_list": user_activity_list,
        "user_update": user_update,
        "user_create": user_create,
        "user_invite": user_invite,

--- a/ckanext/odsh/tests_tpsh/test_auth.py
+++ b/ckanext/odsh/tests_tpsh/test_auth.py
@@ -23,6 +23,11 @@ class TestAuthorization:
        assert response.status_code == 403
        assert "Zugriff nicht erlaubt" in response
+        url = url_for("user.activity", id=username)
+        response = app.get(url)
+        assert response.status_code == 500
    def test_user_actions_not_accessible_by_regular_user(self):
        def assert_not_authorized(action, context, data_dict):
            with pytest.raises(NotAuthorized):
@@ -36,6 +41,7 @@ class TestAuthorization:
        assert_not_authorized("user_delete", {"user": username}, {"id": username})
        assert_not_authorized("user_create", {"user": username}, {"name": "foo"})
        assert_not_authorized("user_invite", {"user": username}, {})
+        assert_not_authorized("user_activity_list", {"user": username}, {"id": username})
    def test_user_list_accessible_for_sysadmin(self):
        adminuser = factories.Sysadmin()