From 8829c47be81f2345fb7a66a78888e6788aa2e82a Mon Sep 17 00:00:00 2001
From: Benjamin Becker <benjamin.becker@dataport.de>
Date: Mon, 15 Mar 2021 11:28:53 +0000
Subject: [PATCH] blocks user_activity_list for non sysadmins

---
 ckanext/odsh/logic/auth.py           | 5 +++++
 ckanext/odsh/tests_tpsh/test_auth.py | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/ckanext/odsh/logic/auth.py b/ckanext/odsh/logic/auth.py
index d3b3b2a9..1bac994d 100644
--- a/ckanext/odsh/logic/auth.py
+++ b/ckanext/odsh/logic/auth.py
@@ -24,6 +24,10 @@ def allow_sysadmin_only(original_auth_function):
 def user_list(context, data_dict):
     pass
 
+@allow_sysadmin_only(get.user_activity_list)
+def user_activity_list(context, data_dict):
+    pass
+
 @allow_sysadmin_only(update.user_update)
 def user_update(context, data_dict):
     pass
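Review bot: The new `user_activity_list` wrapper at the top of the hunk carries no docstring, so a reader has to open `allow_sysadmin_only` (its body is above the hunk) to learn what the `pass` body and the wrapped `get.user_activity_list` amount to. Since the same shape is used by `user_list` and `user_update`, the intent is presumably that the decorator replaces the body entirely and only consults CKAN's original check for sysadmins; that is worth stating on the function itself, including that it also denies a regular user reading their own activity stream. I would add `"""Auth for ``user_activity_list``: sysadmins only; all other users, including the stream's owner, are denied (see ``allow_sysadmin_only``)."""` as the body's docstring. The registration of the name in `get_auth_functions` in the next hunk is consistent with the other entries and needs nothing further.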
@@ -39,6 +43,7 @@ def user_invite(context, data_dict):
 def get_auth_functions():
     return {
         "user_list": user_list,
+        "user_activity_list": user_activity_list,
         "user_update": user_update,
         "user_create": user_create,
         "user_invite": user_invite,
diff --git a/ckanext/odsh/tests_tpsh/test_auth.py b/ckanext/odsh/tests_tpsh/test_auth.py
index 0c2e0e89..a3a26768 100644
--- a/ckanext/odsh/tests_tpsh/test_auth.py
+++ b/ckanext/odsh/tests_tpsh/test_auth.py
@@ -22,6 +22,11 @@ class TestAuthorization:
         response = app.get(url)
         assert response.status_code == 403
         assert "Zugriff nicht erlaubt" in response
+
+        url = url_for("user.activity", id=username)
+        response = app.get(url)
+        assert response.status_code == 500
+
     
     def test_user_actions_not_accessible_by_regular_user(self):
         def assert_not_authorized(action, context, data_dict):
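Review bot: The added request to `url_for("user.activity", id=username)` asserts `response.status_code == 500`, which pins an internal server error as the expected outcome of an authorization denial, while the sibling check a few lines above expects `403` together with the `"Zugriff nicht erlaubt"` message. If the 500 is a known behaviour of the activity view in this CKAN version (the NotAuthorized raised by the new auth function not being translated into a 403), the test should say so in a comment rather than leaving a crash as the contract, e.g. `# user.activity view does not translate NotAuthorized into 403 in this CKAN version; the denial surfaces as a 500`; otherwise the assertion should match the user-list case, `assert response.status_code == 403` and `assert "Zugriff nicht erlaubt" in response`. The enclosing test method starts above the hunk, so whether a denial message is checked for the activity page elsewhere is not visible here.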
@@ -36,6 +41,7 @@ class TestAuthorization:
         assert_not_authorized("user_delete", {"user": username}, {"id": username})
         assert_not_authorized("user_create", {"user": username}, {"name": "foo"})
         assert_not_authorized("user_invite", {"user": username}, {})
+        assert_not_authorized("user_activity_list", {"user": username}, {"id": username})
     
     def test_user_list_accessible_for_sysadmin(self):
         adminuser = factories.Sysadmin()
-- 
GitLab