[RHCLOUD-33414] - restrict the Custom default access group renaming (#…
…1383)

restrict the 'Custom default access' group from updating 'name' or 'description'
EvanCasey13 authored Jan 29, 2025
1 parent 53754bb commit 7c70108
Showing 2 changed files with 25 additions and 0 deletions.
14 changes: 14 additions & 0 deletions rbac/management/group/view.py
Expand Up @@ -224,6 +224,17 @@ def protect_system_groups(self, action, group=None):
error = {key: [_(message)]}
raise serializers.ValidationError(error)

def restrict_custom_default_group_renaming(self, request, group):
"""Restrict users from changing the name or description of the Custom default group."""
invalid_parameters = ["name", "description"]
if group.platform_default and request.method == "PUT":
invalid_fields = [field for field in invalid_parameters if field in request.data]
if invalid_fields:
key = "detail"
message = "Updating the name or description of 'Custom default group' is restricted"
error = {key: (message)}
raise serializers.ValidationError(error)

def protect_default_admin_group_roles(self, group):
"""Disallow default admin access roles from being updated."""
if group.admin_default:
Expand Down Expand Up @@ -446,9 +457,12 @@ def update(self, request, *args, **kwargs):
self.protect_system_groups("update")

group = self.get_object()

if not request.user.admin:
self.protect_group_with_user_access_admin_role(group.roles_with_access(), "update_group")

self.restrict_custom_default_group_renaming(request, group)

update_group = super().update(request=request, args=args, kwargs=kwargs)

if status.is_success(update_group.status_code):
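Review bot: The guard in `restrict_custom_default_group_renaming` only fires when `request.method == "PUT"`, so any other verb that reaches `update()` skips it; DRF's `partial_update` delegates to `update()` by default, and whether PATCH is routed for this viewset is not visible here. As far as this diff shows the helper is called only from `update()`, so the verb test can be dropped and the restriction then follows the group rather than the method: `if group.platform_default:`. The check is also presence-based, so a PUT that resends the current `name` is rejected as well; if only real changes should be blocked, compare with the stored value, e.g. `if field in request.data and request.data[field] != getattr(group, field)`. On style, `error = {key: (message)}` returns a bare untranslated string where `protect_system_groups` just above uses `{key: [_(message)]}`. `update()` starts and ends outside the hunk.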
11 changes: 11 additions & 0 deletions tests/management/group/test_view.py
Expand Up @@ -755,6 +755,7 @@ def test_update_group_success(self, send_kafka_message, mock_request):
url = reverse("v1_management:group-detail", kwargs={"uuid": self.group.uuid})
client = APIClient()
response = client.put(url, test_data, format="json", **self.headers)

self.assertEqual(response.status_code, status.HTTP_200_OK)

self.assertIsNotNone(response.data.get("uuid"))
Expand Down Expand Up @@ -808,6 +809,16 @@ def test_update_default_group(self):
response = client.put(url, test_data, format="json", **self.headers)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)

def test_update_custom_default_group(self):
"""Test that Custom default group is protected from updates"""
customDefGroup = Group(name="customDefGroup", platform_default=True, system=False, tenant=self.tenant)
customDefGroup.save()
url = reverse("v1_management:group-detail", kwargs={"uuid": customDefGroup.uuid})
test_data = {"name": "new_name" + "_updated", "description": "new_description" + "_updated"}
client = APIClient()
response = client.put(url, test_data, format="json", **self.headers)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)

def test_update_admin_default_group(self):
"""Test that admin_default groups are protected from updates"""
url = reverse("v1_management:group-detail", kwargs={"uuid": self.adminGroup.uuid})
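Review bot: `test_update_custom_default_group` asserts only the 400 status, so it would also pass if the request were rejected by some unrelated validation, and it never checks that the group was left untouched. Adding `customDefGroup.refresh_from_db()` followed by `self.assertEqual(customDefGroup.name, "customDefGroup")`, plus an assertion on the returned `detail` message, would pin the restriction itself. A companion case that sends the same payload with another verb (if the endpoint accepts one) and a case that changes neither field would document where the rule is meant to apply. The test class continues outside the hunk.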
