server/users: let authorized users GET themselves

rr- 2016-06-11 09:49:13 +02:00
parent b5aa3e75c4
commit 616854fb1b
2 changed files with 4 additions and 2 deletions


@ -40,8 +40,9 @@ class UserListApi(BaseApi):
class UserDetailApi(BaseApi):
def get(self, ctx, user_name):
auth.verify_privilege(ctx.user, 'users:view')
user = users.get_user_by_name(user_name)
if ctx.user.user_id != user.user_id:
auth.verify_privilege(ctx.user, 'users:view')
return _serialize(ctx, user)
def put(self, ctx, user_name):
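Review bot: In `UserDetailApi.get`, `users.get_user_by_name(user_name)` now runs before any privilege check, so callers without `users:view` reach the lookup. If the lookup raises a not-found error for unknown names (the neighbouring test name suggests it does), such a caller can tell existing user names from missing ones by which error comes back; the previous order returned the auth error in both cases. Consider catching the lookup failure, calling `auth.verify_privilege(ctx.user, 'users:view')` there, and only then re-raising, so unprivileged callers see the same auth error either way. A one-line comment above the `if`, such as `# users may always view their own record, even without users:view`, would also make the exemption explicit. The body of `put` lies outside the hunk.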


@ -74,8 +74,9 @@ def test_trying_to_retrieve_single_non_existing(test_ctx):
'-')
def test_trying_to_retrieve_single_without_privileges(test_ctx):
db.session.add(test_ctx.user_factory(name='u1', rank=db.User.RANK_REGULAR))
with pytest.raises(errors.AuthError):
test_ctx.detail_api.get(
test_ctx.context_factory(
user=test_ctx.user_factory(rank=db.User.RANK_ANONYMOUS)),
'-')
'u1')
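Review bot: The visible test changes cover only the denial path, so the behaviour this commit introduces, a user without `users:view` fetching their own record, has no test in this hunk. The updated `test_trying_to_retrieve_single_without_privileges` now targets the existing user `'u1'`, which keeps the denial case meaningful. A companion test should add a user whose rank lacks `users:view`, pass that same user as the context user, and assert that `detail_api.get` returns the serialized record. A second test requesting a missing name as an unprivileged user would pin down which error such a caller sees. Such tests may exist outside the visible lines.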