
Commit 19fa201

committed
Test that a normal user can't delete another user's ssh key
1 parent c9786a5 commit 19fa201


2 files changed

+25
-4
lines changed


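--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -47,6 +47,27 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 // user1 is an admin user
 session := loginUser(t, "user1")
 
-req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/99999")
+req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d", models.NonexistentID)
 session.MakeRequest(t, req, http.StatusNotFound)
 }
+
+func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
+prepareTestEnv(t)
+adminUsername := "user1"
+normalUsername := "user2"
+session := loginUser(t, adminUsername)
+
+urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", adminUsername)
+req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
+"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
+"title": "test-key",
+})
+resp := session.MakeRequest(t, req, http.StatusCreated)
+var newPublicKey api.PublicKey
+DecodeJSON(t, resp, &newPublicKey)
+
+session = loginUser(t, normalUsername)
+req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d",
+adminUsername, newPublicKey.ID)
+session.MakeRequest(t, req, http.StatusForbidden)
+}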
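Review bot: The closing `session.MakeRequest(t, req, http.StatusForbidden)` in TestAPIAdminDeleteUnauthorizedKey checks only the status code, so a handler that removed the key and then rejected the caller would still pass. Logging back in as `adminUsername` and deleting the key with the success status the endpoint's swagger block declares (204) would prove the key survived the forbidden request and also clean up the fixture the test created, e.g. `session = loginUser(t, adminUsername)`, `req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d", adminUsername, newPublicKey.ID)`, `session.MakeRequest(t, req, http.StatusNoContent)`. The name also reads as a 401 check while the asserted status is 403; `TestAPIAdminDeleteForbiddenKey` would match what is asserted.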

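--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -241,7 +241,7 @@ func CreatePublicKey(ctx *context.APIContext, form api.CreateKeyOption) {
 func DeleteUserPublicKey(ctx *context.APIContext) {
 // swagger:operation DELETE /admin/users/{username}/keys/{id} admin adminDeleteUserPublicKey
 // ---
-// summary: Delete a user's public key on behalf of a user
+// summary: Delete a user's public key
 // produces:
 // - application/json
 // parameters:
@@ -252,8 +252,8 @@ func DeleteUserPublicKey(ctx *context.APIContext) {
 // required: true
 // - name: id
 // in: path
-// description: key's id to delete
-// type: string
+// description: id of the key to delete
+// type: integer
 // required: true
 // responses:
 // "204":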
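Review bot: The `responses:` block that begins on the last line of the second hunk should also list the `403` that the new integration test asserts for a non-admin caller, unless it already does so further down — the block continues past the hunk, so that cannot be confirmed here. Adding `// "403":` with the file's usual reference for a forbidden response keeps the generated API documentation in step with the behaviour the commit now tests. DeleteUserPublicKey's body lies entirely outside both hunks.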
