organisations: validate modes update

This PR checks if current user can activate the `shared` or `dedicated` mode. Only super users can do this. * Adds a validation for `isShared` and `isDedicated` properties in marshmallow schema. * Closes #351. Co-Authored-by: Sébastien Délèze <[email protected]>
rero · Oct 21, 2020 · ccf3d47 · ccf3d47
1 parent e2e95cd
commit ccf3d47
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/sonar/modules/organisations/marshmallow/json.py b/sonar/modules/organisations/marshmallow/json.py
@@ -29,21 +29,34 @@
 
 from sonar.modules.organisations.api import OrganisationRecord
 from sonar.modules.organisations.permissions import OrganisationPermission
+from sonar.modules.permissions import has_superuser_access
 from sonar.modules.serializers import schema_from_context
 
 schema_from_organisation = partial(schema_from_context,
                                    schema=OrganisationRecord.schema)
 
 
+def can_activate_mode(value):
+    """Check if current user can activate `shared` or `dedicated` mode.
+
+    If the value is set to False, validation passed because the mode is not
+    activated.
+
+    :param value: Boolean value posted.
+    :returns: True if property can be modified
+    """
+    return not value or has_superuser_access()
+
+
 class OrganisationMetadataSchemaV1(StrictKeysMixin):
     """Schema for the organisation metadata."""
 
     pid = PersistentIdentifier()
     code = SanitizedUnicode(required=True)
     name = SanitizedUnicode(required=True)
     description = SanitizedUnicode()
-    isShared = fields.Boolean()
-    isDedicated = fields.Boolean()
+    isShared = fields.Boolean(validate=can_activate_mode)
+    isDedicated = fields.Boolean(validate=can_activate_mode)
     # When loading, if $schema is not provided, it's retrieved by
     # Record.schema property.
     schema = GenFunction(load_only=True,

diff --git a/tests/api/organisations/test_organisations_permissions.py b/tests/api/organisations/test_organisations_permissions.py
@@ -183,6 +183,8 @@ def test_update(client, make_organisation, superuser, admin, moderator,
     }
 
     org = make_organisation('org')
+    org['isShared'] = False
+    org['isDedicated'] = False
     org2 = make_organisation('org2')
 
     # Not logged
@@ -219,6 +221,14 @@ def test_update(client, make_organisation, superuser, admin, moderator,
                      headers=headers)
     assert res.status_code == 200
 
+    # Logged as admin and try to modify organisation's modes
+    org['isDedicated'] = True
+    org['isShared'] = True
+    res = client.put(url_for('invenio_records_rest.org_item', pid_value='org'),
+                     data=json.dumps(org.dumps()),
+                     headers=headers)
+    assert res.status_code == 400
+
     # Logged as admin of other organisation
     res = client.put(url_for('invenio_records_rest.org_item',
                              pid_value=org2['pid']),
@@ -227,6 +237,8 @@ def test_update(client, make_organisation, superuser, admin, moderator,
     assert res.status_code == 403
 
     # Logged as superuser
+    org['isDedicated'] = True
+    org['isShared'] = True
     login_user_via_session(client, email=superuser['email'])
     res = client.put(url_for('invenio_records_rest.org_item',
                              pid_value=org['pid']),