Implement deleting user and changing user role (fixes #205) (#220)

* Implement user deletion and role change

* Fix email confirmation template

Author: DavidMStraub

gramps_webapi/api/resources/user.py

@@ -31,8 +31,10 @@
 from ...auth.const import (
     CLAIM_LIMITED_SCOPE,
     PERM_ADD_USER,
+    PERM_DEL_USER,
     PERM_EDIT_OTHER_USER,
     PERM_EDIT_OWN_USER,
+    PERM_EDIT_USER_ROLE,
     PERM_VIEW_OTHER_USER,
     ROLE_DISABLED,
     ROLE_UNCONFIRMED,
@@ -98,16 +100,25 @@ def get(self, user_name: str):
         return jsonify(details), 200
 
     @use_args(
-        {"email": fields.Str(required=False), "full_name": fields.Str(required=False),},
+        {
+            "email": fields.Str(required=False),
+            "full_name": fields.Str(required=False),
+            "role": fields.Int(required=False),
+        },
         location="json",
     )
     def put(self, args, user_name: str):
         """Update a user's details."""
         auth_provider, user_name = self.prepare_edit(user_name)
+        if "role" in args:
+            require_permissions([PERM_EDIT_USER_ROLE])
         auth_provider.modify_user(
-            name=user_name, email=args.get("email"), fullname=args.get("full_name")
+            name=user_name,
+            email=args.get("email"),
+            fullname=args.get("full_name"),
+            role=args.get("role"),
         )
-        return "", 201
+        return "", 200
 
     @use_args(
         {
@@ -139,6 +150,21 @@ def post(self, args, user_name: str):
             abort(409)
         return "", 201
 
+    def delete(self, user_name: str):
+        """Delete a user."""
+        if user_name == "-":
+            # Deleting the own user is currently not allowed
+            abort(404)
+        auth_provider = current_app.config.get("AUTH_PROVIDER")
+        if auth_provider is None:
+            abort(405)
+        require_permissions([PERM_DEL_USER])
+        try:
+            auth_provider.delete_user(name=user_name)
+        except ValueError:
+            abort(404)  # user not found
+        return "", 200
+
 
 class UserRegisterResource(Resource):
     """Resource for registering a new user."""

gramps_webapi/auth/const.py

@@ -33,6 +33,7 @@
 PERM_ADD_USER = "AddUser"
 PERM_EDIT_OWN_USER = "EditOwnUser"
 PERM_EDIT_OTHER_USER = "EditOtherUser"
+PERM_EDIT_USER_ROLE = "EditUserRole"
 PERM_VIEW_OTHER_USER = "ViewOtherUser"
 PERM_DEL_USER = "DeleteUser"
 PERM_VIEW_PRIVATE = "ViewPrivate"
@@ -46,6 +47,7 @@
         PERM_EDIT_OWN_USER,
         PERM_DEL_USER,
         PERM_EDIT_OTHER_USER,
+        PERM_EDIT_USER_ROLE,
         PERM_VIEW_OTHER_USER,
         PERM_VIEW_PRIVATE,
         PERM_EDIT_OBJ,

gramps_webapi/data/apispec.yaml

@@ -208,11 +208,16 @@ paths:
             full_name:
               description: "The new user's full name."
               type: string
+            role:
+              description: "An integer user role ID."
+              type: number
       responses:
         200:
           description: "OK: Successful operation."
         401:
           description: "Unauthorized: Missing authorization header."
+        403:
+          description: "Unauthorized: insufficient permissions."
         404:
           description: "Not found: User does not exist."
         422:
@@ -251,6 +256,27 @@ paths:
           description: "Conflict: user already exists."
         422:
           description: "Unprocessable Entity: Invalid token."
+    delete:
+      tags:
+      - users
+      summary: "Delete the user."
+      operationId: deleteUser
+      security:
+        - Bearer: []
+      responses:
+        200:
+          description: "OK: Successful operation."
+        400:
+          description: "Bad Request: Malformed request could not be parsed."
+        401:
+          description: "Unauthorized: Missing authorization header."
+        403:
+          description: "Unauthorized: insufficient permissions."
+        404:
+          description: "Not found: user does not exist."
+        422:
+          description: "Unprocessable Entity: Invalid or bad parameter provided."
+
 
   /users/{user_name}/register/:
     post:

gramps_webapi/templates/confirmation.html

@@ -2,7 +2,7 @@
 {% block title %}{{title}}{% endblock %}
 
 {% block main %}
-<div id="success" class="success" style="display:none;">
+<div id="success" class="success">
   <img width="200" src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/PjxzdmcgaWQ9IkxheWVyXzEiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcgMCAwIDYxMiA3OTI7IiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCA2MTIgNzkyIiB4bWw6c3BhY2U9InByZXNlcnZlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj48c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiM0MUFENDk7fQo8L3N0eWxlPjxnPjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik01NjIsMzk2YzAtMTQxLjQtMTE0LjYtMjU2LTI1Ni0yNTZTNTAsMjU0LjYsNTAsMzk2czExNC42LDI1NiwyNTYsMjU2UzU2Miw1MzcuNCw1NjIsMzk2TDU2MiwzOTZ6ICAgIE01MDEuNywyOTYuM2wtMjQxLDI0MWwwLDBsLTE3LjIsMTcuMkwxMTAuMyw0MjEuM2w1OC44LTU4LjhsNzQuNSw3NC41bDE5OS40LTE5OS40TDUwMS43LDI5Ni4zTDUwMS43LDI5Ni4zeiIvPjwvZz48L3N2Zz4=">
   <div>{{message}}</div>
 </div>

tests/test_endpoints/test_user.py

@@ -319,7 +319,7 @@ def test_edit_user(self):
             headers={"Authorization": "Bearer {}".format(token_user)},
             json={"full_name": "My Name"},
         )
-        assert rv.status_code == 201
+        assert rv.status_code == 200
         rv = self.client.get(
             BASE_URL + "/users/-/",
             headers={"Authorization": "Bearer {}".format(token_user)},
@@ -348,7 +348,7 @@ def test_edit_user(self):
             headers={"Authorization": "Bearer {}".format(token_owner)},
             json={"full_name": "His Name"},
         )
-        assert rv.status_code == 201
+        assert rv.status_code == 200
         rv = self.client.get(
             BASE_URL + "/users/user/",
             headers={"Authorization": "Bearer {}".format(token_owner)},
@@ -570,3 +570,116 @@ def test_confirm_email(self):
                 headers={"Authorization": "Bearer {}".format(token)},
             )
             self.assertEqual(rv.status_code, 401)
+
+    def test_delete_user(self):
+        # get user token
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "user", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token_user = rv.json["access_token"]
+        # get owner token
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"},
+        )
+        assert rv.status_code == 200
+        token_owner = rv.json["access_token"]
+        # add user
+        rv = self.client.post(
+            BASE_URL + "/users/user_to_delete/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+            json={
+                "email": "[email protected]",
+                "role": ROLE_MEMBER,
+                "full_name": "To Delete",
+                "password": "abc",
+            },
+        )
+        assert rv.status_code == 201
+        rv = self.client.get(
+            BASE_URL + "/users/user_to_delete/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+        )
+        assert rv.status_code == 200
+        # check token for new user
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "user_to_delete", "password": "abc"}
+        )
+        assert rv.status_code == 200
+        # user cannot delete user
+        rv = self.client.delete(
+            BASE_URL + "/users/user_to_delete/",
+            headers={"Authorization": "Bearer {}".format(token_user)},
+        )
+        assert rv.status_code == 403
+        # owner can user
+        rv = self.client.delete(
+            BASE_URL + "/users/user_to_delete/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+        )
+        assert rv.status_code == 200
+        # check user is gone
+        rv = self.client.get(
+            BASE_URL + "/users/user_to_delete/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+        )
+        assert rv.status_code == 404
+        # check user can't get token
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "user_to_delete", "password": "abc"}
+        )
+        assert rv.status_code == 403
+
+    def test_change_user_role(self):
+        # get user token
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "user", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token_user = rv.json["access_token"]
+        # get owner token
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"},
+        )
+        assert rv.status_code == 200
+        token_owner = rv.json["access_token"]
+        # add user
+        rv = self.client.post(
+            BASE_URL + "/users/user_change_role/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+            json={
+                "email": "[email protected]",
+                "role": ROLE_MEMBER,
+                "full_name": "Change Role",
+                "password": "abc",
+            },
+        )
+        assert rv.status_code == 201
+        # get token for new user
+        rv = self.client.post(
+            BASE_URL + "/token/",
+            json={"username": "user_change_role", "password": "abc"},
+        )
+        assert rv.status_code == 200
+        token_new_user = rv.json["access_token"]
+        # user can change own details
+        rv = self.client.put(
+            BASE_URL + "/users/-/",
+            headers={"Authorization": "Bearer {}".format(token_new_user)},
+            json={"full_name": "Change My Role"},
+        )
+        assert rv.status_code == 200
+        # user cannot change own role
+        rv = self.client.put(
+            BASE_URL + "/users/-/",
+            headers={"Authorization": "Bearer {}".format(token_new_user)},
+            json={"role": ROLE_OWNER},
+        )
+        assert rv.status_code == 403
+        # owner can change user role
+        rv = self.client.put(
+            BASE_URL + "/users/user_change_role/",
+            headers={"Authorization": "Bearer {}".format(token_owner)},
+            json={"role": ROLE_OWNER},
+        )
+        assert rv.status_code == 200