added revokation checks in the backend and frontend

5a0d6732 · Dominik Seeger · Dominik Seeger · d93de798 · 5a0d6732 · 5a0d6732
Commit 5a0d6732 authored 5 years ago by Dominik Seeger Committed by Dominik Seeger 5 years ago
--- a/core/tests/test_user_account_views.py
+++ b/core/tests/test_user_account_views.py
@@ -86,3 +86,11 @@ class TutorReviewerCanChangePasswordTests(APITestCase):
        ret = self.client.login(username=student.username,
                                password='chompreviver0.')
        self.assertFalse(ret)
+
+    def test_reviewer_cannot_revoke_own_access(self):
+        user_pk = self.reviewer.pk
+        url = f"/api/user/{user_pk}/change_active/"
+        data = {'is_active': False}
+        self.client.force_authenticate(user=self.reviewer)
+        res = self.client.patch(url, data)
+        self.assertEqual(status.HTTP_403_FORBIDDEN, res.status_code)
--- a/core/views/common_views.py
+++ b/core/views/common_views.py
@@ -243,6 +243,9 @@ class UserAccountViewSet(viewsets.ReadOnlyModelViewSet):
        if active is None:
            error_msg = "You need to provide an 'active' field"
            return Response({'Error': error_msg}, status.HTTP_400_BAD_REQUEST)
+        if req_user.is_reviewer() and req_user == user:
+            error_msg = "As a reviewer, you cannot revoke your own access."
+            return Response({'Error': error_msg}, status.HTTP_403_FORBIDDEN)
        if (req_user.is_student() or req_user.is_tutor()) and req_user != user:
            return Response(status.HTTP_403_FORBIDDEN)
        user.is_active = active

--- a/frontend/src/components/tutor_list/TutorList.vue
+++ b/frontend/src/components/tutor_list/TutorList.vue
 <template>
-  <v-flex xs5>
+  <v-flex lg7 xl5>
    <v-card>
      <v-card-title class="title">
        Tutors
@@ -27,7 +27,10 @@
            </v-tooltip>
          </td>
          <td class="text-xs-right">
-            <v-btn icon @click="changeActiveStatus(props.item)">
+            <v-btn 
+              v-if="canRevokeAccess(props.item.username)" 
+              icon @click="changeActiveStatus(props.item)"
+            >
              <v-tooltip top>
                <template slot="activator">
                  <v-icon small v-if="!props.item.isActive">lock</v-icon>
@@ -49,6 +52,7 @@ import Vue from 'vue'
 import Component from 'vue-class-component'
 import { changeActiveForUser } from '@/api'
 import { actions } from '@/store/actions'
+import { Authentication } from '@/store/modules/authentication'
 import { TutorOverview } from '@/store/modules/tutor-overview'
 import { Tutor } from '@/models'

@@ -113,6 +117,10 @@ export default class TutorList extends Vue {
    TutorOverview.getTutors()
    TutorOverview.getActiveAssignments()
  }
+
+  canRevokeAccess (username: string) {
+    return Authentication.state.user.username !== username
+  }
 }
 </script>