From de53fa7d80c4fee5c1a122631efb862826b73df4 Mon Sep 17 00:00:00 2001
From: ylamgarchal
Date: Thu, 5 Dec 2024 22:12:54 +0100
Subject: [PATCH] jobs.py: fix components job removal when a job is associated with components of other teams then the user which belongs to the job's team is able to remove components from the job even if the component does not belongs to its own team. nrt added
Change-Id: Idb26539dcd1c7ceb4fba5945d46b45302f1565ed
---
 dci/api/v1/jobs.py | 2 +-
 tests/api/v1/test_jobs.py | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/dci/api/v1/jobs.py b/dci/api/v1/jobs.py
index f9f80bbd4..2a58fed91 100644
--- a/dci/api/v1/jobs.py
+++ b/dci/api/v1/jobs.py
@@ -425,7 +425,7 @@ def remove_component_from_job(user, job_id, cmpt_id):
 j = base.get_resource_orm(models2.Job, job_id)
 component = base.get_resource_orm(models2.Component, cmpt_id)
- if component.team_id and not user.is_in_team(component.team_id):
+ if user.is_not_in_team(j.team_id):
 raise dci_exc.Unauthorized()
 try:
diff --git a/tests/api/v1/test_jobs.py b/tests/api/v1/test_jobs.py
index 0707ffc9b..674d8806f 100644
--- a/tests/api/v1/test_jobs.py
+++ b/tests/api/v1/test_jobs.py
@@ -170,6 +170,15 @@ def test_attach_component_from_other_team_to_job(
 cmpt_found = True
 assert cmpt_found
+ r = user.delete("/api/v1/jobs/%s/components/%s" % (job_user_id, pc_id))
+ assert r.status_code == 201
+ cmpts = user.get("/api/v1/jobs/%s/components" % job_user_id).data["components"]
+ cmpt_found = False
+ for c in cmpts:
+ if c["id"] == pc_id:
+ cmpt_found = True
+ assert not cmpt_found
+
 def test_add_component_with_no_team_to_job(
 user, admin, team_user_id, topic_user_id, job_user_id
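Review bot: In `remove_component_from_job` (dci/api/v1/jobs.py) the new guard `if user.is_not_in_team(j.team_id):` runs only after `component` has been loaded, so a caller outside the job's team probably gets a different error for an existing component id than for a missing one (assuming `get_resource_orm` raises not-found, which is not visible here). Placing the guard directly under the `j = base.get_resource_orm(models2.Job, job_id)` line, before the component lookup, removes that difference. Because removal is now authorized by job ownership rather than component ownership, a comment above the guard such as `# authz is on the job's team: components owned by other teams, or by no team, may be attached to this job` would keep a later reader from restoring the old condition. The function body continues past `try:` outside this hunk, so whether the component is verified to be attached to this job cannot be checked from here.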
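Review bot: The lines added to `test_attach_component_from_other_team_to_job` (tests/api/v1/test_jobs.py) cover only the allowed path, a member of the job's team removing a component owned by another team; nothing exercises the denial path, which is the access-control property the new `is_not_in_team(j.team_id)` check is meant to enforce. A negative case that issues the same DELETE as a user from a different team (using whatever client fixture the suite provides for that), asserts the status that `dci_exc.Unauthorized` maps to, and then confirms the component is still listed on the job would catch a regression of the guard. The membership loop can also be written as `assert pc_id not in [c["id"] for c in cmpts]`. The test function starts above this hunk, so how `pc_id` is set up is not visible here.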