Merge pull request #491 from metabase/fix_grant_revoke_admin

Fix grant/revoke admin

Merge pull request #491 from metabase/fix_grant_revoke_admin
516f52f4 · Allen Gilliland · 5d462aad · b3dcd295 · 516f52f4 · 516f52f4
Commit 516f52f4 authored 9 years ago by Allen Gilliland
--- a/src/metabase/api/user.clj
+++ b/src/metabase/api/user.clj
@@ -51,7 +51,7 @@

 (defendpoint PUT "/:id"
  "Update a `User`."
-  [id :as {{:keys [email first_name last_name] :as body} :body}]
+  [id :as {{:keys [email first_name last_name is_superuser] :as body} :body}]
  {email      [Required Email]
   first_name NonEmptyString
   last_name  NonEmptyString}
@@ -61,7 +61,10 @@
  (check-500 (upd-non-nil-keys User id
                               :email email
                               :first_name first_name
-                               :last_name last_name))
+                               :last_name last_name
+                               :is_superuser (if (:is_superuser @*current-user*)
+                                               is_superuser
+                                               nil)))
  (sel :one User :id id))



--- a/test/metabase/api/user_test.clj
+++ b/test/metabase/api/user_test.clj
@@ -174,6 +174,13 @@
                                                                  :email new-email})
       (fetch-user))])

+;; Test that a normal user cannot change the :is_superuser flag for themselves
+(expect-let [fetch-user (fn [] (sel :one :fields [User :first_name :last_name :is_superuser :email] :id (user->id :rasta)))]
+  [(fetch-user)]
+  [(do ((user->client :rasta) :put 200 (str "user/" (user->id :rasta)) (-> (fetch-user)
+                                                                           (assoc :is_superuser true)))
+       (fetch-user))])
+
 ;; Check that a non-superuser CANNOT update someone else's user details
 (expect "You don't have permissions to do that."
  ((user->client :rasta) :put 403 (str "user/" (user->id :trashbird)) {:email "toucan@metabase.com"}))