enforce user deletion security to be admin only

controllers/users_controller.rb

@@ -93,6 +93,7 @@ class UsersController < ApplicationController
 
     # Delete a user
     delete '/:username' do
+      error 403, "Access denied" unless current_user.admin?
       User.find(params[:username]).first.delete
       halt 204
     end

test/controllers/test_slices_controller.rb

@@ -15,17 +15,17 @@ def self.before_suite
                         password: "12345"
                       }).save
     @@new_slice_data = { acronym: 'tst-c', name: "Test Slice C", ontologies: ont_acronyms}
-    @@old_security_setting = LinkedData.settings.enable_security
+    enable_security
   end
 
   def self.after_suite
     LinkedData::Models::Slice.all.each(&:delete)
     @@user.delete
-    reset_security(@@old_security_setting)
+    reset_security
   end
 
   def setup
-    self.class.reset_security(@@old_security_setting)
+    self.class.reset_security
     self.class.reset_to_not_admin(@@user)
     LinkedData::Models::Slice.find(@@new_slice_data[:acronym]).first&.delete
   end

test/controllers/test_users_controller.rb

@@ -29,7 +29,7 @@ def test_admin_creation
     existent_user = self.class.make_admin(existent_user)
     assert _create_admin_user(apikey: existent_user.apikey), "Admin can create an admin user or update it to be an admin"
     self.class.reset_to_not_admin(existent_user)
-    delete "/users/#{@@username}"
+    _delete_user(@@username)
   end
 
   def test_all_users
@@ -59,7 +59,8 @@ def test_create_new_user
     assert last_response.ok?
     assert MultiJson.load(last_response.body)["username"].eql?(@@username)
 
-    delete created_user["@id"]
+    _delete_user(created_user["username"])
+
     post "/users", MultiJson.dump(user.merge(username: @@username)), "CONTENT_TYPE" => "application/json"
     assert last_response.status == 201
     assert MultiJson.load(last_response.body)["username"].eql?(@@username)
@@ -90,13 +91,21 @@ def test_update_patch_user
   end
 
   def test_delete_user
-    delete "/users/ben"
-    assert last_response.status == 204
+    self.class.enable_security
+
+    delete "/users/ben?apikey=#{@@users.first.apikey}"
+    assert_equal 403,  last_response.status
+
+    self.class.make_admin(@@users.first)
+    delete "/users/ben?apikey=#{@@users.first.apikey}"
+    assert_equal 204,  last_response.status
 
     @@usernames.delete("ben")
+    self.class.reset_security
+    self.class.reset_to_not_admin(@@users.first)
 
     get "/users/ben"
-    assert last_response.status == 404
+    assert_equal 404, last_response.status
   end
 
   def test_user_not_found
@@ -113,9 +122,13 @@ def test_authentication
 
 
   private
+
+  def _delete_user(username)
+    LinkedData::Models::User.find(@@username).first&.delete
+  end
   def _create_admin_user(apikey: nil)
     user = {email: "#{@@username}@example.org", password: "pass_the_word", role: ['ADMINISTRATOR']}
-    LinkedData::Models::User.find(@@username).first&.delete
+    _delete_user(@@username)
 
     put "/users/#{@@username}", MultiJson.dump(user), "CONTENT_TYPE" => "application/json", "Authorization" => "apikey token=#{apikey}"
     assert last_response.status == 201

test/test_case.rb

@@ -193,6 +193,7 @@ def get_errors(response)
   end
 
   def self.enable_security
+    @@old_security_setting = LinkedData.settings.enable_security
     LinkedData.settings.enable_security = true
   end