From e5dd7e558786a0a93c904d9ede27fdbc05df3893 Mon Sep 17 00:00:00 2001
From: Oleksandr Duts
Date: Thu, 9 Dec 2021 17:29:58 +0200
Subject: [PATCH] TT#129169 API: DELETE /api/admins/:id return wrong http 500 * Fix http code to 403 - Cannot delete own user
Change-Id: I21225e112fd7e5b746381753b2e52474b6069c5c
---
 lib/NGCP/Panel/Controller/API/AdminsItem.pm | 8 ++++----
 t/api-rest2/Admins.yaml | 11 ++++++++++-
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/lib/NGCP/Panel/Controller/API/AdminsItem.pm b/lib/NGCP/Panel/Controller/API/AdminsItem.pm
index 82c6c62e30..de82f238f9 100644
--- a/lib/NGCP/Panel/Controller/API/AdminsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/AdminsItem.pm
@@ -79,20 +79,20 @@ sub delete_item {
 if($item->login eq $special_user_login) {
 $self->error($c, HTTP_FORBIDDEN, "Cannot delete special user '$special_user_login'");
- last;
+ return;
 }
 if($c->user->id == $item->id) {
 $self->error($c, HTTP_FORBIDDEN, "Cannot delete own user");
- last;
+ return;
 }
 if($c->user->read_only) {
 $self->error($c, HTTP_FORBIDDEN, "Insufficient permissions");
- last;
+ return;
 }
 # reseller association is checked in item_rs of role
- last unless $self->add_delete_journal_item_hal($c,sub {
+ return unless $self->add_delete_journal_item_hal($c,sub {
 my $self = shift; my ($c) = @_; return $self->hal_from_item($c, $item); });
diff --git a/t/api-rest2/Admins.yaml b/t/api-rest2/Admins.yaml
index adb4eb3142..17e21d65db 100644
--- a/t/api-rest2/Admins.yaml
+++ b/t/api-rest2/Admins.yaml
@@ -218,6 +218,15 @@
 '${admin}.is_ccare': 0
 '${admin}.lawful_intercept': 0
+-
+ name: delete own user
+ type: item
+ method: DELETE
+ path: '/api/admins/1'
+ conditions:
+ is:
+ code: 403
+
 -
 name: delete admin
 type: item
@@ -225,4 +234,4 @@
 path: '/${admin_path}'
 conditions:
 is:
- code: 204
+ code: 204
\ No newline at end of file
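Review bot: The three 403 branches and the journal guard in `delete_item` now leave with a bare `return;`, so the caller can tell a refused delete from a completed one only through the sub's return value, and the success tail of the sub is outside this hunk. It is worth confirming that the sub ends in an explicit true value (for example `return 1;`) and that the calling DELETE handler tests it before answering 204; otherwise a refused request could fall through to the success response. A short comment above the first check would record that contract, e.g. `# On refusal the error response is already set; return false so the caller stops here.`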
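Review bot: The new `delete own user` case sends DELETE to the literal `path: '/api/admins/1'`, which reaches the own-user branch only if the test session is authenticated as admin id 1; under any other account the request would presumably be a real delete of admin 1 instead of the refusal being asserted. Taking the id from the authenticated user (the file already interpolates values such as `${admin_path}`) would remove that assumption. The case also asserts only `code: 403`, which all three refusal branches in `delete_item` return, so it cannot show that the own-user check fired rather than the special-user check that runs before it. Asserting the error message as well, and adding DELETE cases for the special-user and read-only refusals, would cover the other paths this commit changes.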