Merge pull request #1285 from pierotofy/fixes

Do not allow users to delete projects they don't own

app/api/projects.py

@@ -136,3 +136,18 @@ class ProjectViewSet(viewsets.ModelViewSet):
             return Response({'error': _("Invalid permissions")}, status=status.HTTP_400_BAD_REQUEST)
 
         return Response({'success': True}, status=status.HTTP_200_OK)
+
+    def destroy(self, request, pk=None):
+        project = get_and_check_project(request, pk, ('delete_project', ))
+
+        # Owner? Delete the project
+        if project.owner == request.user:
+            return super().destroy(self, request, pk=pk)
+        else:
+            # Do not remove the project, simply remove all user's permissions to the project
+            # to avoid shared projects from being accidentally deleted
+            for p in ["add", "change", "delete", "view"]:
+                perm = p + "_project"
+                remove_perm(perm, request.user, project)
+            return Response(status=status.HTTP_204_NO_CONTENT)
+        

app/static/app/js/components/EditProjectDialog.jsx

@@ -140,7 +140,7 @@ class EditProjectDialog extends React.Component {
               <div className="form-group">
                 <label className="col-sm-2 control-label">{_("Name")}</label>
                 <div className="col-sm-10">
-                  <input type="text" className="form-control" ref={(domNode) => { this.nameInput = domNode; }} value={this.state.name} onChange={this.handleChange('name')} />
+                  <input type="text" className="form-control" ref={(domNode) => { this.nameInput = domNode; }} value={this.state.name} onChange={this.handleChange('name')} onKeyPress={e => this.dialog.handleEnter(e)} />
                 </div>
               </div>
               <div className="form-group">

app/static/app/js/components/FormDialog.jsx

@@ -102,6 +102,12 @@ class FormDialog extends React.Component {
         }
     }
 
+    handleEnter = e => {
+        if (e.key === 'Enter' || e.keyCode === 13){
+          this.handleSave(e);
+        }
+    }
+
     handleSave(e){
         e.preventDefault();
 

app/tests/test_api.py

@@ -255,7 +255,7 @@ class TestApi(BootTestCase):
 
         # Can't delete a project for which we just have view permissions
         res = client.delete('/api/projects/{}/'.format(other_temp_project.id))
-        self.assertTrue(res.status_code == status.HTTP_403_FORBIDDEN)
+        self.assertTrue(res.status_code == status.HTTP_404_NOT_FOUND)
 
         # Can delete a project for which we have delete permissions
         assign_perm('delete_project', user, other_temp_project)

app/tests/test_api_projects.py

@@ -104,4 +104,25 @@ class TestApiProjects(BootTestCase):
         self.assertEqual(res.status_code, status.HTTP_200_OK)
 
         perms = get_perms(user, project)
-        self.assertEqual(len(perms), 4)
+        self.assertEqual(len(perms), 4)
+
+        # Re-add permissions for other user
+        res = client.post("/api/projects/{}/edit/".format(project.id), {
+            'permissions': [{'username': 'testuser2', 'permissions': ['view', 'add', 'change', 'delete']}]
+        }, format="json")
+        self.assertEqual(res.status_code, status.HTTP_200_OK)
+
+        # Other user deletes project
+        res = other_client.delete("/api/projects/{}/".format(project.id))
+        self.assertEqual(res.status_code, status.HTTP_204_NO_CONTENT)
+        project.refresh_from_db()
+
+        # Other user can no longer see the project (permissions have been revoked)
+        res = other_client.get("/api/projects/{}/".format(project.id))
+        self.assertEqual(res.status_code, status.HTTP_404_NOT_FOUND)
+        perms = get_perms(other_user, project)
+        self.assertEqual(len(perms), 0)
+        
+        # Project is still there
+        res = client.get("/api/projects/{}/".format(project.id))
+        self.assertEqual(res.status_code, status.HTTP_200_OK)