
Add admin permission checks
Uditi Mehta authored and Uditi Mehta committed Oct 9, 2024
1 parent ec69be1 commit 3b55a71
Showing 2 changed files with 28 additions and 0 deletions.
11 changes: 11 additions & 0 deletions api/preprints/serializers.py
Expand Up @@ -337,21 +337,28 @@ def update(self, preprint, validated_data):
detail='You cannot edit this field while your prereg links availability is set to false or is unanswered.',
)

def require_admin_permission():
if not preprint.has_permission(auth.user, osf_permissions.ADMIN):
raise exceptions.PermissionDenied(detail='Must have admin permissions to update author assertion fields.')

if 'has_coi' in validated_data:
require_admin_permission()
try:
preprint.update_has_coi(auth, validated_data['has_coi'])
save_preprint = True
except PreprintStateError as e:
raise exceptions.ValidationError(detail=str(e))

if 'conflict_of_interest_statement' in validated_data:
require_admin_permission()
try:
preprint.update_conflict_of_interest_statement(auth, validated_data['conflict_of_interest_statement'])
save_preprint = True
except PreprintStateError as e:
raise exceptions.ValidationError(detail=str(e))

if 'has_data_links' in validated_data:
require_admin_permission()
try:
preprint.update_has_data_links(auth, validated_data['has_data_links'])
save_preprint = True
Expand All @@ -366,6 +373,7 @@ def update(self, preprint, validated_data):
raise exceptions.ValidationError(detail=str(e))

if 'data_links' in validated_data:
require_admin_permission()
try:
preprint.update_data_links(auth, validated_data['data_links'])
save_preprint = True
Expand All @@ -377,20 +385,23 @@ def update(self, preprint, validated_data):
save_preprint = True

if 'why_no_prereg' in validated_data:
require_admin_permission()
try:
preprint.update_why_no_prereg(auth, validated_data['why_no_prereg'])
save_preprint = True
except PreprintStateError as e:
raise exceptions.ValidationError(detail=str(e))

if 'prereg_links' in validated_data:
require_admin_permission()
try:
preprint.update_prereg_links(auth, validated_data['prereg_links'])
save_preprint = True
except PreprintStateError as e:
raise exceptions.ValidationError(detail=str(e))

if 'prereg_link_info' in validated_data:
require_admin_permission()
try:
preprint.update_prereg_link_info(auth, validated_data['prereg_link_info'])
save_preprint = True
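Review bot: The new `require_admin_permission()` closure is invoked inside each field branch, so when a request mixes a non-gated field with, say, `has_coi`, the earlier `update_*` calls have already run before `PermissionDenied` is raised; whether any of them persists before the final save is outside the hunk, but the check is safer and cheaper hoisted above the first branch and done once against the set of admin-only keys. The closure also reads `auth` and `osf_permissions` from enclosing scope, both bound outside the hunk — presumably earlier in `update` and at module level. The three hunks gate seven fields, but the branch whose tail (`save_preprint = True`) opens the third hunk and anything between the second and third hunk are not visible, so confirm every author-assertion field shares the gate; the set below lists only the fields visible here. The body of `update` continues past the last hunk.
```python
        # Author-assertion fields are admin-only: reject the request up front,
        # before any field-specific update_* call has been applied.
        AUTHOR_ASSERTION_FIELDS = {
            'has_coi', 'conflict_of_interest_statement', 'has_data_links', 'data_links',
            'why_no_prereg', 'prereg_links', 'prereg_link_info',
        }
        if AUTHOR_ASSERTION_FIELDS & validated_data.keys() and not preprint.has_permission(auth.user, osf_permissions.ADMIN):
            raise exceptions.PermissionDenied(detail='Must have admin permissions to update author assertion fields.')

        # … unchanged: per-field branches, each without the require_admin_permission() call …
```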
17 changes: 17 additions & 0 deletions api_tests/preprints/views/test_preprint_detail.py
Expand Up @@ -20,6 +20,7 @@
PreprintContributor,
PreprintLog
)
from osf.utils import permissions as osf_permissions
from osf.utils.permissions import WRITE
from osf.utils.workflows import DefaultStates
from osf_tests.factories import (
Expand Down Expand Up @@ -1243,6 +1244,22 @@ def test_update_has_prereg_links_no_with_empty_prereg_links(self, app, user, pre
assert preprint.prereg_links == []
assert preprint.prereg_link_info == ''

def test_non_admin_cannot_update_has_coi(self, app, user, preprint, url):
write_contrib = AuthUserFactory()
preprint.add_contributor(write_contrib, permissions=osf_permissions.WRITE, auth=Auth(user), save=True)

update_payload = build_preprint_update_payload(
preprint._id,
attributes={'has_coi': True}
)

res = app.patch_json_api(url, update_payload, auth=write_contrib.auth, expect_errors=True)
assert res.status_code == 403
assert res.json['errors'][0]['detail'] == 'Must have admin permissions to update author assertion fields.'

preprint.reload()
assert preprint.has_coi is None

def test_sloan_updates(self, app, user, preprint, url):
"""
- Tests to ensure updating a preprint with unchanged data does not create superfluous log statements.
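Review bot: The new test pins the gate for `has_coi` only, while the serializer change gates seven fields; a parametrized case over the other six attributes (`conflict_of_interest_statement`, `has_data_links`, `data_links`, `why_no_prereg`, `prereg_links`, `prereg_link_info`) plus a companion asserting an ADMIN contributor still gets a 200 would show the check neither misses a field nor over-blocks, though whether `pytest` is already imported in this module is outside the hunk. The added `from osf.utils import permissions as osf_permissions` duplicates the existing `from osf.utils.permissions import WRITE` directly below it; `preprint.add_contributor(write_contrib, permissions=WRITE, auth=Auth(user), save=True)` would use the name already in scope and the new import could be dropped. The final `assert preprint.has_coi is None` presumes the fixture's preprint starts with no COI value, which the hunk does not show.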
