From b0496e6ee5ab379a34211986344a7a28cbbc3428 Mon Sep 17 00:00:00 2001
From: Amelia Cordwell
Date: Thu, 7 Dec 2017 15:53:33 +1300
Subject: [PATCH] Users can only edit users with full permission

* A user should only be able to edit a user when they have permission accross all of that users roles.

Change-Id: Ia69a40f6113ee36c0d3c58281a729f3390d69a86
---
 .../actions/v1/tests/test_user_actions.py | 2 +-
 adjutant/actions/v1/users.py | 21 ++++++++++++++++++-
 adjutant/common/tests/fake_clients.py | 3 ++-
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/adjutant/actions/v1/tests/test_user_actions.py b/adjutant/actions/v1/tests/test_user_actions.py
index 6b1eb09..4ef211e 100644
--- a/adjutant/actions/v1/tests/test_user_actions.py
+++ b/adjutant/actions/v1/tests/test_user_actions.py
@@ -748,7 +748,7 @@ class UserActionTests(AdjutantTestCase):
 data = {
 'domain_id': 'default',
- 'user_id': 'user_id',
+ 'user_id': user.id,
 'project_id': project.id,
 'roles': ['project_mod'],
 'inherited_roles': [],
diff --git a/adjutant/actions/v1/users.py b/adjutant/actions/v1/users.py
index 63b84c9..8b70542 100644
--- a/adjutant/actions/v1/users.py
+++ b/adjutant/actions/v1/users.py
@@ -286,11 +286,30 @@ class EditUserRolesAction(UserIdAction, ProjectMixin, UserMixin): self.roles = list(missing) self.inherited_roles = list(missing_inherited) self.add_note( - 'User user missing roles.') + 'User missing roles.') # All paths are valid here # We've just set state and roles that need to be changed. return True + def _validate_role_permissions(self): + + id_manager = user_store.IdentityManager() + + current_user_roles = id_manager.get_roles(project=self.project_id, + user=self.user_id) + current_user_roles = [role.name for role in current_user_roles] + + current_roles_manageable = self.are_roles_managable( + self.action.task.keystone_user['roles'], current_user_roles) + + all_roles = set() + all_roles.update(self.roles) + all_roles.update(self.inherited_roles) + new_roles_manageable = self.are_roles_managable( + self.action.task.keystone_user['roles'], all_roles) + + return new_roles_manageable and current_roles_manageable + def _validate(self): self.action.valid = ( self._validate_keystone_user() and diff --git a/adjutant/common/tests/fake_clients.py b/adjutant/common/tests/fake_clients.py index 05573bb..4436657 100644 --- a/adjutant/common/tests/fake_clients.py +++ b/adjutant/common/tests/fake_clients.py @@ -337,7 +337,8 @@ class FakeManager(object): role = self._role_from_id(role) project = self._project_from_id(project) - role_assignment = self._make_role_assignment(user, role, project) + role_assignment = self._make_role_assignment(user, role, project, + inherited=inherited) global identity_cache
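Review bot: `_validate_role_permissions` compares the requester's roles only against what `id_manager.get_roles(project=self.project_id, user=self.user_id)` returns, so if that call does not include inherited assignments (the fake-client change in this same patch suggests inherited assignments are modelled as a separate flag) a target user who holds an inherited role on the project is not covered by the "full permission" rule the commit message describes, and `self.inherited_roles` is only checked on the requested side. The method also returns a bare bool without recording why, unlike the neighbouring checks that call `self.add_note(...)`; adding `self.add_note('Requester cannot manage all roles of the target user.')` on the failing path would make denials visible in the task notes. `_validate` is cut off by the hunk and the diffstat shows no other change to users.py, so please confirm it actually calls `self._validate_role_permissions()`; the test hunk only fixes a fixture id and adds no case exercising the denial path. A short docstring, e.g. `"""Return True only if the requester can manage both the target's current roles on the project and every requested role."""`, would make the contract explicit.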