Ensure DeleteUser is not allowed to Delete Orgs and visa versa (#10134)

6543 · zeripath · web-flow · commit d4096ab6a284 · 2020-02-04T16:27:18.000+02:00
* add check to DeleteUser

* add check to DeleteOrganization

* add Test

* remove redundancy (deleteOrg is only used in DeleteOrganization)

* Update models/org.go

Co-authored-by: zeripath &lt;art27@cantab.net&gt;
diff --git a/models/org.go b/models/org.go
@@ -256,6 +256,10 @@ func CountOrganizations() int64 {
 
 // DeleteOrganization completely and permanently deletes everything of organization.
 func DeleteOrganization(org *User) (err error) {
+	if !org.IsOrganization() {
+		return fmt.Errorf("%s is a user not an organization", org.Name)
+	}
+
 	sess := x.NewSession()
 	defer sess.Close()
 
@@ -275,10 +279,6 @@ func DeleteOrganization(org *User) (err error) {
 }
 
 func deleteOrg(e *xorm.Session, u *User) error {
-	if !u.IsOrganization() {
-		return fmt.Errorf("You can't delete none organization user: %s", u.Name)
-	}
-
 	// Check ownership of repository.
 	count, err := getRepositoryCount(e, u)
 	if err != nil {
diff --git a/models/org_test.go b/models/org_test.go
@@ -272,8 +272,8 @@ func TestDeleteOrganization(t *testing.T) {
 	assert.Error(t, err)
 	assert.True(t, IsErrUserOwnRepos(err))
 
-	nonOrg := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
-	assert.Error(t, DeleteOrganization(nonOrg))
+	user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
+	assert.Error(t, DeleteOrganization(user))
 	CheckConsistencyFor(t, &User{}, &Team{})
 }
 
diff --git a/models/user.go b/models/user.go
@@ -1244,6 +1244,10 @@ func deleteUser(e *xorm.Session, u *User) error {
 // DeleteUser completely and permanently deletes everything of a user,
 // but issues/comments/pulls will be kept and shown as someone has been deleted.
 func DeleteUser(u *User) (err error) {
+	if u.IsOrganization() {
+		return fmt.Errorf("%s is an organization not a user", u.Name)
+	}
+
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
diff --git a/models/user_test.go b/models/user_test.go
@@ -199,6 +199,9 @@ func TestDeleteUser(t *testing.T) {
 	test(4)
 	test(8)
 	test(11)
+
+	org := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+	assert.Error(t, DeleteUser(org))
 }
 
 func TestEmailNotificationPreferences(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -272,8 +272,8 @@ func TestDeleteOrganization(t *testing.T) {`
`272`	`272`	`assert.Error(t, err)`
`273`	`273`	`assert.True(t, IsErrUserOwnRepos(err))`
`274`	`274`
`275`		`- nonOrg := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)`
`276`		`- assert.Error(t, DeleteOrganization(nonOrg))`
	`275`	`+ user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)`
	`276`	`+ assert.Error(t, DeleteOrganization(user))`
`277`	`277`	`CheckConsistencyFor(t, &User{}, &Team{})`
`278`	`278`	`}`
`279`	`279`
Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,9 @@ func TestDeleteUser(t *testing.T) {`
`199`	`199`	`test(4)`
`200`	`200`	`test(8)`
`201`	`201`	`test(11)`
	`202`	`+`
	`203`	`+ org := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)`
	`204`	`+ assert.Error(t, DeleteUser(org))`
`202`	`205`	`}`
`203`	`206`
`204`	`207`	`func TestEmailNotificationPreferences(t *testing.T) {`