uc-cdis · pieterlukasse · Nov 6, 2024 · Oct 17, 2024 · Nov 5, 2024 · Nov 5, 2024
diff --git a/fence/auth.py b/fence/auth.py
@@ -19,6 +19,7 @@
 from fence.user import get_current_user
 from fence.utils import clear_cookies
 from fence.config import config
+from fence.authz.auth import check_arborist_auth
 
 logger = get_logger(__name__)
 
@@ -275,25 +276,9 @@ def get_user_from_claims(claims):
     )
 
 
-def admin_required(f):
-    """
-    Require user to be an admin user.
-    """
-
-    @wraps(f)
-    def wrapper(*args, **kwargs):
-        if not flask.g.user:
-            raise Unauthorized("Require login")
-        if flask.g.user.is_admin is not True:
-            raise Unauthorized("Require admin user")
-        return f(*args, **kwargs)
-
-    return wrapper
-
-
 def admin_login_required(function):
-    """Compose the login required and admin required decorators."""
-    return login_required({"admin"})(admin_required(function))
+    """Use the check_arborist_auth decorator checking on admin authorization."""
+    return check_arborist_auth(["/services/fence/admin"], "*")(function)
 
 
 def _update_users_email(user, email):

diff --git a/tests/admin/test_admin_users_endpoints.py b/tests/admin/test_admin_users_endpoints.py
@@ -27,7 +27,7 @@
 
 @pytest.fixture(autouse=True)
 def mock_arborist(mock_arborist_requests):
-    mock_arborist_requests()
+    mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": True}, 200)}})
 
 
 # TODO: Not yet tested: PUT,DELETE /users/<username>/projects
@@ -186,6 +186,18 @@ def test_get_user_username(
     assert r.json["username"] == "test_a"
 
 
+def test_get_user_username_no_admin_auth(
+    client, encoded_admin_jwt, mock_arborist_requests
+):
+    """GET /users/<username>: [get_user]: rainy path where arborist authorization check fails"""
+    mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": False}, 200)}})
+    r = client.get(
+        "/admin/users/test_a", headers={"Authorization": "Bearer " + encoded_admin_jwt}
+    )
+    assert r.status_code == 403
+    assert "user does not have privileges to access this endpoint" in r.text
+
+
 def test_get_user_long_username(
     client, admin_user, encoded_admin_jwt, db_session, test_user_long
 ):