From 3cbd27a2356c9ff07fc80fef5888acb71fc2d7f7 Mon Sep 17 00:00:00 2001
From: Jan-Benedikt Jagusch
Date: Thu, 28 Sep 2023 17:46:42 +0200
Subject: [PATCH] Fix set user roles when role is None (#669)
* Add test case where target user role is None.
* Use UserOptionalRole in set user role.
* Fix type annotations.
---
 quetz/authorization.py | 2 +-
 quetz/dao.py | 2 +-
 quetz/main.py | 2 +-
 quetz/tests/api/test_users.py | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/quetz/authorization.py b/quetz/authorization.py
index 7f2e5343..9b175c80 100644
--- a/quetz/authorization.py
+++ b/quetz/authorization.py
@@ -128,7 +128,7 @@ def assert_delete_user(self, requested_user_id: bytes):
 return user_id
- def assert_assign_user_role(self, role: str):
+ def assert_assign_user_role(self, role: Optional[str]):
 if role == SERVER_MAINTAINER or role == SERVER_OWNER:
 return self.assert_server_roles([SERVER_OWNER])
 if role == SERVER_MEMBER:
diff --git a/quetz/dao.py b/quetz/dao.py
index 3e61aa0b..9077363d 100644
--- a/quetz/dao.py
+++ b/quetz/dao.py
@@ -240,7 +240,7 @@ def delete_user(self, user_id: bytes):
 ).delete()
 self.db.commit()
- def set_user_role(self, username: str, role: str):
+ def set_user_role(self, username: str, role: Optional[str]):
 user = self.db.query(User).filter(User.username == username).one_or_none()
 if user:
diff --git a/quetz/main.py b/quetz/main.py
index e6f074c7..9bd35574 100644
--- a/quetz/main.py
+++ b/quetz/main.py
@@ -499,7 +499,7 @@ def get_user_role(
 @api_router.put("/users/{username}/role", tags=["users"])
 def set_user_role(
 username: str,
- role: rest_models.UserRole,
+ role: rest_models.UserOptionalRole,
 dao: Dao = Depends(get_dao),
 auth: authorization.Rules = Depends(get_rules),
 ):
diff --git a/quetz/tests/api/test_users.py b/quetz/tests/api/test_users.py
index 21a38394..4f3473bd 100644
--- a/quetz/tests/api/test_users.py
+++ b/quetz/tests/api/test_users.py
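Review bot: In quetz/authorization.py, once `role` may be `None`, neither visible comparison in `assert_assign_user_role` matches it (`role == SERVER_MAINTAINER or role == SERVER_OWNER`, then `role == SERVER_MEMBER`), so whether clearing a role is authorised depends entirely on the part of the body outside this hunk. If the function falls off the end for unmatched values, any authenticated caller could remove another user's role, which is a privilege change in its own right. An explicit branch such as `if role is None: return self.assert_server_roles([SERVER_OWNER])`, followed by a final rejection of unrecognised values, would make the check fail closed. Which roles may clear a role is a policy decision I cannot read from these lines.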
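Review bot: In quetz/dao.py, `set_user_role` now advertises `role: Optional[str]`, but nothing at the signature says what `None` does to the stored role. The branch under `if user:` continues outside this hunk, so I cannot tell whether the role is deleted or a null is written. A one-line docstring would settle it for callers, for example `"""Set the server role of username; role=None removes the user's role."""`, with the wording adjusted to what the body really does.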
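Review bot: In quetz/main.py, switching the body model to `rest_models.UserOptionalRole` lets a PUT on `/users/{username}/role` remove a role altogether. Nothing in the visible decorator or signature stops that being applied to the last remaining owner or to the caller's own account. The handler body lies outside this hunk, so this may already be covered there. If it is not, a guard before the DAO call that refuses to clear the final owner role would keep the server from ending up with no account able to administer roles. The route's docstring should also state that a null `role` means removal.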
@@ -27,6 +27,7 @@ def test_validate_user_role_names(user, client, other_user, db):
 ("other", "owner", "member", 200),
 ("other", "owner", "maintainer", 200),
 ("other", "owner", "owner", 200),
+ ("other", "owner", None, 200),
 ("missing_user", "owner", "member", 404),
 ],
 )
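Review bot: The added row `("other", "owner", None, 200)` only exercises role removal by an owner, so the test would still pass if clearing a role required no privilege at all. A companion row with a lower-privileged caller, for example `("other", "member", None, 403)`, would pin the authorisation side of the new path. The expected status there is my assumption and should follow whatever `assert_assign_user_role` enforces for `None`. The parametrize decorator and the test function begin and end outside this hunk, so the column order (target user, caller role, new role, status) is inferred from the neighbouring rows.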