Merge pull request #165 from chrismeyersfsu/fix-user_not_exist

404 not found for users that don't exist

awx/api/views.py

@@ -812,7 +812,7 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
 
     def update_filter(self, request, *args, **kwargs):
         ''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
-        obj = User.objects.get(pk=kwargs['pk'])
+        obj = self.get_object()
         can_change = request.user.can_access(User, 'change', obj, request.DATA)
         can_admin = request.user.can_access(User, 'admin', obj, request.DATA)
         if can_change and not can_admin:
@@ -828,7 +828,7 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
                 raise PermissionDenied('Cannot change %s' % ', '.join(changed.keys()))
 
     def destroy(self, request, *args, **kwargs):
-        obj = User.objects.get(pk=kwargs['pk'])
+        obj = self.get_object()
         can_delete = request.user.can_access(User, 'delete', obj)
         if not can_delete:
             raise PermissionDenied('Cannot delete user')

awx/main/tests/users.py

@@ -322,6 +322,13 @@ class UsersTest(BaseTest):
         orig = User.objects.get(pk=self.super_django_user.pk)
         self.assertTrue(orig.username != 'change')
 
+    def test_user_delete_non_existant_user(self):
+        user_pk = self.normal_django_user.pk
+        fake_pk = user_pk + 1000
+        self.assertFalse(User.objects.filter(pk=fake_pk).exists(), "We made up a fake pk and it happened to exist")
+        url = reverse('api:user_detail', args=(fake_pk,))
+        self.delete(url, expect=404, auth=self.get_super_credentials())
+
     def test_password_not_shown_in_get_operations_for_list_or_detail(self):
         url = reverse('api:user_detail', args=(self.super_django_user.pk,))
         data = self.get(url, expect=200, auth=self.get_super_credentials())