admin api role check (#4353)

* admin api role check

* add check to new tabs and tests

* fix work-weixin virus scan check

tests/api/endpoints/admin/test_abuse_reports.py

@@ -18,6 +18,13 @@ class AdminAbuseReportsTest(BaseTestCase):
         resp = self.client.get(self.url)
         self.assertEqual(200, resp.status_code)
 
+    @patch('seahub.api2.endpoints.admin.abuse_reports.ENABLE_SHARE_LINK_REPORT_ABUSE', MagicMock(return_value=True))
+    def test_no_permission(self):
+        self.logout()
+        self.login_as(self.admin_no_other_permission)
+        resp = self.client.get(self.url)
+        self.assertEqual(403, resp.status_code)
+
 
 class AdminAbuseReportTest(BaseTestCase):
     def setUp(self):
@@ -42,6 +49,15 @@ class AdminAbuseReportTest(BaseTestCase):
         report = AbuseReport.objects.get(id=report_id)
         report.delete()
 
+    @patch('seahub.api2.endpoints.admin.abuse_reports.ENABLE_SHARE_LINK_REPORT_ABUSE', MagicMock(return_value=True))
+    def test_no_permission(self):
+        self.logout()
+        self.login_as(self.admin_no_other_permission)
+        report = self._add_abuse_report()
+        data = 'handled=' + str(not report.handled).lower()
+        resp = self.client.put(self.url + str(report.id) + '/', data, 'application/x-www-form-urlencoded')
+        self.assertEqual(403, resp.status_code)
+
     @patch('seahub.api2.endpoints.admin.abuse_reports.ENABLE_SHARE_LINK_REPORT_ABUSE', MagicMock(return_value=True))
     def test_can_put(self):
         report = self._add_abuse_report()