[RBAC] BREAKING CHANGE: Fix #11883: az role assignment create: empt…

…y scope will prompt error (#11983) * [RBAC] BREAKING CHANGE: Fix #11883: `az role assignment create`: empty scope will prompt error * add test for role assignment with empty scope case * udpate HISTORY.rst according to alphabetic order
Azure · Jan 30, 2020 · b79f144 · b79f144
1 parent 72a7e1f
commit b79f144
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/src/azure-cli/HISTORY.rst b/src/azure-cli/HISTORY.rst
@@ -52,6 +52,10 @@ Release History
 
 * Fix #2092: az network dns record-set add/remove: add warning when record-set is not found. In the future, an extra argument will be supported to confirm this auto creation.
 
+**RBAC**
+
+* [BREAKING CHANGE] Fix #11883: `az role assignment create`: empty scope will prompt error
+
 **Security**
 
 * Added new commands `az atp show` and `az atp update` to view and manage advanced threat protection settings for storage accounts.

diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -494,6 +494,8 @@ def _build_role_scope(resource_group_name, scope, subscription_id):
         if resource_group_name:
             err = 'Resource group "{}" is redundant because scope is supplied'
             raise CLIError(err.format(resource_group_name))
+    elif scope == '':
+        raise CLIError('Invalid scope. Please use --help to view the valid format.')
     elif resource_group_name:
         scope = subscription_scope + '/resourceGroups/' + resource_group_name
     else:

diff --git a/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py b/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py
@@ -12,6 +12,7 @@
 import mock
 import unittest
 
+from knack.util import CLIError
 from azure_devtools.scenario_tests import AllowLargeResponse, record_only
 from azure.cli.core.profiles import ResourceType, get_sdk
 from azure.cli.testsdk import ScenarioTest, LiveScenarioTest, ResourceGroupPreparer, KeyVaultPreparer
@@ -295,6 +296,11 @@ def test_role_assignment_e2e(self, resource_group):
                 self.cmd('role assignment list --assignee {upn}',
                          checks=self.check("length([])", 1))
                 self.cmd('role assignment delete --assignee {upn} --role reader')
+
+                # test role assignment on empty scope
+                with self.assertRaisesRegexp(CLIError, 'Invalid scope. Please use --help to view the valid format.'):
+                    self.cmd('role assignment create --assignee {upn} --scope "" --role reader')
+                    self.cmd('role assignment delete --assignee {upn} --scope "" --role reader')
             finally:
                 self.cmd('ad user delete --upn-or-object-id {upn}')