/files/<uuid>: fix ownership transfers

2023-05-21 22:18:45 -04:00 · 2023-05-21 22:18:45 -04:00 · 14734446ba
commit 14734446ba
parent bc2c14e52f
2 changed files with 69 additions and 5 deletions
--- a/sachet/server/files/views.py
+++ b/sachet/server/files/views.py
@ -2,7 +2,7 @@ import uuid
 import io
 from flask import Blueprint, request, jsonify, send_file, make_response
 from flask.views import MethodView
-from sachet.server.models import Share, Permissions, Upload, Chunk
+from sachet.server.models import Share, Permissions, Upload, Chunk, User
 from sachet.server.views_common import ModelAPI, ModelListAPI, auth_required
 from sachet.server import storage, db

@ -28,6 +28,18 @@ class FilesMetadataAPI(ModelAPI):
                ),
                403,
            )
+        owner_name = request.get_json().get("owner_name")
+        if owner_name is not None:
+            if User.query.filter_by(username=owner_name).first() is None:
+                return (
+                    jsonify(
+                        {
+                            "status": "fail",
+                            "message": f"Invalid value for `owner_name`: {owner_name}",
+                        }
+                    ),
+                    400,
+                )
        if share.locked:
            return jsonify({"status": "fail", "message": "This share is locked."}), 423
        return super().patch(share)
@ -45,6 +57,18 @@ class FilesMetadataAPI(ModelAPI):
                ),
                403,
            )
+        owner_name = request.get_json().get("owner_name")
+        if owner_name is not None:
+            if User.query.filter_by(username=owner_name).first() is None:
+                return (
+                    jsonify(
+                        {
+                            "status": "fail",
+                            "message": f"Invalid value for `owner_name`: {owner_name}",
+                        }
+                    ),
+                    400,
+                )
        if share.locked:
            return jsonify({"status": "fail", "message": "This share is locked."}), 423
        return super().put(share)
--- a/tests/test_files.py
+++ b/tests/test_files.py
@ -105,6 +105,42 @@ class TestSuite:
        assert resp.data == new_data
        assert "filename=new_bin.bin" in resp.headers["Content-Disposition"].split("; ")

+    def test_transfer(self, client, users, auth):
+        # create share
+        resp = client.post(
+            "/files", headers=auth("jeff"), json={"file_name": "content.bin"}
+        )
+        data = resp.get_json()
+        url = data.get("url")
+
+        # transfer ownership over to dave
+        resp = client.patch(url, headers=auth("jeff"), json={"owner_name": "dave"})
+        assert resp.status_code == 200
+
+        # ensure the transfer worked
+        resp = client.patch(
+            url, headers=auth("jeff"), json={"file_name": "jeff's file"}
+        )
+        assert resp.status_code == 403
+        resp = client.patch(
+            url, headers=auth("dave"), json={"file_name": "dave's file"}
+        )
+        assert resp.status_code == 200
+
+        # transfer ownership back to jeff
+        resp = client.patch(url, headers=auth("dave"), json={"owner_name": "jeff"})
+        assert resp.status_code == 200
+
+        # ensure the transfer worked
+        resp = client.patch(
+            url, headers=auth("dave"), json={"file_name": "dave's epic file"}
+        )
+        assert resp.status_code == 403
+        resp = client.patch(
+            url, headers=auth("jeff"), json={"file_name": "jeff's file"}
+        )
+        assert resp.status_code == 200
+
    def test_invalid(self, client, users, auth, rand, upload):
        """Test invalid requests."""

@ -183,18 +219,22 @@ class TestSuite:
        )
        assert resp.status_code == 403
        resp = client.patch(
-            url,
-            headers=auth("dave"),
-            json=dict(file_name="epic_new_filename.bin")
+            url, headers=auth("dave"), json=dict(file_name="epic_new_filename.bin")
        )
        assert resp.status_code == 403
        resp = client.put(
            url,
            headers=auth("dave"),
-            json=dict(file_name="epic_new_filename.bin", owner_name="dave")
+            json=dict(file_name="epic_new_filename.bin", owner_name="dave"),
        )
        assert resp.status_code == 403

+        # test assigning a file to a non-existent user
+        resp = client.patch(
+            url, headers=auth("jeff"), json=dict(owner_name="non_existent_user")
+        )
+        assert resp.status_code == 400
+
        # test not allowing re-upload
        resp = upload(
            url + "/content",