From 14734446ba2a469034afac46a9fd55f2a8db0d97 Mon Sep 17 00:00:00 2001 From: dogeystamp Date: Sun, 21 May 2023 22:18:45 -0400 Subject: [PATCH] /files/: fix ownership transfers --- sachet/server/files/views.py | 26 ++++++++++++++++++- tests/test_files.py | 48 +++++++++++++++++++++++++++++++++--- 2 files changed, 69 insertions(+), 5 deletions(-) diff --git a/sachet/server/files/views.py b/sachet/server/files/views.py index 719af3e..9f5b2ac 100644 --- a/sachet/server/files/views.py +++ b/sachet/server/files/views.py @@ -2,7 +2,7 @@ import uuid import io from flask import Blueprint, request, jsonify, send_file, make_response from flask.views import MethodView -from sachet.server.models import Share, Permissions, Upload, Chunk +from sachet.server.models import Share, Permissions, Upload, Chunk, User from sachet.server.views_common import ModelAPI, ModelListAPI, auth_required from sachet.server import storage, db @@ -28,6 +28,18 @@ class FilesMetadataAPI(ModelAPI): ), 403, ) + owner_name = request.get_json().get("owner_name") + if owner_name is not None: + if User.query.filter_by(username=owner_name).first() is None: + return ( + jsonify( + { + "status": "fail", + "message": f"Invalid value for `owner_name`: {owner_name}", + } + ), + 400, + ) if share.locked: return jsonify({"status": "fail", "message": "This share is locked."}), 423 return super().patch(share) @@ -45,6 +57,18 @@ class FilesMetadataAPI(ModelAPI): ), 403, ) + owner_name = request.get_json().get("owner_name") + if owner_name is not None: + if User.query.filter_by(username=owner_name).first() is None: + return ( + jsonify( + { + "status": "fail", + "message": f"Invalid value for `owner_name`: {owner_name}", + } + ), + 400, + ) if share.locked: return jsonify({"status": "fail", "message": "This share is locked."}), 423 return super().put(share) diff --git a/tests/test_files.py b/tests/test_files.py index f7ff1ec..cf9a215 100644 --- a/tests/test_files.py +++ b/tests/test_files.py @@ -105,6 +105,42 @@ class TestSuite: assert resp.data == new_data assert "filename=new_bin.bin" in resp.headers["Content-Disposition"].split("; ") + def test_transfer(self, client, users, auth): + # create share + resp = client.post( + "/files", headers=auth("jeff"), json={"file_name": "content.bin"} + ) + data = resp.get_json() + url = data.get("url") + + # transfer ownership over to dave + resp = client.patch(url, headers=auth("jeff"), json={"owner_name": "dave"}) + assert resp.status_code == 200 + + # ensure the transfer worked + resp = client.patch( + url, headers=auth("jeff"), json={"file_name": "jeff's file"} + ) + assert resp.status_code == 403 + resp = client.patch( + url, headers=auth("dave"), json={"file_name": "dave's file"} + ) + assert resp.status_code == 200 + + # transfer ownership back to jeff + resp = client.patch(url, headers=auth("dave"), json={"owner_name": "jeff"}) + assert resp.status_code == 200 + + # ensure the transfer worked + resp = client.patch( + url, headers=auth("dave"), json={"file_name": "dave's epic file"} + ) + assert resp.status_code == 403 + resp = client.patch( + url, headers=auth("jeff"), json={"file_name": "jeff's file"} + ) + assert resp.status_code == 200 + def test_invalid(self, client, users, auth, rand, upload): """Test invalid requests.""" @@ -183,18 +219,22 @@ class TestSuite: ) assert resp.status_code == 403 resp = client.patch( - url, - headers=auth("dave"), - json=dict(file_name="epic_new_filename.bin") + url, headers=auth("dave"), json=dict(file_name="epic_new_filename.bin") ) assert resp.status_code == 403 resp = client.put( url, headers=auth("dave"), - json=dict(file_name="epic_new_filename.bin", owner_name="dave") + json=dict(file_name="epic_new_filename.bin", owner_name="dave"), ) assert resp.status_code == 403 + # test assigning a file to a non-existent user + resp = client.patch( + url, headers=auth("jeff"), json=dict(owner_name="non_existent_user") + ) + assert resp.status_code == 400 + # test not allowing re-upload resp = upload( url + "/content",