/files: disallow modifying other users' shares

2023-04-29 12:09:32 -04:00 · 2023-04-29 12:09:32 -04:00 · 424de4f282
commit 424de4f282
parent fa57548e0b
2 changed files with 23 additions and 0 deletions
--- a/sachet/server/files/views.py
+++ b/sachet/server/files/views.py
@ -117,6 +117,17 @@ class FileContentAPI(ModelAPI):
                jsonify({"status": "fail", "message": "This share does not exist."})
            ), 404

+        if auth_user != share.owner:
+            return (
+                jsonify(
+                    {
+                        "status": "fail",
+                        "message": "Share must be initialized by its owner.",
+                    }
+                ),
+                403,
+            )
+
        if not share.initialized:
            return (
                jsonify(
--- a/tests/test_files.py
+++ b/tests/test_files.py
@ -182,6 +182,18 @@ class TestSuite:
        )
        assert resp.status_code == 201

+        # test other user being unable to modify this share
+        resp = client.put(
+            url + "/content",
+            headers=auth("dave"),
+            data={
+                "upload": FileStorage(stream=BytesIO(upload_data), filename="upload")
+            },
+            content_type="multipart/form-data",
+        )
+        assert resp.status_code == 403
+
+
        # test not allowing re-upload
        resp = client.post(
            url + "/content",