From 424de4f2821588fb7df991fbaf5e278364ff366e Mon Sep 17 00:00:00 2001 From: dogeystamp Date: Sat, 29 Apr 2023 12:09:32 -0400 Subject: [PATCH] /files: disallow modifying other users' shares --- sachet/server/files/views.py | 11 +++++++++++ tests/test_files.py | 12 ++++++++++++ 2 files changed, 23 insertions(+) diff --git a/sachet/server/files/views.py b/sachet/server/files/views.py index c617b73..e17d8e8 100644 --- a/sachet/server/files/views.py +++ b/sachet/server/files/views.py @@ -117,6 +117,17 @@ class FileContentAPI(ModelAPI): jsonify({"status": "fail", "message": "This share does not exist."}) ), 404 + if auth_user != share.owner: + return ( + jsonify( + { + "status": "fail", + "message": "Share must be initialized by its owner.", + } + ), + 403, + ) + if not share.initialized: return ( jsonify( diff --git a/tests/test_files.py b/tests/test_files.py index 4649203..7306f20 100644 --- a/tests/test_files.py +++ b/tests/test_files.py @@ -182,6 +182,18 @@ class TestSuite: ) assert resp.status_code == 201 + # test other user being unable to modify this share + resp = client.put( + url + "/content", + headers=auth("dave"), + data={ + "upload": FileStorage(stream=BytesIO(upload_data), filename="upload") + }, + content_type="multipart/form-data", + ) + assert resp.status_code == 403 + + # test not allowing re-upload resp = client.post( url + "/content",
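Review bot: The 403 message on the added lines, `"Share must be initialized by its owner."`, does not describe the condition it reports: the context line that follows, `if not share.initialized:`, indicates this handler is the modify path for an already initialized share, so a non-owner is told about initialization rather than about ownership. Suggest `"message": "Share can only be modified by its owner."`; and since the commit title covers modification only, if the initialization handler in this class has no equivalent owner check it needs one as well, which I cannot confirm from the hunk. The comparison `auth_user != share.owner` depends on ORM instance equality; comparing the two records' primary keys would be more robust if instance identity is not guaranteed across sessions. The enclosing method starts and ends outside the hunk.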
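Review bot: The new test asserts only `resp.status_code == 403` for dave's PUT; it does not verify that the rejected request left the share's content untouched, which is the property the server check exists to protect. After the 403 assertion, fetching the content as the owner and asserting it still equals `upload_data` would pin that (the read route is not visible in this hunk, so use whatever the suite already exercises). Only the PUT path is covered here; a non-owner POST to `url + "/content"` on an uninitialized share is not tested, presumably because the server change is limited to the modify path. The enclosing test method starts and ends outside the hunk.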