sachet/sachet-server
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

/files: disallow modifying other users' shares

Browse Source
This commit is contained in:
dogeystamp 2023-04-29 12:09:32 -04:00
parent fa57548e0b
commit 424de4f282
Signed by: dogeystamp
GPG Key ID: 7225FE3592EFFA38
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sachet/server/files/views.py
View File

@ -117,6 +117,17 @@ class FileContentAPI(ModelAPI):
jsonify({"status": "fail", "message": "This share does not exist."}) jsonify({"status": "fail", "message": "This share does not exist."})
), 404 ), 404
if auth_user != share.owner:
return (
jsonify(
{
"status": "fail",
"message": "Share must be initialized by its owner.",
}
),
403,
)
if not share.initialized: if not share.initialized:
return ( return (
jsonify( jsonify(

12
tests/test_files.py
View File

@ -182,6 +182,18 @@ class TestSuite:
) )
assert resp.status_code == 201 assert resp.status_code == 201
# test other user being unable to modify this share
resp = client.put(
url + "/content",
headers=auth("dave"),
data={
"upload": FileStorage(stream=BytesIO(upload_data), filename="upload")
},
content_type="multipart/form-data",
)
assert resp.status_code == 403
# test not allowing re-upload # test not allowing re-upload
resp = client.post( resp = client.post(
url + "/content", url + "/content",