/files/<uuid>: fix shares permission issue
users can no longer change the metadata on shares they do not own
This commit is contained in:
parent
88bd79c228
commit
bc2c14e52f
GPG Key ID:
7225FE3592EFFA38
@ -18,6 +18,16 @@ class FilesMetadataAPI(ModelAPI):
|
||||
@auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
|
||||
def patch(self, share_id, auth_user=None):
|
||||
share = Share.query.filter_by(share_id=share_id).first()
|
||||
if auth_user != share.owner:
|
||||
return (
|
||||
jsonify(
|
||||
{
|
||||
"status": "fail",
|
||||
"message": "Share must be modified by its owner.",
|
||||
}
|
||||
),
|
||||
403,
|
||||
)
|
||||
if share.locked:
|
||||
return jsonify({"status": "fail", "message": "This share is locked."}), 423
|
||||
return super().patch(share)
|
||||
@ -25,6 +35,16 @@ class FilesMetadataAPI(ModelAPI):
|
||||
@auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
|
||||
def put(self, share_id, auth_user=None):
|
||||
share = Share.query.filter_by(share_id=share_id).first()
|
||||
if auth_user != share.owner:
|
||||
return (
|
||||
jsonify(
|
||||
{
|
||||
"status": "fail",
|
||||
"message": "Share must be modified by its owner.",
|
||||
}
|
||||
),
|
||||
403,
|
||||
)
|
||||
if share.locked:
|
||||
return jsonify({"status": "fail", "message": "This share is locked."}), 423
|
||||
return super().put(share)
|
||||
|
||||
@ -182,6 +182,18 @@ class TestSuite:
|
||||
method=client.put,
|
||||
)
|
||||
assert resp.status_code == 403
|
||||
resp = client.patch(
|
||||
url,
|
||||
headers=auth("dave"),
|
||||
json=dict(file_name="epic_new_filename.bin")
|
||||
)
|
||||
assert resp.status_code == 403
|
||||
resp = client.put(
|
||||
url,
|
||||
headers=auth("dave"),
|
||||
json=dict(file_name="epic_new_filename.bin", owner_name="dave")
|
||||
)
|
||||
assert resp.status_code == 403
|
||||
|
||||
# test not allowing re-upload
|
||||
resp = upload(
|
||||
|
||||
Loading…
Reference in New Issue
Block a user