From bc2c14e52f92d702952acf31f1db27e284756b99 Mon Sep 17 00:00:00 2001
From: dogeystamp
Date: Sun, 21 May 2023 22:01:02 -0400
Subject: [PATCH] /files/: fix shares permission issue
users can no longer change the metadata on shares they do not own
---
sachet/server/files/views.py | 20 ++++++++++++++++++++
tests/test_files.py | 12 ++++++++++++
2 files changed, 32 insertions(+)
diff --git a/sachet/server/files/views.py b/sachet/server/files/views.py
index 4beedfd..719af3e 100644
--- a/sachet/server/files/views.py
+++ b/sachet/server/files/views.py
@@ -18,6 +18,16 @@ class FilesMetadataAPI(ModelAPI):
 @auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
 def patch(self, share_id, auth_user=None):
 share = Share.query.filter_by(share_id=share_id).first()
+ if auth_user != share.owner:
+ return (
+ jsonify(
+ {
+ "status": "fail",
+ "message": "Share must be modified by its owner.",
+ }
+ ),
+ 403,
+ )
 if share.locked:
 return jsonify({"status": "fail", "message": "This share is locked."}), 423
 return super().patch(share)
@@ -25,6 +35,16 @@ class FilesMetadataAPI(ModelAPI):
 @auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
 def put(self, share_id, auth_user=None):
 share = Share.query.filter_by(share_id=share_id).first()
+ if auth_user != share.owner:
+ return (
+ jsonify(
+ {
+ "status": "fail",
+ "message": "Share must be modified by its owner.",
+ }
+ ),
+ 403,
+ )
 if share.locked:
 return jsonify({"status": "fail", "message": "This share is locked."}), 423
 return super().put(share)
diff --git a/tests/test_files.py b/tests/test_files.py
index 1023b32..f7ff1ec 100644
--- a/tests/test_files.py
+++ b/tests/test_files.py
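Review bot: The new owner check in patch() dereferences `share.owner` before anything confirms the lookup found a row — `Share.query.filter_by(share_id=share_id).first()` returns None for an unknown share_id, so a request with a bad id now fails with an AttributeError (a 500) on the added line rather than a clean 404; the identical block in the put() hunk has the same gap. Unless a decorator or route guard outside these hunks already rejects missing shares, add a guard ahead of the comparison, e.g. `if share is None: return jsonify({"status": "fail", "message": "Share not found."}), 404`. Because both endpoints are declared with `allow_anonymous=True`, `auth_user` is presumably None for unauthenticated callers, and the `!=` comparison then denies access only as long as `share.owner` is never None for a stored share — worth confirming or making explicit with `if auth_user is None or auth_user != share.owner:`. The ten-line 403 response is now duplicated verbatim in patch() and put(); a small helper returning the (response, 403) tuple would keep the two in step. The enclosing FilesMetadataAPI class begins outside the hunks, though both method bodies are fully visible.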
@@ -182,6 +182,18 @@ class TestSuite:
 method=client.put,
 )
 assert resp.status_code == 403
+ resp = client.patch( url, headers=auth("dave"), json=dict(file_name="epic_new_filename.bin") )
+ assert resp.status_code == 403
+ resp = client.put( url, headers=auth("dave"), json=dict(file_name="epic_new_filename.bin", owner_name="dave") )
+ assert resp.status_code == 403
 # test not allowing re-upload
 resp = upload(