sachet/sachet-server
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

/files/<uuid>: fix shares permission issue

Browse Source 
users can no longer change the metadata on shares they do not own
This commit is contained in:
dogeystamp 2023-05-21 22:01:02 -04:00
parent 88bd79c228
commit bc2c14e52f
Signed by: dogeystamp
GPG Key ID: 7225FE3592EFFA38
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sachet/server/files/views.py
View File

@ -18,6 +18,16 @@ class FilesMetadataAPI(ModelAPI):
@auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True) @auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
def patch(self, share_id, auth_user=None): def patch(self, share_id, auth_user=None):
share = Share.query.filter_by(share_id=share_id).first() share = Share.query.filter_by(share_id=share_id).first()
if auth_user != share.owner:
return (
jsonify(
{
"status": "fail",
"message": "Share must be modified by its owner.",
}
),
403,
)
if share.locked: if share.locked:
return jsonify({"status": "fail", "message": "This share is locked."}), 423 return jsonify({"status": "fail", "message": "This share is locked."}), 423
return super().patch(share) return super().patch(share)
@ -25,6 +35,16 @@ class FilesMetadataAPI(ModelAPI):
@auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True) @auth_required(required_permissions=(Permissions.MODIFY,), allow_anonymous=True)
def put(self, share_id, auth_user=None): def put(self, share_id, auth_user=None):
share = Share.query.filter_by(share_id=share_id).first() share = Share.query.filter_by(share_id=share_id).first()
if auth_user != share.owner:
return (
jsonify(
{
"status": "fail",
"message": "Share must be modified by its owner.",
}
),
403,
)
if share.locked: if share.locked:
return jsonify({"status": "fail", "message": "This share is locked."}), 423 return jsonify({"status": "fail", "message": "This share is locked."}), 423
return super().put(share) return super().put(share)

12
tests/test_files.py
View File

@ -182,6 +182,18 @@ class TestSuite:
method=client.put, method=client.put,
) )
assert resp.status_code == 403 assert resp.status_code == 403
resp = client.patch(
url,
headers=auth("dave"),
json=dict(file_name="epic_new_filename.bin")
)
assert resp.status_code == 403
resp = client.put(
url,
headers=auth("dave"),
json=dict(file_name="epic_new_filename.bin", owner_name="dave")
)
assert resp.status_code == 403
# test not allowing re-upload # test not allowing re-upload
resp = upload( resp = upload(