check if is group member when share repo to group

seahub/api2/endpoints/dir_shared_items.py

@@ -12,7 +12,8 @@ from rest_framework.views import APIView
 from django.utils.translation import ugettext as _
 
 import seaserv
-from seaserv import seafile_api
+from seaserv import seafile_api, ccnet_api
+from constance import config
 
 from seahub.api2.authentication import TokenAuthentication
 from seahub.api2.permissions import IsRepoAccessible
@@ -347,11 +348,25 @@ class DirSharedItemsEndpoint(APIView):
                 try:
                     gid = int(gid)
                 except ValueError:
-                    return api_error(status.HTTP_400_BAD_REQUEST, 'group_id %s invalid.' % gid)
+                    result['failed'].append({
+                        'error_msg': _(u'group_id %s invalid.') % gid
+                        })
+                    continue
 
-                group = seaserv.get_group(gid)
+                group = ccnet_api.get_group(gid)
                 if not group:
-                    return api_error(status.HTTP_404_NOT_FOUND, 'Group %s not found' % gid)
+                    result['failed'].append({
+                        'error_msg': _(u'Group %s not found') % gid
+                        })
+                    continue
+
+                if not config.ENABLE_SHARE_TO_ALL_GROUPS and \
+                        not ccnet_api.is_group_user(gid, username):
+                    result['failed'].append({
+                        'group_name': group.group_name,
+                        'error_msg': _(u'Permission denied.')
+                        })
+                    continue
 
                 if self.has_shared_to_group(request, repo_id, path, gid):
                     result['failed'].append({

tests/api/endpoints/test_dir_shared_items.py

@@ -1,4 +1,5 @@
 import json
+from mock import patch
 
 from seaserv import seafile_api
 
@@ -196,6 +197,44 @@ class DirSharedItemsTest(BaseTestCase):
         json_resp = json.loads(resp.content)
         assert 'has been shared to' in json_resp['failed'][0]['error_msg']
 
+    def test_share_to_group_if_not_group_member(self):
+        self.login_as(self.user)
+
+        grp = self.create_group(group_name="test-grp2",
+                                 username=self.admin.username)
+
+        resp = self.client.put(
+            '/api2/repos/%s/dir/shared_items/?p=/' % (self.repo.id),
+            "share_type=group&group_id=%d&permission=rw" % (grp.id),
+            'application/x-www-form-urlencoded',
+        )
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp['failed']) == 1
+        assert len(json_resp['success']) == 0
+        assert json_resp['failed'][0]['error_msg'] == 'Permission denied.'
+
+    @patch('seahub.api2.endpoints.dir_shared_items.config')
+    def test_share_to_group_if_not_group_member_2(self, mock_settings):
+
+        mock_settings.ENABLE_SHARE_TO_ALL_GROUPS.return_value = True
+
+        self.login_as(self.user)
+
+        grp = self.create_group(group_name="test-grp2",
+                                 username=self.admin.username)
+
+        resp = self.client.put(
+            '/api2/repos/%s/dir/shared_items/?p=/' % (self.repo.id),
+            "share_type=group&group_id=%d&permission=rw" % (grp.id),
+            'application/x-www-form-urlencoded',
+        )
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp['failed']) == 0
+        assert len(json_resp['success']) == 1
+        assert json_resp['success'][0]['group_info']['id'] == grp.id
+
     def test_share_with_invalid_email(self):
         self.login_as(self.user)
         invalid_email = '%s' % randstring(6)