update permission check wehn unstar item

2025-04-28 03:10:45 +00:00 · 2019-05-14 10:44:38 +08:00 · 2019-05-14 10:44:38 +08:00 · 88b24c609c
commit 88b24c609c
parent 3cc43d9041
2 changed files with 49 additions and 6 deletions
--- a/seahub/api2/endpoints/starred_items.py
+++ b/seahub/api2/endpoints/starred_items.py
@ -195,13 +195,20 @@ class StarredItems(APIView):
            error_msg = 'path invalid.'
            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)

-        # permission check
-        if not check_folder_permission(request, repo_id, '/'):
-            error_msg = 'Permission denied.'
-            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+        # handler path if item exist
+        if seafile_api.get_dir_id_by_path(repo_id, path):
+            path = normalize_dir_path(path)
+        elif seafile_api.get_file_id_by_path(repo_id, path):
+            path = normalize_file_path(path)
+
+        email = request.user.username
+
+        # database record check
+        if not UserStarredFiles.objects.get_starred_item(email, repo_id, path):
+            error_msg = 'Item %s not found.' % path
+            return api_error(status.HTTP_404_NOT_FOUND, error_msg)

        # unstar a item
-        email = request.user.username
        try:
            UserStarredFiles.objects.delete_starred_item(email, repo_id, path)
        except Exception as e:
--- a/tests/api/endpoints/test_starred_items.py
+++ b/tests/api/endpoints/test_starred_items.py
@ -1,5 +1,5 @@
 import json
-
+from tests.common.utils import randstring

 from django.core.urlresolvers import reverse

@ -85,6 +85,24 @@ class StarredItemsTest(BaseTestCase):
        # confirm file is unstarred
        assert is_file_starred(self.user_name, self.repo_id, self.file) is False

+    def test_can_not_unstar_file_when_path_is_wrong(self):
+        self.login_as(self.user)
+
+        # first star a file
+        data = {'repo_id': self.repo_id, 'path': self.file}
+        resp = self.client.post(self.url, data)
+        self.assertEqual(200, resp.status_code)
+
+        # confirm file is starred
+        assert is_file_starred(self.user_name, self.repo_id, self.file) is True
+
+        # can not unstar a file when path is wrong
+        resp = self.client.delete(self.url + '?repo_id=%s&path=%s' % (self.repo_id, self.file[:2] + randstring(5) + self.file[2:]))
+        self.assertEqual(404, resp.status_code)
+
+        # confirm file is starred
+        assert is_file_starred(self.user_name, self.repo_id, self.file) is True
+
    def test_can_unstar_folder(self):
        self.login_as(self.user)

@ -102,3 +120,21 @@ class StarredItemsTest(BaseTestCase):

        # confirm folder is unstarred
        assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is False
+
+    def test_can_not_unstar_folder_when_path_is_wrong(self):
+        self.login_as(self.user)
+
+        # first star a folder
+        data = {'repo_id': self.repo_id, 'path': self.folder_path}
+        resp = self.client.post(self.url, data)
+        self.assertEqual(200, resp.status_code)
+
+        # confirm folder is starred
+        assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is True
+
+        # can not unstar a folder when path is wrong
+        resp = self.client.delete(self.url + '?repo_id=%s&path=%s' % (self.repo_id, self.folder_path[:2] + randstring(5) + self.folder_path[2:]))
+        self.assertEqual(404, resp.status_code)
+
+        # confirm folder is starred
+        assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is True