From 88b24c609c4135d4ea45b156a906b9c76ba85edf Mon Sep 17 00:00:00 2001
From: sniper-py <38058090+sniper-py@users.noreply.github.com>
Date: Tue, 14 May 2019 10:44:38 +0800
Subject: [PATCH] update permission check wehn unstar item
---
 seahub/api2/endpoints/starred_items.py | 17 +++++++---
 tests/api/endpoints/test_starred_items.py | 38 ++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/seahub/api2/endpoints/starred_items.py b/seahub/api2/endpoints/starred_items.py
index 773b0f6e77..49d2e78ab4 100644
--- a/seahub/api2/endpoints/starred_items.py
+++ b/seahub/api2/endpoints/starred_items.py
@@ -195,13 +195,20 @@ class StarredItems(APIView):
 error_msg = 'path invalid.'
 return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
- # permission check
- if not check_folder_permission(request, repo_id, '/'):
- error_msg = 'Permission denied.'
- return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+ # handler path if item exist
+ if seafile_api.get_dir_id_by_path(repo_id, path):
+ path = normalize_dir_path(path)
+ elif seafile_api.get_file_id_by_path(repo_id, path):
+ path = normalize_file_path(path)
+
+ email = request.user.username
+
+ # database record check
+ if not UserStarredFiles.objects.get_starred_item(email, repo_id, path):
+ error_msg = 'Item %s not found.' % path
+ return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 # unstar a item
- email = request.user.username
 try:
 UserStarredFiles.objects.delete_starred_item(email, repo_id, path)
 except Exception as e:
diff --git a/tests/api/endpoints/test_starred_items.py b/tests/api/endpoints/test_starred_items.py
index 9748739350..e7ac0842f4 100644
--- a/tests/api/endpoints/test_starred_items.py
+++ b/tests/api/endpoints/test_starred_items.py
@@ -1,5 +1,5 @@
 import json
-
+from tests.common.utils import randstring
 from django.core.urlresolvers import reverse
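Review bot: In the `@@ -195` hunk of `starred_items.py`, removing `check_folder_permission` leaves per-user scoping as the only access control on this DELETE, and nothing in the new code says so: the handler is safe only because `get_starred_item` and `delete_starred_item` are both keyed on `request.user.username`. A comment above the record check would make that intent explicit, e.g. `# no repo permission check on purpose: lookup and delete are scoped to request.user, so a user can only remove their own star`. The two `seafile_api` lookups now run against a `repo_id` the caller may no longer be allowed to read, and they sit outside the `try`/`except` that guards the delete, so a library error there would presumably surface as an unhandled exception rather than an `api_error`. When neither lookup matches (for example the item was deleted from the library), `path` is used un-normalized, so a stale star may only be removable if the client sends the path exactly as stored; that is worth confirming. The method body starts and ends outside the hunk.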
@@ -85,6 +85,24 @@ class StarredItemsTest(BaseTestCase):
 # confirm file is unstarred
 assert is_file_starred(self.user_name, self.repo_id, self.file) is False
+ def test_can_not_unstar_file_when_path_is_wrong(self):
+ self.login_as(self.user)
+
+ # first star a file
+ data = {'repo_id': self.repo_id, 'path': self.file}
+ resp = self.client.post(self.url, data)
+ self.assertEqual(200, resp.status_code)
+
+ # confirm file is starred
+ assert is_file_starred(self.user_name, self.repo_id, self.file) is True
+
+ # can not unstar a file when path is wrong
+ resp = self.client.delete(self.url + '?repo_id=%s&path=%s' % (self.repo_id, self.file[:2] + randstring(5) + self.file[2:]))
+ self.assertEqual(404, resp.status_code)
+
+ # confirm file is starred
+ assert is_file_starred(self.user_name, self.repo_id, self.file) is True
+
 def test_can_unstar_folder(self):
 self.login_as(self.user)
@@ -102,3 +120,21 @@ class StarredItemsTest(BaseTestCase):
 # confirm folder is unstarred
 assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is False
+
+ def test_can_not_unstar_folder_when_path_is_wrong(self):
+ self.login_as(self.user)
+
+ # first star a folder
+ data = {'repo_id': self.repo_id, 'path': self.folder_path}
+ resp = self.client.post(self.url, data)
+ self.assertEqual(200, resp.status_code)
+
+ # confirm folder is starred
+ assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is True
+
+ # can not unstar a folder when path is wrong
+ resp = self.client.delete(self.url + '?repo_id=%s&path=%s' % (self.repo_id, self.folder_path[:2] + randstring(5) + self.folder_path[2:]))
+ self.assertEqual(404, resp.status_code)
+
+ # confirm folder is starred
+ assert is_file_starred(self.user_name, self.repo_id, self.folder_path) is True
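Review bot: Both new tests (`test_can_not_unstar_file_when_path_is_wrong` in this hunk and `test_can_not_unstar_folder_when_path_is_wrong` in the `@@ -102` hunk) only send a wrong path as the owner, so the behaviour this commit actually changes, unstar no longer being gated by a repo permission check, has no regression test. A case in which a different logged-in account sends the DELETE for the first user's starred path, receives 404, and `is_file_starred(self.user_name, self.repo_id, self.file)` is still `True` afterwards would pin the per-user scoping that now stands in for the permission check. The DELETE query string is also assembled with `%` formatting and no URL-encoding of the path, so the request depends on which characters the path and `randstring(5)` happen to contain; quoting the value before interpolation would remove that dependency.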