update permission check when set an exist repo as personal/gorup wiki repo

seahub/group/views.py

@@ -54,7 +54,7 @@ from seahub.utils import render_error, render_permission_error, string2list, \
     calc_file_path_hash, is_valid_username, send_html_email, is_org_context
 from seahub.utils.file_types import IMAGE
 from seahub.utils.paginator import Paginator
-from seahub.views import is_registered_user
+from seahub.views import is_registered_user, check_folder_permission
 from seahub.views.modules import get_enabled_mods_by_group, MOD_GROUP_WIKI, \
     enable_mod_for_group, disable_mod_for_group, get_available_mods_by_group, \
     get_wiki_enabled_group_list
@@ -533,6 +533,10 @@ def group_wiki_use_lib(request, group):
         messages.error(request, _('Failed to set wiki library.'))
         return HttpResponseRedirect(next)
 
+    if check_folder_permission(request, repo_id, '/') != 'rw':
+        messages.error(request, _('Permission denied.'))
+        return HttpResponseRedirect(next)
+
     GroupWiki.objects.save_group_wiki(group_id=group.id, repo_id=repo_id)
 
     # create home page if not exist

seahub/views/wiki.py

@@ -37,6 +37,7 @@ from seahub.wiki import get_personal_wiki_page, get_personal_wiki_repo, \
 from seahub.wiki.forms import WikiCreateForm, WikiNewPageForm
 from seahub.wiki.utils import clean_page_name, page_name_to_file_name
 from seahub.utils import render_error
+from seahub.views import check_folder_permission
 
 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -166,6 +167,7 @@ def personal_wiki_create(request):
 def personal_wiki_use_lib(request):
     if request.method != 'POST':
         raise Http404
+
     repo_id = request.POST.get('dst_repo', '')
     username = request.user.username
     next = reverse('personal_wiki', args=[])
@@ -174,6 +176,10 @@ def personal_wiki_use_lib(request):
         messages.error(request, _('Failed to set wiki library.'))
         return HttpResponseRedirect(next)
 
+    if check_folder_permission(request, repo_id, '/') != 'rw':
+        messages.error(request, _('Permission denied.'))
+        return HttpResponseRedirect(next)
+
     PersonalWiki.objects.save_personal_wiki(username=username, repo_id=repo_id)
 
     # create home page if not exist

tests/seahub/views/wiki/test_personal_wiki.py

@@ -21,7 +21,22 @@ class PersonalWikiTest(BaseTestCase):
 
         resp = self.client.get(reverse('personal_wiki'))
         self.assertEqual(302, resp.status_code)
-        self.assertRedirects(resp, reverse('personal_wiki', args=['home']))
+
+    def test_invalid_permisison(self):
+        self.login_as(self.admin)
+
+        data = {'dst_repo': self.repo.id}
+        resp = self.client.post(reverse('personal_wiki_use_lib'), data)
+        assert 'Permission denied.' in str(resp.cookies)
+        self.assertEqual(302, resp.status_code)
+
+    def test_invalid_repo(self):
+        self.login_as(self.user)
+
+        data = {'dst_repo': self.repo.id[:30] + '123456'}
+        resp = self.client.post(reverse('personal_wiki_use_lib'), data)
+        assert 'Failed to set wiki library.' in str(resp.cookies)
+        self.assertEqual(302, resp.status_code)
 
     def test_home_page(self):
         self.login_as(self.user)