fix bug of user notification (#3230)

* fix bug of user notification add checks, add test cases for notifications
2025-08-01 15:23:05 +00:00 · 2019-04-12 10:36:22 +08:00 · 2019-04-12 10:36:22 +08:00 · e23fd72fc7
commit e23fd72fc7
parent 5d2a2b238c
2 changed files with 45 additions and 2 deletions
--- a/seahub/api2/endpoints/notifications.py
+++ b/seahub/api2/endpoints/notifications.py
@ -5,6 +5,7 @@ from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from rest_framework import status

 from django.core.cache import cache

@ -123,17 +124,32 @@ class NotificationView(APIView):

        notice_id = request.data.get('notice_id')

+        # argument check
+        try:
+            int(notice_id)
+        except Exception as e:
+            error_msg = 'notice_id invalid.'
+            logger.error(e)
+            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
+        # resource check
        try:
            notice = UserNotification.objects.get(id=notice_id)
        except UserNotification.DoesNotExist as e:
            logger.error(e)
-            pass
+            error_msg = 'Notification %s not found.' % notice_id
+            return api_error(status.HTTP_404_NOT_FOUND, error_msg)
+
+        # permission check
+        username = request.user.username
+        if notice.to_user != username:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

        if not notice.seen:
            notice.seen = True
            notice.save()

-        username = request.user.username
        cache_key = get_cache_key_of_unseen_notifications(username)
        cache.delete(cache_key)

--- a/tests/api/endpoints/test_notifications.py
+++ b/tests/api/endpoints/test_notifications.py
@ -1,6 +1,7 @@
 import json
 from seahub.test_utils import BaseTestCase
 from seahub.notifications.models import UserNotification
+from seahub.base.accounts import UserManager

 class NotificationsTest(BaseTestCase):
    def setUp(self):
@ -58,3 +59,29 @@ class NotificationTest(BaseTestCase):
        self.assertEqual(200, resp.status_code)

        assert UserNotification.objects.count_unseen_user_notifications(self.username) == 0
+
+    def test_argument_check_notice_id_invalid(self):
+        self.login_as(self.user)
+        data = 'notice_id=%s' % 'a'
+
+        resp = self.client.put(self.endpoint, data, 'application/x-www-form-urlencoded')
+        self.assertEqual(400, resp.status_code)
+
+    def test_resource_check_notification_not_found(self):
+        self.login_as(self.user)
+        notice1 = UserNotification.objects.add_user_message(self.username, 'test1')
+        notice2 = UserNotification.objects.add_user_message(self.username, 'test2')
+        data = 'notice_id=%s' % str(notice2.id + 1)
+
+        resp = self.client.put(self.endpoint, data, 'application/x-www-form-urlencoded')
+        self.assertEqual(404, resp.status_code)
+
+    def test_permission_check_permission_denied(self):
+        self.login_as(self.user)
+        new_user = UserManager().create_user(email='new@new.com', password='root')
+        notice_to_new_user = UserNotification.objects.add_user_message(new_user.name, 'test for new user')
+        data = 'notice_id=%s' % notice_to_new_user.id
+
+        resp = self.client.put(self.endpoint, data, 'application/x-www-form-urlencoded')
+        self.assertEqual(403, resp.status_code)
+