fix bug of user notification (#3230)

* fix bug of user notification

add checks, add test cases for notifications

seahub/api2/endpoints/notifications.py

@@ -5,6 +5,7 @@ from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from rest_framework import status
 
 from django.core.cache import cache
 
@@ -123,17 +124,32 @@ class NotificationView(APIView):
 
         notice_id = request.data.get('notice_id')
 
+        # argument check
+        try:
+            int(notice_id)
+        except Exception as e:
+            error_msg = 'notice_id invalid.'
+            logger.error(e)
+            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
+        # resource check
         try:
             notice = UserNotification.objects.get(id=notice_id)
         except UserNotification.DoesNotExist as e:
             logger.error(e)
-            pass
+            error_msg = 'Notification %s not found.' % notice_id
+            return api_error(status.HTTP_404_NOT_FOUND, error_msg)
+
+        # permission check
+        username = request.user.username
+        if notice.to_user != username:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
         if not notice.seen:
             notice.seen = True
             notice.save()
 
-        username = request.user.username
         cache_key = get_cache_key_of_unseen_notifications(username)
         cache.delete(cache_key)