diff --git a/seahub/api2/endpoints/share_links.py b/seahub/api2/endpoints/share_links.py
index 3ff6628e25..969b966939 100644
--- a/seahub/api2/endpoints/share_links.py
+++ b/seahub/api2/endpoints/share_links.py
@@ -226,6 +226,10 @@ class ShareLinks(APIView):
 error_msg = 'Library %s not found.' % repo_id
 return api_error(status.HTTP_404_NOT_FOUND, error_msg)
+ if repo.encrypted:
+ error_msg = 'Permission denied.'
+ return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
 try:
 obj_id, s_type = self._generate_obj_id_and_type_by_path(repo_id, path)
 except SearpcError as e:
diff --git a/seahub/test_utils.py b/seahub/test_utils.py
index 4722575188..577fe29e9e 100644
--- a/seahub/test_utils.py
+++ b/seahub/test_utils.py
@@ -61,6 +61,18 @@ class Fixtures(Exam):
 passwd=None))
 return r
+ @fixture
+ def enc_repo(self):
+ r = seafile_api.get_repo(self.create_repo(name='test-enc-repo', desc='',
+ username=self.user.username,
+ passwd='123'))
+
+ self.create_file(repo_id=r.id, parent_dir='/',
+ filename='test.txt', username='test@test.com')
+
+ assert r is not None
+ return r
+
 @fixture
 def file(self):
 return self.create_file(repo_id=self.repo.id,
@@ -328,6 +340,7 @@ class Fixtures(Exam):
 class BaseTestCase(TestCase, Fixtures):
 def tearDown(self):
 self.remove_repo(self.repo.id)
+ self.remove_repo(self.enc_repo.id)
 def login_as(self, user, password=None):
 if isinstance(user, basestring):
diff --git a/seahub/views/repo.py b/seahub/views/repo.py
index fcea269692..ae07745866 100644
--- a/seahub/views/repo.py
+++ b/seahub/views/repo.py
@@ -195,6 +195,9 @@ def view_shared_dir(request, fileshare):
 if not repo:
 raise Http404
+ if repo.encrypted:
+ return render_error(request, _(u'Permission denied'))
+
 # Check path still exist, otherwise show error
 if not seafile_api.get_dir_id_by_path(repo.id, fileshare.path):
 return render_error(request, _('"%s" does not exist.') % fileshare.path)
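Review bot: The new `if repo.encrypted:` guard in ShareLinks has no comment saying why encrypted libraries are refused, so a later refactor could move or drop it without noticing the security intent. I would add a line above it such as `# A share link is served without the library password, so never create one for an encrypted library.` (confirm this is the intended rationale). The guard covers only this endpoint; any other code path that creates share or upload links is outside this diff and should be checked for the same rule. The enclosing method starts and ends outside the hunk.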
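Review bot: In the `enc_repo` fixture the `assert r is not None` comes after `self.create_file(repo_id=r.id, ...)`, so if `get_repo` returned None the fixture would already have failed with an AttributeError on `r.id` and the assertion can never report anything. Move the assertion directly under the `get_repo` call. The file is also created with the literal `username='test@test.com'` while the library is created for `self.user.username`; passing `username=self.user.username` to `create_file` as well keeps the fixture independent of whichever account the test settings define.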
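Review bot: `self.remove_repo(self.enc_repo.id)` in `BaseTestCase.tearDown` reads the `enc_repo` fixture, and if `@fixture` builds its value on first access (its implementation is not visible here), every test that never touched an encrypted library now creates one plus a file during teardown only to delete it. The new call also runs only when `self.remove_repo(self.repo.id)` did not raise, so a failure there would leave the encrypted library behind. Consider removing the encrypted library only in the test classes that use it, or wrapping the first call in `try:` / `finally:` so the second always runs.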
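Review bot: Only the directory view gets the `repo.encrypted` guard in this diff; the views that serve a shared file, a download or an upload link are not shown and should be confirmed to refuse encrypted libraries as well, otherwise a link that already exists for such a library may still resolve there. A short comment above the check, e.g. `# Links that already exist for an encrypted library must not be served either.`, would record why a view-time check is needed in addition to the creation-time one in the API. The body of `view_shared_dir` continues outside the hunk.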
diff --git a/tests/api/endpoints/test_share_links.py b/tests/api/endpoints/test_share_links.py
index a5e616e30c..acf69e46cf 100644
--- a/tests/api/endpoints/test_share_links.py
+++ b/tests/api/endpoints/test_share_links.py
@@ -1,8 +1,10 @@
 # -*- coding: utf-8 -*-
 import json
-from mock import patch
+from mock import patch
+from seaserv import seafile_api
 from django.core.urlresolvers import reverse
+
 from seahub.test_utils import BaseTestCase
 from seahub.share.models import FileShare
 from seahub.api2.permissions import CanGenerateShareLink
@@ -103,6 +105,18 @@ class ShareLinksTest(BaseTestCase):
 self._remove_share_link(json_resp['token'])
+ def test_create_file_share_link_in_enc_repo(self):
+ self.login_as(self.user)
+
+ resp = self.client.post(self.url, {'path': '/', 'repo_id': self.enc_repo.id})
+ self.assertEqual(403, resp.status_code)
+
+ def test_create_file_share_link_in_other_repo(self):
+ self.login_as(self.admin)
+
+ resp = self.client.post(self.url, {'path': self.file_path, 'repo_id': self.repo_id})
+ self.assertEqual(403, resp.status_code)
+
 def test_create_file_share_link_with_permissions(self):
 self.login_as(self.user)
diff --git a/tests/seahub/views/ajax/test_get_dirents.py b/tests/seahub/views/ajax/test_get_dirents.py
index 5fafd0d5fd..f2ffe83d12 100644
--- a/tests/seahub/views/ajax/test_get_dirents.py
+++ b/tests/seahub/views/ajax/test_get_dirents.py
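Review bot: `from seaserv import seafile_api` is added here, but neither of the tests added further down in this file uses it. The same import is added to tests/seahub/views/ajax/test_get_dirents.py, where the hunk spans the whole file and shows no use of `seafile_api`. Drop both imports unless code outside the visible hunks needs them. The `from mock import patch` line is removed and re-added with identical visible text, which looks like a whitespace-only change that could be left out of this commit.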
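Review bot: `test_create_file_share_link_in_enc_repo` posts `'path': '/'`, the library root, so despite its name it never asks for a link to a file; the `enc_repo` fixture creates `test.txt`, but no test requests it. Add a second request, `resp = self.client.post(self.url, {'path': '/test.txt', 'repo_id': self.enc_repo.id})`, with the same 403 assertion so that both file and directory links are covered. In the share_links.py hunk the guard sits before the path is resolved, so this should pass today and would catch a later reordering.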
@@ -1,17 +1,31 @@
 import json
+from seaserv import seafile_api
 from django.core.urlresolvers import reverse
 from seahub.test_utils import BaseTestCase
 class GetDirentsTest(BaseTestCase):
 def setUp(self):
- self.login_as(self.user)
- file = self.file
+ a = self.file # create a file
 self.url = reverse('get_dirents', args=[self.repo.id]) + "?path=/"
 def test_can_get(self):
+ self.login_as(self.user)
 resp = self.client.get(self.url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+ self.assertEqual(200, resp.status_code)
 json_resp = json.loads(resp.content)
 assert len(json_resp) == 1
+
+ def test_cannot_get_others(self):
+ self.login_as(self.admin)
+ resp = self.client.get(self.url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+ self.assertEqual(403, resp.status_code)
+
+ def test_get_entries_in_enc_repo(self):
+ self.login_as(self.user)
+
+ url = reverse('get_dirents', args=[self.enc_repo.id]) + "?path=/"
+ resp = self.client.get(url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+ self.assertEqual(200, resp.status_code)
diff --git a/tests/seahub/views/repo/test_shared_dir.py b/tests/seahub/views/repo/test_view_shared_dir.py
similarity index 92%
rename from tests/seahub/views/repo/test_shared_dir.py
rename to tests/seahub/views/repo/test_view_shared_dir.py
index 6f978b4568..bcfa2c2bb7 100644
--- a/tests/seahub/views/repo/test_shared_dir.py
+++ b/tests/seahub/views/repo/test_view_shared_dir.py
@@ -28,6 +28,21 @@ class SharedDirTest(TestCase, Fixtures):
 self.assertContains(resp, '
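Review bot: `test_get_entries_in_enc_repo` asserts only `200` for a listing of the encrypted library and never looks at the body, so it does not say whether the owner is expected to see the entries without supplying the library password or merely not to get an error. State the intent in a comment or docstring, since this test pins access behaviour for encrypted libraries. If a listing is expected, assert the body the way `test_can_get` does, e.g. `assert len(json.loads(resp.content)) == 1` given the fixture's single `test.txt`. In `setUp`, `a = self.file # create a file` binds a name that is never read; `_ = self.file  # create the file fixture` makes the throwaway explicit.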