diff --git a/pkg/integrations/link_sharing_test.go b/pkg/integrations/link_sharing_test.go index d3e9af95..5d5aa285 100644 --- a/pkg/integrations/link_sharing_test.go +++ b/pkg/integrations/link_sharing_test.go @@ -54,6 +54,84 @@ func TestLinkSharing(t *testing.T) { SharedByID: 1, } + t.Run("New Link Share", func(t *testing.T) { + testHandler := webHandlerTest{ + user: &testuser1, + strFunc: func() handler.CObject { + return &models.LinkSharing{} + }, + t: t, + } + t.Run("Forbidden", func(t *testing.T) { + t.Run("read only", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":0}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + t.Run("write", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":1}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + t.Run("admin", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":2}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + }) + t.Run("Read only access", func(t *testing.T) { + t.Run("read only", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":0}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + t.Run("write", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":1}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + t.Run("admin", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":2}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + }) + t.Run("Write access", func(t *testing.T) { + t.Run("read only", func(t *testing.T) { + req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":0}`) + assert.NoError(t, err) + assert.Contains(t, req.Body.String(), `"hash":`) + }) + t.Run("write", func(t *testing.T) { + req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":1}`) + assert.NoError(t, err) + assert.Contains(t, req.Body.String(), `"hash":`) + }) + t.Run("admin", func(t *testing.T) { + _, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":2}`) + assert.Error(t, err) + assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) + }) + }) + t.Run("Admin access", func(t *testing.T) { + t.Run("read only", func(t *testing.T) { + req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":0}`) + assert.NoError(t, err) + assert.Contains(t, req.Body.String(), `"hash":`) + }) + t.Run("write", func(t *testing.T) { + req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":1}`) + assert.NoError(t, err) + assert.Contains(t, req.Body.String(), `"hash":`) + }) + t.Run("admin", func(t *testing.T) { + req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":2}`) + assert.NoError(t, err) + assert.Contains(t, req.Body.String(), `"hash":`) + }) + }) + }) + t.Run("Lists", func(t *testing.T) { testHandlerListReadOnly := webHandlerTest{ linkShare: linkshareRead, diff --git a/pkg/models/link_sharing.go b/pkg/models/link_sharing.go index 0f5da6a0..2631fc1c 100644 --- a/pkg/models/link_sharing.go +++ b/pkg/models/link_sharing.go @@ -99,10 +99,16 @@ func GetLinkShareFromClaims(claims jwt.MapClaims) (share *LinkSharing, err error // @Failure 500 {object} models.Message "Internal error" // @Router /lists/{list}/shares [put] func (share *LinkSharing) Create(a web.Auth) (err error) { + + err = share.Right.isValid() + if err != nil { + return + } + share.SharedByID = a.GetID() share.Hash = utils.MakeRandomString(40) _, err = x.Insert(share) - share.SharedBy, _ = a.(*user.User) + share.SharedBy, _ = user.GetFromAuth(a) return } diff --git a/pkg/models/link_sharing_rights.go b/pkg/models/link_sharing_rights.go index f6990b10..790ef3e0 100644 --- a/pkg/models/link_sharing_rights.go +++ b/pkg/models/link_sharing_rights.go @@ -53,9 +53,16 @@ func (share *LinkSharing) canDoLinkShare(a web.Auth) (bool, error) { return false, nil } - l, err := GetListSimplByTaskID(share.ListID) + l := &List{ID: share.ListID} + err := l.GetSimpleByID() if err != nil { return false, err } + + // Check if the user is admin when the link right is admin + if share.Right == RightAdmin { + return l.IsAdmin(a) + } + return l.CanWrite(a) }