Fix link share creation & creating admin link shares without admin rights

kolaente 2020-04-27 11:42:41 +02:00
parent 711124f5c0
commit 56dbb564ea
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
3 changed files with 93 additions and 2 deletions


@ -54,6 +54,84 @@ func TestLinkSharing(t *testing.T) {
SharedByID: 1, SharedByID: 1,
} }
t.Run("New Link Share", func(t *testing.T) {
testHandler := webHandlerTest{
user: &testuser1,
strFunc: func() handler.CObject {
return &models.LinkSharing{}
},
t: t,
}
t.Run("Forbidden", func(t *testing.T) {
t.Run("read only", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":0}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
t.Run("write", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":1}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
t.Run("admin", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"right":2}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
})
t.Run("Read only access", func(t *testing.T) {
t.Run("read only", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":0}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
t.Run("write", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":1}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
t.Run("admin", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"right":2}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
})
t.Run("Write access", func(t *testing.T) {
t.Run("read only", func(t *testing.T) {
req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":0}`)
assert.NoError(t, err)
assert.Contains(t, req.Body.String(), `"hash":`)
})
t.Run("write", func(t *testing.T) {
req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":1}`)
assert.NoError(t, err)
assert.Contains(t, req.Body.String(), `"hash":`)
})
t.Run("admin", func(t *testing.T) {
_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"right":2}`)
assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
})
})
t.Run("Admin access", func(t *testing.T) {
t.Run("read only", func(t *testing.T) {
req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":0}`)
assert.NoError(t, err)
assert.Contains(t, req.Body.String(), `"hash":`)
})
t.Run("write", func(t *testing.T) {
req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":1}`)
assert.NoError(t, err)
assert.Contains(t, req.Body.String(), `"hash":`)
})
t.Run("admin", func(t *testing.T) {
req, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"right":2}`)
assert.NoError(t, err)
assert.Contains(t, req.Body.String(), `"hash":`)
})
})
})
t.Run("Lists", func(t *testing.T) { t.Run("Lists", func(t *testing.T) {
testHandlerListReadOnly := webHandlerTest{ testHandlerListReadOnly := webHandlerTest{
linkShare: linkshareRead, linkShare: linkshareRead,
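Review bot: None of the new "New Link Share" subtests sends a `right` outside 0, 1 and 2, so the `share.Right.isValid()` check this commit adds to `Create` is never exercised. A subtest against list 11 with an out-of-range value (constructed example: `{"right":3}`, assuming that is not a defined right) that asserts an error would pin the behaviour. Separately, `err.(*echo.HTTPError).Message` is an unchecked type assertion that follows `assert.Error`, which does not stop the subtest. If the handler returns nil or another error type, the subtest panics instead of failing cleanly; `require.Error(t, err)` or a checked assertion would avoid that.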


@ -99,10 +99,16 @@ func GetLinkShareFromClaims(claims jwt.MapClaims) (share *LinkSharing, err error
// @Failure 500 {object} models.Message "Internal error" // @Failure 500 {object} models.Message "Internal error"
// @Router /lists/{list}/shares [put] // @Router /lists/{list}/shares [put]
func (share *LinkSharing) Create(a web.Auth) (err error) { func (share *LinkSharing) Create(a web.Auth) (err error) {
err = share.Right.isValid()
if err != nil {
return
}
share.SharedByID = a.GetID() share.SharedByID = a.GetID()
share.Hash = utils.MakeRandomString(40) share.Hash = utils.MakeRandomString(40)
_, err = x.Insert(share) _, err = x.Insert(share)
share.SharedBy, _ = a.(*user.User) share.SharedBy, _ = user.GetFromAuth(a)
return return
} }
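Review bot: The new `share.SharedBy, _ = user.GetFromAuth(a)` discards the lookup error, and it runs even when `x.Insert(share)` has just failed. If the auth object cannot be resolved to a user, `Create` can return nil with `SharedBy` left unset, so the response does not say who issued the share. I would return early on the insert error and propagate the lookup error: `if _, err = x.Insert(share); err != nil { return }` followed by `share.SharedBy, err = user.GetFromAuth(a)`. It would also help to document on `Create` that the right is validated here, while the permission to grant it is decided in `canDoLinkShare`.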


@ -53,9 +53,16 @@ func (share *LinkSharing) canDoLinkShare(a web.Auth) (bool, error) {
return false, nil return false, nil
} }
l, err := GetListSimplByTaskID(share.ListID) l := &List{ID: share.ListID}
err := l.GetSimpleByID()
if err != nil { if err != nil {
return false, err return false, err
} }
// Check if the user is admin when the link right is admin
if share.Right == RightAdmin {
return l.IsAdmin(a)
}
return l.CanWrite(a) return l.CanWrite(a)
} }
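Review bot: The added branch requires admin rights only when `share.Right == RightAdmin`, so every other value, including one outside the defined rights, falls through to `l.CanWrite(a)`. The only range check visible on this page is in `Create`, so any other caller of `canDoLinkShare` would treat an unknown right as a write-level share. Failing closed here keeps the decision in one place, for example `if err := share.Right.isValid(); err != nil { return false, err }` placed before the admin check. The function starts above this hunk, so I cannot tell whether an earlier guard already covers this; please confirm.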