redmine_plugins/redmine_dmsf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

The project access check when listing a folder

Browse Source
This commit is contained in:
Karel Pičman 2019-04-30 13:37:14 +02:00
parent 7d1a7c25b6
commit 036278dede
3 changed files with 33 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
app/controllers/dmsf_controller.rb
View File

@ -546,7 +546,7 @@ class DmsfController < ApplicationController
end end
def find_folder def find_folder
@folder = DmsfFolder.find params[:folder_id] if params[:folder_id].present? @folder = DmsfFolder.find_by!(id: params[:folder_id], project_id: @project.id) if params[:folder_id].present?
rescue DmsfAccessError rescue DmsfAccessError
render_403 render_403
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
@ -554,13 +554,10 @@ class DmsfController < ApplicationController
end end
def find_folder_by_title def find_folder_by_title
# find by title has to be scoped to project if !@folder && params[:folder_title].present?
project = Project.find(params[:id]) @folder = DmsfFolder.find_by(title: params[:folder_title], project_id: @project.id)
@folder = DmsfFolder.find_by(title: params[:folder_title], project_id: project.id) if params[:folder_title].present? render_404 unless @folder
rescue DmsfAccessError end
render_403
rescue ActiveRecord::RecordNotFound
render_404
end end
def find_parent def find_parent

20
test/functional/dmsf_controller_test.rb
View File

@ -32,6 +32,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
@project.enable_module! :dmsf @project.enable_module! :dmsf
@folder1 = DmsfFolder.find 1 @folder1 = DmsfFolder.find 1
@folder2 = DmsfFolder.find 2 @folder2 = DmsfFolder.find 2
@folder3 = DmsfFolder.find 3
@folder4 = DmsfFolder.find 4 @folder4 = DmsfFolder.find 4
@folder7 = DmsfFolder.find 7 @folder7 = DmsfFolder.find 7
@file1 = DmsfFile.find 1 @file1 = DmsfFile.find 1
@ -63,6 +64,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
assert_kind_of Project, @project assert_kind_of Project, @project
assert_kind_of DmsfFolder, @folder1 assert_kind_of DmsfFolder, @folder1
assert_kind_of DmsfFolder, @folder2 assert_kind_of DmsfFolder, @folder2
assert_kind_of DmsfFolder, @folder3
assert_kind_of DmsfFolder, @folder4 assert_kind_of DmsfFolder, @folder4
assert_kind_of DmsfFolder, @folder7 assert_kind_of DmsfFolder, @folder7
assert_kind_of DmsfFile, @file1 assert_kind_of DmsfFile, @file1
@ -129,7 +131,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
def test_delete_ok def test_delete_ok
# Empty and not locked folder # Empty and not locked folder
@role.add_permission! :folder_manipulation @role.add_permission! :folder_manipulation
get :delete, :params => {:id => @project, :folder_id => @folder4.id, :commit => false} get :delete, :params => {:id => @project, :folder_id => @folder1.id, :commit => false}
assert_response :redirect assert_response :redirect
end end
@ -145,9 +147,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
# Permissions OK # Permissions OK
@request.env['HTTP_REFERER'] = trash_dmsf_path(:id => @project.id) @request.env['HTTP_REFERER'] = trash_dmsf_path(:id => @project.id)
@role.add_permission! :folder_manipulation @role.add_permission! :folder_manipulation
@folder4.deleted = 1 @folder1.deleted = 1
@folder4.save @folder1.save
get :restore, :params => {:id => @project, :folder_id => @folder4.id} get :restore, :params => {:id => @project, :folder_id => @folder1.id}
assert_response :redirect assert_response :redirect
end end
@ -225,6 +227,14 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
assert_equal 'text/csv', @response.content_type assert_equal 'text/csv', @response.content_type
end end
def test_show_folder_doesnt_correspond_the_project
@role.add_permission! :view_dmsf_files
@role.add_permission! :view_dmsf_folders
# project1 X project2.folder3
get :show, :params => {:id => @project.id, :folder_id => @folder3.id}
assert_response :not_found
end
def test_new_forbidden def test_new_forbidden
@role.remove_permission! :folder_manipulation @role.remove_permission! :folder_manipulation
get :new, :params => {:id => @project, :parent_id => nil} get :new, :params => {:id => @project, :parent_id => nil}
@ -272,7 +282,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
:folders => [], :files => [@file1.id], :zipped_content => zip_file_path :folders => [], :files => [@file1.id], :zipped_content => zip_file_path
} }
} }
assert_redirected_to dmsf_folder_path(:id => @project) assert_redirected_to dmsf_folder_path(id: @project)
assert !File.exist?(zip_file_path) assert !File.exist?(zip_file_path)
ensure ensure
FileUtils.rm_rf(zip_file_path) FileUtils.rm_rf(zip_file_path)

25
test/integration/rest_api/dmsf_folder_api_test.rb
View File

@ -65,7 +65,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} http://localhost:3000/dmsf/files/17216.xml #curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} http://localhost:3000/dmsf/files/17216.xml
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}"
assert_response :success assert_response :success
assert_equal 'application/xml', @response.content_type assert_equal 'application/xml', @response.content_type
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
@ -115,7 +115,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} "http://localhost:3000/dmsf/files/17216.xml?limit=1&offset=1" #curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} "http://localhost:3000/dmsf/files/17216.xml?limit=1&offset=1"
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&limit=1&offset=2" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&limit=1&offset=2"
assert_response :success assert_response :success
assert_equal 'application/xml', @response.content_type assert_equal 'application/xml', @response.content_type
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
@ -151,7 +151,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
<description>A folder created via REST API</description> <description>A folder created via REST API</description>
<dmsf_folder_id/> <dmsf_folder_id/>
</dmsf_folder>} </dmsf_folder>}
post "/projects/#{@project1.id}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'} post "/projects/#{@project1.identifier}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success assert_response :success
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
# <dmsf_folder> # <dmsf_folder>
@ -165,7 +165,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title # curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}"
assert_response :success assert_response :success
assert_equal 'application/xml', @response.content_type assert_equal 'application/xml', @response.content_type
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
@ -193,7 +193,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title # curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=xxx" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=xxx"
assert_response :not_found assert_response :not_found
end end
@ -201,7 +201,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3 # curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}"
assert_response :success assert_response :success
assert_equal 'application/xml', @response.content_type assert_equal 'application/xml', @response.content_type
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
@ -229,7 +229,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders @role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3 # curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=99999999999" get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=none"
assert_response :not_found assert_response :not_found
end end
@ -242,7 +242,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
<title>rest_api</title> <title>rest_api</title>
<description>A folder updated via REST API</description> <description>A folder updated via REST API</description>
</dmsf_folder>} </dmsf_folder>}
post "/projects/#{@project1.id}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'} post "/projects/#{@project1.identifier}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success assert_response :success
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>
# <dmsf_folder> # <dmsf_folder>
@ -257,7 +257,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :folder_manipulation @role.add_permission! :folder_manipulation
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3 # curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}", delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'} :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success assert_response :success
@folder1.reload @folder1.reload
@ -268,16 +268,17 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
def test_delete_folder_no_permission def test_delete_folder_no_permission
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3 # curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}", delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'} :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :forbidden assert_response :forbidden
end end
def test_delete_folder_commit_yes def test_delete_folder_commit_yes
@role.add_permission! :folder_manipulation @role.add_permission! :folder_manipulation
assert !@folder1.locked?
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3 # curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes", delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes",
:headers => {'CONTENT_TYPE' => 'application/xml'} :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success assert_response :success
assert_nil DmsfFolder.find_by(id: @folder1.id) assert_nil DmsfFolder.find_by(id: @folder1.id)
@ -290,7 +291,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
User.current = @jsmith User.current = @jsmith
token = Token.create!(:user => @jsmith, :action => 'api') token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3 # curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}", delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'} :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response 422 assert_response 422
# <?xml version="1.0" encoding="UTF-8"?> # <?xml version="1.0" encoding="UTF-8"?>