The project access check when listing a folder
This commit is contained in:
Karel Pičman
parent
7d1a7c25b6
commit
036278dede
@ -546,7 +546,7 @@ class DmsfController < ApplicationController
|
||||
end
|
||||
|
||||
def find_folder
|
||||
@folder = DmsfFolder.find params[:folder_id] if params[:folder_id].present?
|
||||
@folder = DmsfFolder.find_by!(id: params[:folder_id], project_id: @project.id) if params[:folder_id].present?
|
||||
rescue DmsfAccessError
|
||||
render_403
|
||||
rescue ActiveRecord::RecordNotFound
|
||||
@ -554,13 +554,10 @@ class DmsfController < ApplicationController
|
||||
end
|
||||
|
||||
def find_folder_by_title
|
||||
# find by title has to be scoped to project
|
||||
project = Project.find(params[:id])
|
||||
@folder = DmsfFolder.find_by(title: params[:folder_title], project_id: project.id) if params[:folder_title].present?
|
||||
rescue DmsfAccessError
|
||||
render_403
|
||||
rescue ActiveRecord::RecordNotFound
|
||||
render_404
|
||||
if !@folder && params[:folder_title].present?
|
||||
@folder = DmsfFolder.find_by(title: params[:folder_title], project_id: @project.id)
|
||||
render_404 unless @folder
|
||||
end
|
||||
end
|
||||
|
||||
def find_parent
|
||||
|
||||
@ -32,6 +32,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
@project.enable_module! :dmsf
|
||||
@folder1 = DmsfFolder.find 1
|
||||
@folder2 = DmsfFolder.find 2
|
||||
@folder3 = DmsfFolder.find 3
|
||||
@folder4 = DmsfFolder.find 4
|
||||
@folder7 = DmsfFolder.find 7
|
||||
@file1 = DmsfFile.find 1
|
||||
@ -63,6 +64,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
assert_kind_of Project, @project
|
||||
assert_kind_of DmsfFolder, @folder1
|
||||
assert_kind_of DmsfFolder, @folder2
|
||||
assert_kind_of DmsfFolder, @folder3
|
||||
assert_kind_of DmsfFolder, @folder4
|
||||
assert_kind_of DmsfFolder, @folder7
|
||||
assert_kind_of DmsfFile, @file1
|
||||
@ -129,7 +131,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
def test_delete_ok
|
||||
# Empty and not locked folder
|
||||
@role.add_permission! :folder_manipulation
|
||||
get :delete, :params => {:id => @project, :folder_id => @folder4.id, :commit => false}
|
||||
get :delete, :params => {:id => @project, :folder_id => @folder1.id, :commit => false}
|
||||
assert_response :redirect
|
||||
end
|
||||
|
||||
@ -145,9 +147,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
# Permissions OK
|
||||
@request.env['HTTP_REFERER'] = trash_dmsf_path(:id => @project.id)
|
||||
@role.add_permission! :folder_manipulation
|
||||
@folder4.deleted = 1
|
||||
@folder4.save
|
||||
get :restore, :params => {:id => @project, :folder_id => @folder4.id}
|
||||
@folder1.deleted = 1
|
||||
@folder1.save
|
||||
get :restore, :params => {:id => @project, :folder_id => @folder1.id}
|
||||
assert_response :redirect
|
||||
end
|
||||
|
||||
@ -225,6 +227,14 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
assert_equal 'text/csv', @response.content_type
|
||||
end
|
||||
|
||||
def test_show_folder_doesnt_correspond_the_project
|
||||
@role.add_permission! :view_dmsf_files
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
# project1 X project2.folder3
|
||||
get :show, :params => {:id => @project.id, :folder_id => @folder3.id}
|
||||
assert_response :not_found
|
||||
end
|
||||
|
||||
def test_new_forbidden
|
||||
@role.remove_permission! :folder_manipulation
|
||||
get :new, :params => {:id => @project, :parent_id => nil}
|
||||
@ -272,7 +282,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
|
||||
:folders => [], :files => [@file1.id], :zipped_content => zip_file_path
|
||||
}
|
||||
}
|
||||
assert_redirected_to dmsf_folder_path(:id => @project)
|
||||
assert_redirected_to dmsf_folder_path(id: @project)
|
||||
assert !File.exist?(zip_file_path)
|
||||
ensure
|
||||
FileUtils.rm_rf(zip_file_path)
|
||||
|
||||
@ -65,7 +65,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} http://localhost:3000/dmsf/files/17216.xml
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}"
|
||||
assert_response :success
|
||||
assert_equal 'application/xml', @response.content_type
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
@ -115,7 +115,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} "http://localhost:3000/dmsf/files/17216.xml?limit=1&offset=1"
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&limit=1&offset=2"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&limit=1&offset=2"
|
||||
assert_response :success
|
||||
assert_equal 'application/xml', @response.content_type
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
@ -151,7 +151,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
<description>A folder created via REST API</description>
|
||||
<dmsf_folder_id/>
|
||||
</dmsf_folder>}
|
||||
post "/projects/#{@project1.id}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
post "/projects/#{@project1.identifier}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response :success
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
# <dmsf_folder>
|
||||
@ -165,7 +165,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}"
|
||||
assert_response :success
|
||||
assert_equal 'application/xml', @response.content_type
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
@ -193,7 +193,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=xxx"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=xxx"
|
||||
assert_response :not_found
|
||||
end
|
||||
|
||||
@ -201,7 +201,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}"
|
||||
assert_response :success
|
||||
assert_equal 'application/xml', @response.content_type
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
@ -229,7 +229,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :view_dmsf_folders
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
|
||||
get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=99999999999"
|
||||
get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=none"
|
||||
assert_response :not_found
|
||||
end
|
||||
|
||||
@ -242,7 +242,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
<title>rest_api</title>
|
||||
<description>A folder updated via REST API</description>
|
||||
</dmsf_folder>}
|
||||
post "/projects/#{@project1.id}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
post "/projects/#{@project1.identifier}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response :success
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
# <dmsf_folder>
|
||||
@ -257,7 +257,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
@role.add_permission! :folder_manipulation
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
|
||||
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
:headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response :success
|
||||
@folder1.reload
|
||||
@ -268,16 +268,17 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
def test_delete_folder_no_permission
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
|
||||
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
:headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response :forbidden
|
||||
end
|
||||
|
||||
def test_delete_folder_commit_yes
|
||||
@role.add_permission! :folder_manipulation
|
||||
assert !@folder1.locked?
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
|
||||
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes",
|
||||
delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes",
|
||||
:headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response :success
|
||||
assert_nil DmsfFolder.find_by(id: @folder1.id)
|
||||
@ -290,7 +291,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
|
||||
User.current = @jsmith
|
||||
token = Token.create!(:user => @jsmith, :action => 'api')
|
||||
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
|
||||
delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
|
||||
:headers => {'CONTENT_TYPE' => 'application/xml'}
|
||||
assert_response 422
|
||||
# <?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user