#1179 request uri encoding

2020-10-19 15:47:29 +02:00 · 2020-10-19 15:47:29 +02:00 · 3dd8285841
commit 3dd8285841
parent 0dbb00e8c9
2 changed files with 9 additions and 1 deletions
--- a/lib/redmine_dmsf/webdav/dmsf_resource.rb
+++ b/lib/redmine_dmsf/webdav/dmsf_resource.rb
@ -175,7 +175,8 @@ module RedmineDmsf
          end
        elsif folder
          # To fullfil Litmus requirements to not delete folder if fragments are in the URL
-          uri = URI(request.get_header('REQUEST_URI'))
+          uri = URI(uri_encode(request.get_header('REQUEST_URI')))
+          puts uri.fragment
          raise BadRequest if uri.fragment.present?
          raise Forbidden unless User.current.admin? || User.current.allowed_to?(:folder_manipulation, project)
          raise Forbidden unless DmsfFolder.permissions?(folder, false)
--- a/test/integration/webdav/dmsf_webdav_delete_test.rb
+++ b/test/integration/webdav/dmsf_webdav_delete_test.rb
@ -202,6 +202,13 @@ class DmsfWebdavDeleteTest < RedmineDmsf::Test::IntegrationTest
    assert_response :success
  end

+  def test_delete_folder_in_subproject_brackets
+    project3_uri = Addressable::URI.encode(RedmineDmsf::Webdav::ProjectResource.create_project_name(@project3))
+    project1_uri = Addressable::URI.encode(RedmineDmsf::Webdav::ProjectResource.create_project_name(@project1))
+    delete "/dmsf/webdav/#{project1_uri}/#{project3_uri}/#{@folder10.title}", params: nil, headers: @admin
+    assert_response :success
+  end
+
  def test_delete_subproject
    delete "/dmsf/webdav/#{@project1.identifier}/#{@project3.identifier}", params: nil, headers: @admin
    assert_response :method_not_allowed