mirror of
https://github.com/filebrowser/filebrowser.git
synced 2026-07-18 00:45:47 +00:00
fix: check share owner permissions on public share access (#5888)
This commit is contained in:
parent
65a837de49
commit
7dbf7a3528
2 changed files with 40 additions and 1 deletions
|
|
@ -33,6 +33,10 @@ var withHashFile = func(fn handleFunc) handleFunc {
|
|||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
if !user.Perm.Share || !user.Perm.Download {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
d.user = user
|
||||
|
||||
file, err := files.NewFileInfo(&files.FileOptions{
|
||||
|
|
|
|||
|
|
@ -23,38 +23,66 @@ func TestPublicShareHandlerAuthentication(t *testing.T) {
|
|||
testCases := map[string]struct {
|
||||
share *share.Link
|
||||
req *http.Request
|
||||
sharePerm bool
|
||||
downloadPerm bool
|
||||
expectedStatusCode int
|
||||
}{
|
||||
"Public share, no auth required": {
|
||||
share: &share.Link{Hash: "h", UserID: 1},
|
||||
req: newHTTPRequest(t),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 200,
|
||||
},
|
||||
"Private share, no auth provided, 401": {
|
||||
share: &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
|
||||
req: newHTTPRequest(t),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 401,
|
||||
},
|
||||
"Private share, authentication via token": {
|
||||
share: &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
|
||||
req: newHTTPRequest(t, func(r *http.Request) { r.URL.RawQuery = "token=123" }),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 200,
|
||||
},
|
||||
"Private share, authentication via invalid token, 401": {
|
||||
share: &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
|
||||
req: newHTTPRequest(t, func(r *http.Request) { r.URL.RawQuery = "token=1234" }),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 401,
|
||||
},
|
||||
"Private share, authentication via password": {
|
||||
share: &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
|
||||
req: newHTTPRequest(t, func(r *http.Request) { r.Header.Set("X-SHARE-PASSWORD", "password") }),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 200,
|
||||
},
|
||||
"Private share, authentication via invalid password, 401": {
|
||||
share: &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
|
||||
req: newHTTPRequest(t, func(r *http.Request) { r.Header.Set("X-SHARE-PASSWORD", "wrong-password") }),
|
||||
sharePerm: true,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 401,
|
||||
},
|
||||
"Share owner lost share permission, 403": {
|
||||
share: &share.Link{Hash: "h", UserID: 1},
|
||||
req: newHTTPRequest(t),
|
||||
sharePerm: false,
|
||||
downloadPerm: true,
|
||||
expectedStatusCode: 403,
|
||||
},
|
||||
"Share owner lost download permission, 403": {
|
||||
share: &share.Link{Hash: "h", UserID: 1},
|
||||
req: newHTTPRequest(t),
|
||||
sharePerm: true,
|
||||
downloadPerm: false,
|
||||
expectedStatusCode: 403,
|
||||
},
|
||||
}
|
||||
|
||||
for name, tc := range testCases {
|
||||
|
|
@ -82,7 +110,14 @@ func TestPublicShareHandlerAuthentication(t *testing.T) {
|
|||
if err := storage.Share.Save(tc.share); err != nil {
|
||||
t.Fatalf("failed to save share: %v", err)
|
||||
}
|
||||
if err := storage.Users.Save(&users.User{Username: "username", Password: "pw"}); err != nil {
|
||||
if err := storage.Users.Save(&users.User{
|
||||
Username: "username",
|
||||
Password: "pw",
|
||||
Perm: users.Permissions{
|
||||
Share: tc.sharePerm,
|
||||
Download: tc.downloadPerm,
|
||||
},
|
||||
}); err != nil {
|
||||
t.Fatalf("failed to save user: %v", err)
|
||||
}
|
||||
if err := storage.Settings.Save(&settings.Settings{Key: []byte("key")}); err != nil {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue