mirror of
https://github.com/photoprism/photoprism.git
synced 2026-07-17 16:49:04 +00:00
API: Cover shared-only session access to the files endpoint
Add a GetFile subtest asserting a shared-only (guest) session receives no file details from /api/v1/files/:hash, locking in the per-session access behavior. Per-photo file scope is covered separately by search.TestFileVisibleToSession.
This commit is contained in:
parent
7d9fee0aa4
commit
cd44267bce
1 changed files with 17 additions and 0 deletions
|
|
@ -7,6 +7,8 @@ import (
|
|||
"github.com/tidwall/gjson"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/photoprism/photoprism/internal/config"
|
||||
)
|
||||
|
||||
func TestGetFile(t *testing.T) {
|
||||
|
|
@ -25,4 +27,19 @@ func TestGetFile(t *testing.T) {
|
|||
r := PerformRequest(app, "GET", "/api/v1/files/111")
|
||||
assert.Equal(t, http.StatusNotFound, r.Code)
|
||||
})
|
||||
t.Run("SharedOnlySessionDenied", func(t *testing.T) {
|
||||
app, router, conf := NewApiTest()
|
||||
conf.SetAuthMode(config.AuthModePasswd)
|
||||
defer conf.SetAuthMode(config.AuthModePublic)
|
||||
|
||||
GetFile(router)
|
||||
|
||||
// A shared-only (guest) session has no files access, so the endpoint denies the request
|
||||
// at the ACL check before the visibility gate. Per-photo file scope (the gate that returns
|
||||
// 404 for an out-of-scope file when the role does have files access, e.g. a viewer in
|
||||
// Plus/Pro) is covered by search.TestFileVisibleToSession.
|
||||
authToken := AuthenticateUser(app, router, "gandalf", "Gandalf123!")
|
||||
r := AuthenticatedRequest(app, "GET", "/api/v1/files/2cad9168fa6acc5c5c2965ddf6ec465ca42fd818", authToken)
|
||||
assert.Equal(t, http.StatusForbidden, r.Code)
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue