actesweb: fix demand file permissions (#29774)

2019-01-15 16:05:33 +01:00 · 2019-01-15 16:05:33 +01:00 · 1a56a4c21e
parent 4e36e9ae66
commit 1a56a4c21e
2 changed files with 11 additions and 1 deletions
--- a/passerelle/apps/actesweb/models.py
+++ b/passerelle/apps/actesweb/models.py
@ -17,6 +17,7 @@ from __future__ import unicode_literals

 import json
 import os
+import stat
 import tempfile
 import contextlib

@ -85,6 +86,9 @@ class ActesWeb(BaseResource):
            tpf.write(demand_content)
            tpf.flush()
            os.fsync(tpf.file.fileno())
-            os.rename(tpf.name, filepath)
+            tempfile_name = tpf.name
+        os.rename(tempfile_name, filepath)
+        # set read only permission for owner and group
+        os.chmod(filepath, stat.S_IRUSR|stat.S_IRGRP)
        demand_id = '%s_%s' % (application_id, os.path.basename(filepath))
        return {'data': {'demand_id': demand_id}}
--- a/tests/test_actesweb.py
+++ b/tests/test_actesweb.py
@ -20,6 +20,7 @@ import json
 import io
 import os
 import shutil
+import stat

 import pytest

@ -155,6 +156,11 @@ def test_demand_creation(app, payload, actesweb):
        response = app.post_json(url, params=payload['death'])
        demand_id = response.json['data']['demand_id']
        demfile = get_demand_filepath(actesweb, demand_id)
+        # make sure only owner and group can read file
+        assert bool(os.stat(demfile).st_mode & stat.S_IRGRP)
+        assert bool(os.stat(demfile).st_mode & stat.S_IRUSR)
+        # and no others
+        assert not bool(os.stat(demfile).st_mode & stat.S_IRWXO)
        assert_file_content_values(
            demfile, dict(
                DEMANDEUR_CIVILITE="Madame",