actesweb: fix demand file permissions (#29774)
This commit is contained in:
parent
4e36e9ae66
commit
1a56a4c21e
|
@ -17,6 +17,7 @@ from __future__ import unicode_literals
|
|||
|
||||
import json
|
||||
import os
|
||||
import stat
|
||||
import tempfile
|
||||
import contextlib
|
||||
|
||||
|
@ -85,6 +86,9 @@ class ActesWeb(BaseResource):
|
|||
tpf.write(demand_content)
|
||||
tpf.flush()
|
||||
os.fsync(tpf.file.fileno())
|
||||
os.rename(tpf.name, filepath)
|
||||
tempfile_name = tpf.name
|
||||
os.rename(tempfile_name, filepath)
|
||||
# set read only permission for owner and group
|
||||
os.chmod(filepath, stat.S_IRUSR|stat.S_IRGRP)
|
||||
demand_id = '%s_%s' % (application_id, os.path.basename(filepath))
|
||||
return {'data': {'demand_id': demand_id}}
|
||||
|
|
|
@ -20,6 +20,7 @@ import json
|
|||
import io
|
||||
import os
|
||||
import shutil
|
||||
import stat
|
||||
|
||||
import pytest
|
||||
|
||||
|
@ -155,6 +156,11 @@ def test_demand_creation(app, payload, actesweb):
|
|||
response = app.post_json(url, params=payload['death'])
|
||||
demand_id = response.json['data']['demand_id']
|
||||
demfile = get_demand_filepath(actesweb, demand_id)
|
||||
# make sure only owner and group can read file
|
||||
assert bool(os.stat(demfile).st_mode & stat.S_IRGRP)
|
||||
assert bool(os.stat(demfile).st_mode & stat.S_IRUSR)
|
||||
# and no others
|
||||
assert not bool(os.stat(demfile).st_mode & stat.S_IRWXO)
|
||||
assert_file_content_values(
|
||||
demfile, dict(
|
||||
DEMANDEUR_CIVILITE="Madame",
|
||||
|
|
Loading…
Reference in New Issue