misc: don't allow users to delete other users files (#41493)

2020-04-08 21:31:20 +02:00 · 2020-04-08 21:31:20 +02:00 · be42fd625f
parent 8a75f77f8d
commit be42fd625f
2 changed files with 29 additions and 1 deletions
--- a/fargo/fargo/views.py
+++ b/fargo/fargo/views.py
@ -128,7 +128,7 @@ class PickList(PickView, Homepage):
        return super(PickList, self).post(request, *args, **kwargs)


-class Delete(Logger, DeleteView):
+class Delete(Logger, Documents, DeleteView):
    model = models.UserDocument

    def delete(self, request, *args, **kwargs):
--- a/tests/test_public.py
+++ b/tests/test_public.py
@ -101,3 +101,31 @@ def test_pick(app, private_settings, john_doe, user_doc):
    response = response.forms[0].submit('Pick')
    assert response['Location'].startswith(return_url)
    assert '?url=' in response['Location']
+
+
+def test_delete(app, john_doe, jane_doe):
+    login(app, user=john_doe)
+    resp = app.get('/')
+    resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
+    resp = resp.form.submit().follow()
+    assert 'monfichier.txt' in resp.text
+    assert UserDocument.objects.all().count() == 1
+    resp = resp.click(href=r'.*delete/')
+    resp = resp.form.submit().follow()
+    resp = app.get('/')
+    assert 'monfichier.txt' not in resp.text
+    assert UserDocument.objects.all().count() == 0
+
+    # put it back
+    resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
+    resp = resp.form.submit().follow()
+    assert 'monfichier.txt' in resp.text
+    assert UserDocument.objects.all().count() == 1
+    resp = resp.click(href=r'.*delete/')
+    delete_url = resp.request.url
+
+    # login as another user
+    login(app, user=jane_doe)
+    resp = app.get('/')
+    assert 'monfichier.txt' not in resp.text
+    resp = app.get(delete_url, status=404)