misc: don't allow users to delete other users files (#41493)
This commit is contained in:
parent
8a75f77f8d
commit
be42fd625f
|
@ -128,7 +128,7 @@ class PickList(PickView, Homepage):
|
|||
return super(PickList, self).post(request, *args, **kwargs)
|
||||
|
||||
|
||||
class Delete(Logger, DeleteView):
|
||||
class Delete(Logger, Documents, DeleteView):
|
||||
model = models.UserDocument
|
||||
|
||||
def delete(self, request, *args, **kwargs):
|
||||
|
|
|
@ -101,3 +101,31 @@ def test_pick(app, private_settings, john_doe, user_doc):
|
|||
response = response.forms[0].submit('Pick')
|
||||
assert response['Location'].startswith(return_url)
|
||||
assert '?url=' in response['Location']
|
||||
|
||||
|
||||
def test_delete(app, john_doe, jane_doe):
|
||||
login(app, user=john_doe)
|
||||
resp = app.get('/')
|
||||
resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
|
||||
resp = resp.form.submit().follow()
|
||||
assert 'monfichier.txt' in resp.text
|
||||
assert UserDocument.objects.all().count() == 1
|
||||
resp = resp.click(href=r'.*delete/')
|
||||
resp = resp.form.submit().follow()
|
||||
resp = app.get('/')
|
||||
assert 'monfichier.txt' not in resp.text
|
||||
assert UserDocument.objects.all().count() == 0
|
||||
|
||||
# put it back
|
||||
resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
|
||||
resp = resp.form.submit().follow()
|
||||
assert 'monfichier.txt' in resp.text
|
||||
assert UserDocument.objects.all().count() == 1
|
||||
resp = resp.click(href=r'.*delete/')
|
||||
delete_url = resp.request.url
|
||||
|
||||
# login as another user
|
||||
login(app, user=jane_doe)
|
||||
resp = app.get('/')
|
||||
assert 'monfichier.txt' not in resp.text
|
||||
resp = app.get(delete_url, status=404)
|
||||
|
|
Loading…
Reference in New Issue