Check for authorship on edit and delete attempts

This commit is contained in:
Arthur Schiwon 2016-02-04 12:57:48 +01:00
parent cd16ba5cb3
commit a480b2261b
2 changed files with 184 additions and 1 deletions

View File

@ -27,6 +27,7 @@ use OCP\Comments\ICommentsManager;
use OCP\ILogger;
use OCP\IUserManager;
use OCP\IUserSession;
use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\Exception\MethodNotAllowed;
use Sabre\DAV\PropPatch;
@ -112,12 +113,23 @@ class CommentNode implements \Sabre\DAV\INode, \Sabre\DAV\IProperties {
];
}
protected function checkWriteAccessOnComment() {
$user = $this->userSession->getUser();
if( $this->comment->getActorType() !== 'users'
|| is_null($user)
|| $this->comment->getActorId() !== $user->getUID()
) {
throw new Forbidden('Only authors are allowed to edit their comment.');
}
}
/**
* Deleted the current node
*
* @return void
*/
function delete() {
$this->checkWriteAccessOnComment();
$this->commentsManager->delete($this->comment->getId());
}
@ -156,8 +168,10 @@ class CommentNode implements \Sabre\DAV\INode, \Sabre\DAV\IProperties {
*
* @param $propertyValue
* @return bool
* @throws Forbidden
*/
public function updateComment($propertyValue) {
$this->checkWriteAccessOnComment();
try {
$this->comment->setMessage($propertyValue);
$this->commentsManager->save($this->comment);

View File

@ -51,10 +51,28 @@ class CommentsNode extends \Test\TestCase {
}
public function testDelete() {
$user = $this->getMock('\OCP\IUser');
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('alice'));
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->once())
->method('getId')
->will($this->returnValue('19'));
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->comment->expects($this->any())
->method('getActorId')
->will($this->returnValue('alice'));
$this->commentsManager->expects($this->once())
->method('delete')
->with('19');
@ -62,6 +80,37 @@ class CommentsNode extends \Test\TestCase {
$this->node->delete();
}
/**
* @expectedException \Sabre\DAV\Exception\Forbidden
*/
public function testDeleteForbidden() {
$user = $this->getMock('\OCP\IUser');
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('mallory'));
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->never())
->method('getId');
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->comment->expects($this->any())
->method('getActorId')
->will($this->returnValue('alice'));
$this->commentsManager->expects($this->never())
->method('delete');
$this->node->delete();
}
public function testGetName() {
$id = '19';
$this->comment->expects($this->once())
@ -85,10 +134,28 @@ class CommentsNode extends \Test\TestCase {
public function testUpdateComment() {
$msg = 'Hello Earth';
$user = $this->getMock('\OCP\IUser');
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('alice'));
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->once())
->method('setMessage')
->with($msg);
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->comment->expects($this->any())
->method('getActorId')
->will($this->returnValue('alice'));
$this->commentsManager->expects($this->once())
->method('save')
->with($this->comment);
@ -96,14 +163,32 @@ class CommentsNode extends \Test\TestCase {
$this->assertTrue($this->node->updateComment($msg));
}
public function testUpdateCommentException() {
public function testUpdateCommentLogException() {
$msg = null;
$user = $this->getMock('\OCP\IUser');
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('alice'));
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->once())
->method('setMessage')
->with($msg)
->will($this->throwException(new \Exception('buh!')));
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->comment->expects($this->any())
->method('getActorId')
->will($this->returnValue('alice'));
$this->commentsManager->expects($this->never())
->method('save');
@ -113,6 +198,90 @@ class CommentsNode extends \Test\TestCase {
$this->assertFalse($this->node->updateComment($msg));
}
/**
* @expectedException \Sabre\DAV\Exception\Forbidden
*/
public function testUpdateForbiddenByUser() {
$msg = 'HaXX0r';
$user = $this->getMock('\OCP\IUser');
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('mallory'));
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->never())
->method('setMessage');
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->comment->expects($this->any())
->method('getActorId')
->will($this->returnValue('alice'));
$this->commentsManager->expects($this->never())
->method('save');
$this->node->updateComment($msg);
}
/**
* @expectedException \Sabre\DAV\Exception\Forbidden
*/
public function testUpdateForbiddenByType() {
$msg = 'HaXX0r';
$user = $this->getMock('\OCP\IUser');
$user->expects($this->never())
->method('getUID');
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->comment->expects($this->never())
->method('setMessage');
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('bots'));
$this->commentsManager->expects($this->never())
->method('save');
$this->node->updateComment($msg);
}
/**
* @expectedException \Sabre\DAV\Exception\Forbidden
*/
public function testUpdateForbiddenByNotLoggedIn() {
$msg = 'HaXX0r';
$this->userSession->expects($this->once())
->method('getUser')
->will($this->returnValue(null));
$this->comment->expects($this->never())
->method('setMessage');
$this->comment->expects($this->any())
->method('getActorType')
->will($this->returnValue('users'));
$this->commentsManager->expects($this->never())
->method('save');
$this->node->updateComment($msg);
}
public function testPropPatch() {
$propPatch = $this->getMockBuilder('Sabre\DAV\PropPatch')
->disableOriginalConstructor()