Skip to content

Commit

Permalink
Merge pull request from GHSA-hvp4-vrv2-8wrq
Browse files Browse the repository at this point in the history
* Reproduce issue in tests

* Fix context attribute when record exists

* Add comments

* Move assignment and comment below
  • Loading branch information
leplatrem authored Feb 8, 2024
1 parent 3e8f32c commit f4a3148
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 3 deletions.
13 changes: 12 additions & 1 deletion src/kinto_attachment/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,11 @@

class AttachmentRouteFactory(RouteFactory):
def __init__(self, request):
"""Attachment is not a Kinto resource.
"""
This class is the `context` object being passed to the
:class:`kinto.core.authorization.AuthorizationPolicy`.
Attachment is not a Kinto resource.
The required permission is:
* ``write`` if the related record exists;
Expand All @@ -43,12 +47,19 @@ def __init__(self, request):
existing = resource.get()
except httpexceptions.HTTPNotFound:
existing = None

if existing:
# Request write permission on the existing record.
self.permission_object_id = record_uri(request)
self.required_permission = "write"
else:
# Request create record permission on the parent collection.
self.permission_object_id = collection_uri(request)
self.required_permission = "create"
# Set the current object in context, since it is used in the
# authorization policy to distinguish operations on plural endpoints
# from individual objects. See Kinto/kinto#918
self.current_object = existing


def sha256(content):
Expand Down
40 changes: 38 additions & 2 deletions tests/test_views_attachment.py
Original file line number Diff line number Diff line change
Expand Up @@ -283,21 +283,57 @@ def test_upload_refused_if_not_authenticated(self):
self.headers.pop("Authorization")
self.upload(status=401)

def test_upload_replace_refused_if_not_authenticated(self):
self.upload(status=201)

self.headers.pop("Authorization")
self.upload(status=401)

def test_upload_refused_if_not_allowed(self):
self.headers.update(get_user_headers("jean-louis"))
self.upload(status=403)

def test_upload_replace_refused_if_only_create_allowed(self):
# Allow any authenticated to write in this bucket.
# Allow any authenticated to write in this collection.
perm = {"permissions": {"record:create": ["system.Authenticated"]}}
self.app.patch_json("/buckets/fennec/collections/fonts", perm, headers=self.headers)
self.upload(status=201)

self.headers.update(get_user_headers("jean-louis"))
self.upload(status=403)

def test_upload_replace_refused_if_only_bucket_read_is_allowed(self):
# Create a record with attachment.
self.upload(status=201)

# Now allow anyone to read this bucket.
perm = {"permissions": {"read": ["system.Everyone"]}}
self.app.patch_json("/buckets/fennec", perm, headers=self.headers)

# And try to replace anonymously.
self.headers.pop("Authorization")
self.upload(status=401)

def test_upload_replace_refused_if_only_read_is_allowed(self):
# Create a record with attachment.
self.upload(status=201)

# Now allow anyone to read this collection.
perm_change = [
{"op": "add", "path": "/permissions", "value": {"read": ["system.Everyone"]}}
]
self.app.patch_json(
"/buckets/fennec/collections/fonts",
perm_change,
headers={**self.headers, "Content-Type": "application/json-patch+json"},
)

# And try to replace anonymously.
self.headers.pop("Authorization")
self.upload(status=401)

def test_upload_create_accepted_if_create_allowed(self):
# Allow any authenticated to write in this bucket.
# Allow any authenticated to write in this collection.
perm = {"permissions": {"record:create": ["system.Authenticated"]}}
self.app.patch_json("/buckets/fennec/collections/fonts", perm, headers=self.headers)

Expand Down

0 comments on commit f4a3148

Please sign in to comment.