From acb50aeb371f6a48247310e7b5e232809fc75fbe Mon Sep 17 00:00:00 2001
From: Lion Krischer
Date: Mon, 20 Nov 2017 15:35:37 +0100
Subject: [PATCH 1/2] Make sure attachments can only be accessed for the correct type.
---
 src/jane/documents/views.py | 6 ++++--
 src/jane/quakeml/tests/test_quakeml.py | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/jane/documents/views.py b/src/jane/documents/views.py
index c1f6d32..f72079a 100644
--- a/src/jane/documents/views.py
+++ b/src/jane/documents/views.py
@@ -92,8 +92,10 @@ class DocumentIndexAttachmentsView(mixins.RetrieveModelMixin,
 serializer_class = serializer.DocumentIndexAttachmentSerializer
 def get_queryset(self):
- index = get_object_or_404(models.DocumentIndex,
- pk=self.kwargs['idx'])
+ index = get_object_or_404(
+ models.DocumentIndex,
+ pk=self.kwargs['idx'],
+ document__document_type__name=self.kwargs['document_type'])
 return models.DocumentIndexAttachment.objects.filter(index=index)
 def destroy(self, request, document_type, idx, pk):
diff --git a/src/jane/quakeml/tests/test_quakeml.py b/src/jane/quakeml/tests/test_quakeml.py
index 915f934..1207374 100644
--- a/src/jane/quakeml/tests/test_quakeml.py
+++ b/src/jane/quakeml/tests/test_quakeml.py
@@ -623,6 +623,11 @@ def test_adding_modifying_deleting_attachments(self):
 # Make sure its served with the correct content type.
 self.assertEqual(r["Content-Type"], "text/plain")
+ # Make sure it cannot be retrieved by using the wrong category.
+ # See #66.
+ r = self.client.get(a_path.replace("quakeml", "stationxml"))
+ self.assertEqual(r.status_code, 404)
+
 # Update it.
 r = self.client.put(a_path + "/%i" % a_id, data=data_2,
 content_type="text/random",
From 3cf7d5dec476d627c3b82d2b96ff9e6bff9e5593 Mon Sep 17 00:00:00 2001
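Review bot: The added `document__document_type__name` filter in `get_queryset` scopes retrieval to the type named in the URL, but `destroy`, whose signature closes the hunk and whose body lies outside it, is not visibly given the same scoping; if it looks the attachment up by `pk` alone, a delete through another type's URL would still succeed, so it should go through `self.get_queryset()` or repeat this lookup. The reason for the extra filter is not obvious from the code and deserves a why-comment on the new call: `# Tie the index to the URL's document type so one type's attachments cannot be reached through another type's endpoint (see #66).` The same scoping concern applies to the `add_or_modify_attachment` hunk in the second patch of this series.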
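Review bot: The new comment says "wrong category", but what the request varies is the document-type segment of the URL, and "category" is a distinct attachment attribute (the `HTTP_CATEGORY` header used in the second patch of this series), so the wording misleads; suggest `# Make sure it cannot be retrieved through a different document type's URL.` The check also relies on `a_path` containing the literal `quakeml` exactly once — if the path format ever changed, `replace` would become a no-op and the 404 assertion would still pass against a genuinely missing resource, so asserting `"stationxml" in` the rewritten path (or building it from its parts) keeps the test honest. The enclosing `test_adding_modifying_deleting_attachments` starts before this hunk.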
From: Lion Krischer
Date: Mon, 20 Nov 2017 15:59:39 +0100
Subject: [PATCH 2/2] Make sure document type is consistent when creating attachments.
---
 src/jane/documents/models.py | 4 +++-
 src/jane/quakeml/tests/test_quakeml.py | 13 +++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/jane/documents/models.py b/src/jane/documents/models.py
index 42c2fd7..be68e28 100644
--- a/src/jane/documents/models.py
+++ b/src/jane/documents/models.py
@@ -624,7 +624,9 @@ def add_or_modify_attachment(self, document_type, index_id,
 "No permission to %s attachments for documents of that type."
 % method)
- index = get_object_or_404(DocumentIndex, pk=index_id)
+ index = get_object_or_404(
+ DocumentIndex, pk=index_id,
+ document__document_type__name=document_type)
 if method == "update":
 attachment = get_object_or_404(DocumentIndexAttachment, pk=pk,
diff --git a/src/jane/quakeml/tests/test_quakeml.py b/src/jane/quakeml/tests/test_quakeml.py
index 1207374..878cbf3 100644
--- a/src/jane/quakeml/tests/test_quakeml.py
+++ b/src/jane/quakeml/tests/test_quakeml.py
@@ -628,6 +628,19 @@ def test_adding_modifying_deleting_attachments(self):
 r = self.client.get(a_path.replace("quakeml", "stationxml"))
 self.assertEqual(r.status_code, 404)
+ # Make sure an attachment cannot be uploaded with the wrong document
+ # type.
+ # This requires permissions to also write stationxml files.
+ p_station = Permission.objects.filter(
+ codename="can_modify_stationxml_attachments").first()
+ self.user.user_permissions.add(p_station)
+ r = self.client.post(a_path.replace("quakeml", "stationxml"),
+ data=data_1, content_type="text/plain",
+ HTTP_CATEGORY="some_text_2",
+ **self.valid_auth_headers)
+ self.assertEqual(r.status_code, 404)
+ self.user.user_permissions.remove(p_station)
+
 # Update it.
 r = self.client.put(a_path + "/%i" % a_id, data=data_2,
 content_type="text/random",
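Review bot: The permission check whose error message opens this hunk is keyed on the `document_type` taken from the request, while the old lookup fetched the index by `pk` alone, so a caller holding write rights on one type could attach to an index of another type; the added `document__document_type__name=document_type` constraint is what closes that gap and should say so: `# The permission check above is per document type; bind the index to that type so rights on one type do not reach another type's indices.` The `update` branch's `get_object_or_404(DocumentIndexAttachment, pk=pk,` continues past the hunk — if its remaining arguments do not include `index=index`, an attachment belonging to a different index could still be updated by its pk alone, which is worth confirming. `add_or_modify_attachment` starts and ends outside this hunk.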
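Review bot: `Permission.objects.filter(codename="can_modify_stationxml_attachments").first()` yields `None` when the permission is absent, so a missing fixture would surface as a confusing failure on `user_permissions.add` rather than as the unmet precondition it is; `Permission.objects.get(codename="can_modify_stationxml_attachments")` states the requirement explicitly. The permission is granted and removed around the request with no `try`/`finally`, so an assertion failure in between leaves it attached for the remainder of the method — harmless if the test stops there, but `self.addCleanup(self.user.user_permissions.remove, p_station)` would make the intent clear. The comment could also say why a 404 rather than a 403 is expected here: the user now holds write rights on both types, so the only thing rejecting the request is the type-scoped index lookup.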