github/overleaf
1
0
Fork 0
mirror of https://github.com/overleaf/overleaf.git synced 2025-02-23 11:00:58 +00:00
Code Issues Projects Releases Packages Wiki Activity

When anon is denied access to read-write token, redirect to restricted

Browse source
This commit is contained in:
Shane Kilkelly 2017-11-06 16:46:42 +00:00
parent 5d0dd6ffc9
commit 2b4d516353
3 changed files with 7 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee
View file

@ -52,7 +52,7 @@ module.exports = TokenAccessController =
else else
logger.log {token, projectId: project._id}, logger.log {token, projectId: project._id},
"[TokenAccess] deny anonymous read-and-write token access" "[TokenAccess] deny anonymous read-and-write token access"
return next(new Errors.NotFoundError()) return res.redirect('/restricted')
if project.owner_ref.toString() == userId if project.owner_ref.toString() == userId
logger.log {userId, projectId: project._id}, logger.log {userId, projectId: project._id},
"[TokenAccess] user is already project owner" "[TokenAccess] user is already project owner"

7
services/web/test/UnitTests/coffee/TokenAccess/TokenAccessControllerTests.coffee
View file

@ -150,6 +150,7 @@ describe "TokenAccessController", ->
@TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED = false @TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED = false
@req = new MockRequest() @req = new MockRequest()
@res = new MockResponse() @res = new MockResponse()
@res.redirect = sinon.stub()
@next = sinon.stub() @next = sinon.stub()
@req.params['read_and_write_token'] = @readAndWriteToken @req.params['read_and_write_token'] = @readAndWriteToken
@TokenAccessHandler.findProjectWithReadAndWriteToken = sinon.stub() @TokenAccessHandler.findProjectWithReadAndWriteToken = sinon.stub()
@ -175,9 +176,9 @@ describe "TokenAccessController", ->
expect(@ProjectController.loadEditor.calledWith(@req, @res, @next)).to.equal false expect(@ProjectController.loadEditor.calledWith(@req, @res, @next)).to.equal false
done() done()
it 'should call next with an error', (done) -> it 'should redirect to restricted page', (done) ->
expect(@next.callCount).to.equal 1 expect(@res.redirect.callCount).to.equal 1
expect(@next.lastCall.args[0]).to.be.instanceof Error expect(@res.redirect.calledWith('/restricted')).to.equal true
done() done()
describe 'when findProject produces an error', -> describe 'when findProject produces an error', ->

3
services/web/test/acceptance/coffee/TokenAccessTests.coffee
View file

@ -283,7 +283,8 @@ describe 'TokenAccess', ->
it 'should not allow the user to access read-and-write token', (done) -> it 'should not allow the user to access read-and-write token', (done) ->
try_read_and_write_token_access(@anon, @tokens.readAndWrite, (response, body) => try_read_and_write_token_access(@anon, @tokens.readAndWrite, (response, body) =>
expect(response.statusCode).to.equal 404 expect(response.statusCode).to.equal 302
expect(body).to.match /.*\/restricted.*/
, done) , done)
it 'should not allow the user to join the project', (done) -> it 'should not allow the user to join the project', (done) ->