Merge pull request #2312 from overleaf/sk-fix-join-project-null

When we can't join a project, produce a 403 response

GitOrigin-RevId: 7a52dd019ed33474e18cdb378fd3d4622f378e56
Shane Kilkelly 2019-11-07 10:28:34 +00:00 committed by sharelatex
parent cbf08c599b
commit add98c889c
4 changed files with 44 additions and 10 deletions


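--- a/FILE_1_PATH_NOT_SHOWN
+++ b/FILE_1_PATH_NOT_SHOWN
@@ -32,6 +32,9 @@ module.exports = EditorHttpController = {
 if (error) {
 return next(error)
 }
+if (!project) {
+return res.sendStatus(403)
+}
 // Hide access tokens if this is not the project owner
 TokenAccessHandler.protectTokens(project, privilegeLevel)
 if (isRestrictedUser) {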
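Review bot: The new `if (!project)` guard answers 403 with nothing telling a later reader that the status is deliberate, and it uses the same status whether the project does not exist or the caller simply may not read it — the right choice for not disclosing project existence, provided _buildJoinProjectView yields a null project in both cases, which this hunk does not show. A comment on the guard would keep a future change from turning the missing case into a 404: `// No project: not found or not accessible. Reply 403 for both so the response does not reveal whether the project exists.` If the module has a logger in scope, an access-denied log line carrying the request's user and project identifiers at this point would also help when reviewing denied join attempts. The enclosing handler (presumably joinProject, given the unit test in this commit) starts before and ends after this hunk.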


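--- a/FILE_2_PATH_NOT_SHOWN
+++ b/FILE_2_PATH_NOT_SHOWN
@@ -204,7 +204,10 @@ function expectNoReadAccess(user, projectId, options, callback) {
 tryContentAccess(
 user,
 projectId,
-(response, body) => expect(body.privilegeLevel).to.be.equal(false),
+(response, body) => {
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
+},
 cb
 )
 ],
@@ -217,7 +220,7 @@ function expectNoContentWriteAccess(user, projectId, callback) {
 user,
 projectId,
 (response, body) =>
-expect(body.privilegeLevel).to.be.oneOf([false, 'readOnly']),
+expect(body.privilegeLevel).to.be.oneOf([undefined, null, 'readOnly']),
 callback
 )
 }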
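Review bot: In the second hunk, widening the set to `oneOf([undefined, null, 'readOnly'])` makes expectNoContentWriteAccess accept any response whose body has no privilegeLevel field — the intended 403 with the string body 'Forbidden', but equally a 500 or an HTML error page — so the helper no longer separates "access denied" from "request failed". Asserting the status code alongside it keeps the check meaningful: the arrow would need a braced body with `expect(response.statusCode).to.be.oneOf([200, 403])` before the existing expectation, with 200 standing for whatever status the JSON privilegeLevel response uses (not visible here). The first hunk's expectNoReadAccess already pins both status and body, so the two helpers would then be consistent. Both enclosing functions begin before their hunks.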


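--- a/FILE_3_PATH_NOT_SHOWN
+++ b/FILE_3_PATH_NOT_SHOWN
@@ -168,7 +168,8 @@ describe('TokenAccess', function() {
 this.other1,
 this.projectId,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -286,7 +287,8 @@ describe('TokenAccess', function() {
 this.other1,
 this.projectId,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -401,7 +403,8 @@ describe('TokenAccess', function() {
 this.projectId,
 this.tokens.readOnly,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -518,7 +521,8 @@ describe('TokenAccess', function() {
 this.other1,
 this.projectId,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -585,7 +589,8 @@ describe('TokenAccess', function() {
 this.projectId,
 this.tokens.readAndWrite,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -690,7 +695,8 @@ describe('TokenAccess', function() {
 this.projectId,
 this.tokens.readAndWrite,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -771,7 +777,8 @@ describe('TokenAccess', function() {
 this.other2,
 this.projectId,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )
@@ -865,7 +872,8 @@ describe('TokenAccess', function() {
 this.other2,
 this.projectId,
 (response, body) => {
-expect(body.privilegeLevel).to.equal(false)
+expect(response.statusCode).to.equal(403)
+expect(body).to.equal('Forbidden')
 },
 cb
 )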
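Review bot: The identical two-line callback `expect(response.statusCode).to.equal(403)` / `expect(body).to.equal('Forbidden')` is written inline in all eight hunks of this file; a single named helper such as `function expectForbidden(response, body) { … }` holding both expectations, passed in place of each arrow, would remove the duplication and give one place to edit if the denial response ever changes. The body assertion also pins Express's default reason phrase for sendStatus(403), so a later switch to a JSON error body would require touching all eight tests at once, which the helper avoids. Each callback sits inside a test whose surrounding code lies outside its hunk.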


@ -141,6 +141,26 @@ describe('EditorHttpController', function() {
}) })
}) })
describe('when no project', function() {
beforeEach(function() {
this.EditorHttpController._buildJoinProjectView = sinon
.stub()
.callsArgWith(3, null, null, null, false)
this.EditorHttpController.joinProject(this.req, this.res)
})
it('should send a 403 response', function() {
this.res.json
.calledWith({
project: null,
privilegeLevel: null,
isRestrictedUser: null
})
.should.equal(false)
this.res.sendStatus.calledWith(403).should.equal(true)
})
})
describe('with an anonymous user', function() { describe('with an anonymous user', function() {
beforeEach(function() { beforeEach(function() {
this.req.query = { user_id: 'anonymous-user' } this.req.query = { user_id: 'anonymous-user' }