From b84df096db7f5c18d72e429a6aab1e45905a31b8 Mon Sep 17 00:00:00 2001
From: Swikriti Tripathi
Date: Wed, 15 Dec 2021 10:48:06 +0545
Subject: [PATCH] Add bug demonstration test for sending PUT request to other user's webdav endpoint
---
 .../apiAuthWebDav/webDavPUTAuth.feature | 6 +++--
 .../webDavPUTAuthOC10Issue39597.feature | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 tests/acceptance/features/apiAuthWebDav/webDavPUTAuthOC10Issue39597.feature
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
index 0a9f18a88f6a..eafe63f5c345 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
@@ -36,7 +36,7 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" - @issue-ocis-reva-9 @issue-ocis-reva-197 @skipOnOcV10.3 @skipOnOcV10.4 @skipOnOcV10.5 + @skipOnOcV10 Scenario: send PUT requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice" | endpoint |
@@ -46,7 +46,8 @@ Feature: get file info using PUT When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice" | endpoint | | /remote.php/dav/files/%username%/PARENT/parent.txt | - Then the HTTP status code of responses on all endpoints should be "409" + Then the HTTP status code of responses on all endpoints should be "403" + Scenario: send PUT requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice"
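Review bot: The `@skipOnOcV10` tag in the first hunk takes this cross-user PUT scenario out of every oC10 run, and nothing on the tag line says why or where the oC10 coverage went. A comment above the tag would keep the link visible, for example `# oC10 answers 409 for PARENT/parent.txt, see issue-39597 and webDavPUTAuthOC10Issue39597.feature`. It would also tell whoever fixes the issue that the tag has to come off again so the "403" expectation is enforced on oC10.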
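Review bot: The `Then` step changed to "403" in the second hunk checks only the response code, so a server that returns the expected code but still stores the body would pass this access-control test. Since the request carries the body "doesnotmatter", the scenario could end with a step such as `And the content of file "/PARENT/parent.txt" for user "Alice" should be "some data"`, assuming this file's Background uploads that content as the new oC10 feature file does and that the content step is available to this suite. The same applies to the "409" scenario in webDavPUTAuthOC10Issue39597.feature, where a passing status check says even less about whether Alice's file was touched. The scenario starts outside the hunk.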
@@ -58,6 +59,7 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send PUT requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice" | endpoint |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuthOC10Issue39597.feature b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuthOC10Issue39597.feature
new file mode 100644
index 000000000000..1171c6034856
--- /dev/null
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuthOC10Issue39597.feature
@@ -0,0 +1,23 @@
+@api @issue-39597 @skipOnOcV10.3 @skipOnOcV10.4 @skipOnOcV10.5 @skipOnOcis
+Feature: get file info using PUT
+
+ Background:
+ Given these users have been created with default attributes and without skeleton files:
+ | username |
+ | Alice |
+ | Brian |
+ And user "Alice" has uploaded file with content "some data" to "/textfile1.txt"
+ And user "Alice" has created folder "/PARENT"
+ And user "Alice" has uploaded file with content "some data" to "/PARENT/parent.txt"
+
+
+ Scenario: send PUT requests to another user's webDav endpoints as normal user
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "409"
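Review bot: The new feature file pins "409" as the expected result for PARENT/parent.txt without saying that this is the known-wrong oC10 behaviour, so a later reader can take it for the intended authorization outcome. A comment at the top of the file would make the status explicit, for example `# bug demonstration for issue-39597: oC10 returns 409 here, the expected code is 403; delete this file and drop @skipOnOcV10 in webDavPUTAuth.feature once fixed`. The Feature title is also copied unchanged (`get file info using PUT`), and a title naming the issue would make failures in CI reports easier to attribute.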