implement 'should not allow retrieval of a password protected file without the password'
authorLunar <lunar@anargeek.net>
Sun, 1 Aug 2010 22:39:56 +0000 (00:39 +0200)
committerLunar <lunar@anargeek.net>
Sun, 1 Aug 2010 22:39:56 +0000 (00:39 +0200)
coquelicot.rb
test_coquelicot.rb

index dd84509..325c515 100644 (file)
@@ -325,7 +325,8 @@ end
 
 post '/:link' do |link|
   pass = params[:file_key]
-  403 unless send_stored_file(link, pass)
+  return 403 if pass.nil? or pass.empty?
+  return 403 unless send_stored_file(link, pass)
 end
 
 helpers do
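Review bot: The added guard `return 403 if pass.nil? or pass.empty?` uses `or`, the low-precedence keyword form; it parses as intended under the modifier `if` today, but it silently changes meaning as soon as the expression is combined with `&&`/`||` or an assignment, so the conventional form is `return 403 if pass.nil? || pass.empty?` (or simply `return 403 if pass.to_s.empty?`). A blank `file_key` now short-circuits before `send_stored_file` is consulted at all, which is the behaviour the new spec pins; since the reason is not obvious from the route alone, a one-line comment such as `# an empty or missing file_key never unlocks a file; the key is only checked in send_stored_file` would tell the next reader why both lines exist. `send_stored_file` is defined outside this hunk, so whether it already rejects an empty key itself cannot be confirmed here.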
index 815917d..f7f15c1 100644 (file)
@@ -132,7 +132,22 @@ describe 'Coquelicot' do
     last_response.body.should eql(File.new(__FILE__).read)
   end
 
-  it "should not allow retrieval of a password protected file without the password"
+  it "should not allow retrieval of a password protected file without the password" do
+    post '/upload', 'file' => Rack::Test::UploadedFile.new(__FILE__, 'text/x-script.ruby'),
+                    'file_key' => 'somethingSecret',
+                    'upload_password' => UPLOAD_PASSWORD
+    last_response.redirect?.should be_true
+    follow_redirect!
+    last_response.should be_ok
+    doc = Hpricot(last_response.body)
+    url = (doc/'a').collect { |a| a.attributes['href'] }.
+      select { |h| h.start_with? "http://#{last_request.host}/" }[0]
+    get url
+    last_response.should be_ok
+    last_response['Content-Type'].should_not eql('text/x-script.ruby')
+    post url
+    last_response.status.should eql(403)
+  end
 
   it "should not allow retrieval of a password protected file with a wrong password"