Enforce library permissions for full-text item versions
dstillman committed Apr 30, 2016
1 parent 43fa3b9 commit 363da1d
Showing 2 changed files with 24 additions and 0 deletions.
5 changes: 5 additions & 0 deletions controllers/FullTextController.php
Expand Up @@ -35,6 +35,11 @@ public function __construct($controllerName, $action, $params) {
public function fulltext() {
$this->allowMethods(array('GET'));

// Check for general library access
if (!$this->permissions->canAccess($this->objectLibraryID)) {
$this->e403();
}

// Default empty library
if ($this->objectLibraryID === 0) {
$this->libraryVersion = 0;
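Review bot: The guard added at the top of fulltext() protects the version listing only if `e403()` ends the request (exits or throws), which this hunk does not show; if it only sets the response status, execution would continue into the library-version code below. If termination is not guaranteed by the base controller, making it explicit with `return $this->e403();` would remove the doubt. The check also now runs ahead of the `$this->objectLibraryID === 0` default, so `canAccess()` is asked about library 0 as well; a comment such as `// Must stay above the empty-library default so no path skips the access check` would record that the ordering is intended. fulltext() continues beyond the hunk.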
19 changes: 19 additions & 0 deletions tests/remote/tests/API/3/FullTextTest.php
Expand Up @@ -41,6 +41,25 @@ public static function tearDownAfterClass() {
}


public function testVersionsAnonymous() {
API::useAPIKey(false);
$response = API::userGet(
self::$config['userID'],
"fulltext"
);
$this->assert403($response);
}


public function testContentAnonymous() {
API::useAPIKey(false);
$response = API::userGet(
self::$config['userID'],
"items/AAAAAAAA/fulltext"
);
$this->assert403($response);
}

public function testSetItemContent() {
$key = API::createItem("book", false, $this, 'key');
$attachmentKey = API::createAttachmentItem("imported_url", [], $key, $this, 'key');
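Review bot: Both new tests cover only the anonymous case (`API::useAPIKey(false)`); a request made with a valid key that has no access to this library is the other case `canAccess()` has to reject, and nothing here exercises it. testContentAnonymous also uses the placeholder item key `AAAAAAAA`, so its 403 shows that the permission check runs before item lookup but would presumably become a 404 if that order changed; a comment such as `// Item need not exist: the access check must run before lookup` would make that deliberate. Neither test restores the API key afterwards, so unless setUp() (not visible here) resets it, later tests such as testSetItemContent depend on execution order. testSetItemContent continues beyond the hunk.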
