From 958283d8738338a7e8ecb40897d3c5cdcb887946 Mon Sep 17 00:00:00 2001
From: Benjamin Kampmann
Date: Fri, 24 Nov 2023 15:57:30 +0000
Subject: [PATCH] Ensure only non-deleted tokens can be edited
---
 synapse_super_invites/resource/base.py | 4 +-
 tests/test_integrations.py | 71 ++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 2 deletions(-)
diff --git a/synapse_super_invites/resource/base.py b/synapse_super_invites/resource/base.py
index b52a386..7018f7d 100644
--- a/synapse_super_invites/resource/base.py
+++ b/synapse_super_invites/resource/base.py
@@ -17,8 +17,8 @@ def can_edit_token(token: Token, requester: Requester) -> bool:
- # kept outside so we can make it more sophisticated later
- return token.owner == str(requester.user)
+ # Only the owner can edit tokens. And only tokens that haven't been deleted yet
+ return token.owner == str(requester.user) and token.deleted_at is None
 def serialize_token(token: Token) -> JsonDict:
diff --git a/tests/test_integrations.py b/tests/test_integrations.py
index 1189be6..ba60001 100644
--- a/tests/test_integrations.py
+++ b/tests/test_integrations.py
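Review bot: `can_edit_token` loses its only explanatory comment and still has no docstring, so the new `token.deleted_at is None` condition is the sole hint of the contract; I would add `"""Return True only if ``requester`` owns ``token`` and the token has not been soft-deleted (``deleted_at`` is None)."""` above the return. The removed comment also recorded why this check lives in a standalone helper rather than inline at each call site; a sentence to that effect in the docstring keeps that intent visible. Because the result is a bare bool, callers cannot distinguish "not the owner" from "already deleted", which is appropriate for an authorization gate and worth stating explicitly so that no later caller re-derives the two cases and maps them to different responses. The test hunk suggests the token-creation path already relies on this helper returning False for deleted tokens, though that call site is outside this hunk.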
@@ -513,6 +513,77 @@ def test_deletion(self) -> None:
 )
 self.assertEqual(channel.code, 404, msg=channel.result)
+ @override_config(DEFAULT_CONFIG) # type: ignore[misc]
+ def test_deletion_cant_create_again(self) -> None:
+ _m_id = self.register_user("meeko", "password")
+ m_access_token = self.login("meeko", "password")
+
+ # this is our new backend.
+ channel = self.make_request(
+ "GET", "/_synapse/client/super_invites/tokens", access_token=m_access_token
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+ self.assertEqual(channel.json_body["tokens"], [])
+
+ # create a new one for testing.
+ channel = self.make_request(
+ "POST",
+ "/_synapse/client/super_invites/tokens",
+ access_token=m_access_token,
+ content={"rooms": [], "create_dm": True},
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+ token_data = channel.json_body["token"]
+ self.assertEquals(token_data["accepted_count"], 0)
+ self.assertTrue(token_data["create_dm"])
+ token = token_data["token"]
+
+ channel = self.make_request(
+ "GET", "/_synapse/client/super_invites/tokens", access_token=m_access_token
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+ self.assertEqual(len(channel.json_body["tokens"]), 1)
+
+ # we can access it
+ channel = self.make_request(
+ "GET",
+ "/_synapse/client/super_invites/tokens?token={token}".format(token=token),
+ access_token=m_access_token,
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+
+ # delete it
+ channel = self.make_request(
+ "DELETE",
+ "/_synapse/client/super_invites/tokens?token={token}".format(token=token),
+ access_token=m_access_token,
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+
+ # we can't access it
+ channel = self.make_request(
+ "GET",
+ "/_synapse/client/super_invites/tokens?token={token}".format(token=token),
+ access_token=m_access_token,
+ )
+ self.assertEqual(channel.code, 404, msg=channel.result)
+
+ # and it doesn't show up in the user listing
+ channel = self.make_request(
+ "GET", "/_synapse/client/super_invites/tokens", access_token=m_access_token
+ )
+ self.assertEqual(channel.code, 200, msg=channel.result)
+ self.assertEqual(channel.json_body["tokens"], [])
+
+ # and creating it again fails
+ channel = self.make_request(
+ "POST",
+ "/_synapse/client/super_invites/tokens",
+ access_token=m_access_token,
+ content={"rooms": [], "create_dm": True, "token": token},
+ )
+ self.assertEqual(channel.code, 403, msg=channel.result)
+
 @override_config(DEFAULT_CONFIG) # type: ignore[misc]
 def test_cant_redeem_my_own(self) -> None:
 _m_id = self.register_user("meeko", "password")
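Review bot: The new `self.assertEquals(token_data["accepted_count"], 0)` uses the deprecated alias that was removed from `unittest` in Python 3.12, so this test raises AttributeError there before reaching the assertion it is meant to make; change it to `self.assertEqual(token_data["accepted_count"], 0)`, matching every other assertion in the hunk. The test also stops at the final 403 without checking that the rejected POST left nothing behind, so a handler that created a row and then denied the request would still pass; after the 403 I would repeat the listing request and assert `self.assertEqual(channel.json_body["tokens"], [])` once more. The case the authorization change most directly protects — a second, non-owner user posting with the deleted token's string — is not exercised here and deserves its own test in the same style. `_m_id` is assigned but never read, as in the neighbouring `test_cant_redeem_my_own`, so that is a pre-existing pattern rather than something to fix in this commit.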