Merge pull request #1419 from solid/postAclFix

jaxoncreed · web-flow · commit 818a0cdd1f44 · 2020-04-12T17:29:41.000-04:00
Merge approved in a private repo
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -26,6 +26,7 @@ class ACLChecker {
     this.aclCached = {}
     this.messagesCached = {}
     this.requests = {}
+    this.slug = options.slug
   }
 
   // Returns a fulfilled promise when the user can access the resource
@@ -53,6 +54,11 @@ class ACLChecker {
       mode = 'Control'
       resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
     }
+    // If the slug is an acl, reject
+    if (this.isAcl(this.slug)) {
+      this.aclCached[cacheKey] = Promise.resolve(false)
+      return this.aclCached[cacheKey]
+    }
     const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
     const aclFile = rdf.sym(acl.acl)
     const agent = user ? rdf.sym(user) : null
@@ -167,7 +173,8 @@ class ACLChecker {
       },
       suffix: ldp.suffixAcl,
       strictOrigin: ldp.strictOrigin,
-      trustedOrigins
+      trustedOrigins,
+      slug: decodeURIComponent(req.headers['slug'])
     })
   }
 }
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.2.3",
+  "version": "5.2.4",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
diff --git a/test/integration/acl-oidc-test.js b/test/integration/acl-oidc-test.js
@@ -545,6 +545,16 @@ describe('ACL with WebID+OIDC over HTTP', function () {
         done()
       })
     })
+    it('user2 should not be able able to post an acl file', function (done) {
+      var options = createOptions('/append-acl/abc.ttl.acl', 'user2', 'text/turtle')
+      options.body = '<a> <b> <c> .\n'
+      request.put(options, function (error, response, body) {
+        assert.equal(error, null)
+        assert.equal(response.statusCode, 403)
+        assert.equal(response.statusMessage, 'User Unauthorized')
+        done()
+      })
+    })
     it('user2 should not be able to access test file', function (done) {
       var options = createOptions('/append-acl/abc.ttl', 'user2', 'text/turtle')
       request.head(options, function (error, response, body) {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "solid-server",`
`3`	`3`	`"description": "Solid server on top of the file-system",`
`4`		`- "version": "5.2.3",`
	`4`	`+ "version": "5.2.4",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "Tim Berners-Lee",`
`7`	`7`	`"email": "[email protected]"`