Merge pull request #1419 from solid/postAclFix

Merge approved in a private repo
nodeSolidServer · Apr 12, 2020 · 818a0cd · 818a0cd
2 parents 23a92eb + 16c18ea
commit 818a0cd
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -26,6 +26,7 @@ class ACLChecker {
     this.aclCached = {}
     this.messagesCached = {}
     this.requests = {}
+    this.slug = options.slug
   }
 
   // Returns a fulfilled promise when the user can access the resource
@@ -53,6 +54,11 @@ class ACLChecker {
       mode = 'Control'
       resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
     }
+    // If the slug is an acl, reject
+    if (this.isAcl(this.slug)) {
+      this.aclCached[cacheKey] = Promise.resolve(false)
+      return this.aclCached[cacheKey]
+    }
     const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
     const aclFile = rdf.sym(acl.acl)
     const agent = user ? rdf.sym(user) : null
@@ -167,7 +173,8 @@ class ACLChecker {
       },
       suffix: ldp.suffixAcl,
       strictOrigin: ldp.strictOrigin,
-      trustedOrigins
+      trustedOrigins,
+      slug: decodeURIComponent(req.headers['slug'])
     })
   }
 }

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.2.3",
+  "version": "5.2.4",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "[email protected]"

diff --git a/test/integration/acl-oidc-test.js b/test/integration/acl-oidc-test.js
@@ -545,6 +545,16 @@ describe('ACL with WebID+OIDC over HTTP', function () {
         done()
       })
     })
+    it('user2 should not be able able to post an acl file', function (done) {
+      var options = createOptions('/append-acl/abc.ttl.acl', 'user2', 'text/turtle')
+      options.body = '<a> <b> <c> .\n'
+      request.put(options, function (error, response, body) {
+        assert.equal(error, null)
+        assert.equal(response.statusCode, 403)
+        assert.equal(response.statusMessage, 'User Unauthorized')
+        done()
+      })
+    })
     it('user2 should not be able to access test file', function (done) {
       var options = createOptions('/append-acl/abc.ttl', 'user2', 'text/turtle')
       request.head(options, function (error, response, body) {