diff --git a/tests/acceptance/features/apiShareManagementBasic/createShare.feature b/tests/acceptance/features/apiShareManagementBasic/createShare.feature index 028e8eed4e97..ea119cd5c2ee 100644 --- a/tests/acceptance/features/apiShareManagementBasic/createShare.feature +++ b/tests/acceptance/features/apiShareManagementBasic/createShare.feature @@ -576,6 +576,125 @@ Feature: sharing | 1 | 404 | 200 | PARENT | 32 | | 2 | 404 | 404 | PARENT | 32 | + @issue-35922 + Scenario Outline: Cannot create a share of a file with a user with only create permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + When user "user0" creates a share using the sharing API with settings + | path | textfile0.txt | + | shareWith | user1 | + | shareType | user | + | permissions | create | + Then the OCS status code should be "" + And the HTTP status code should be "" + # delete the following step when the issue is fixed. The share should not be created at all. + And the fields of the last response should include + | share_with | user1 | + | share_type | user | + | file_target | /textfile0.txt | + | path | /textfile0.txt | + | permissions | 0 | + And as "user1" entry "textfile0.txt" should not exist + Examples: + | ocs_api_version | ocs_status_code | http_status_code | + | 1 | 100 | 200 | + | 2 | 200 | 200 | + #| 1 | 400 | 200 | + #| 2 | 400 | 400 | + + @issue-35922 + Scenario Outline: Cannot create a share of a file with a user with only (create,)delete permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + When user "user0" creates a share using the sharing API with settings + | path | textfile0.txt | + | shareWith | user1 | + | shareType | user | + | permissions | | + Then the OCS status code should be "" + And the HTTP status code should be "" + # delete the following step when the issue is fixed. The share should not be created at all. + And the fields of the last response should include + | share_with | user1 | + | share_type | user | + | file_target | /textfile0.txt | + | path | /textfile0.txt | + | permissions | 1 | + # because the share got created wrongly with read permission, the file exists for the sharee + And as "user1" entry "textfile0.txt" should exist + #And as "user1" entry "textfile0.txt" should not exist + Examples: + | ocs_api_version | ocs_status_code | http_status_code | permissions | + | 1 | 100 | 200 | delete | + | 2 | 200 | 200 | delete | + | 1 | 100 | 200 | create,delete | + | 2 | 200 | 200 | create,delete | + #| 1 | 404 | 200 | delete | + #| 2 | 404 | 404 | delete | + #| 1 | 404 | 200 | create,delete | + #| 2 | 404 | 404 | create,delete | + @issue-35922 + Scenario Outline: Cannot create a share of a file with a group with only create permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + And group "grp1" has been created + And user "user1" has been added to group "grp1" + When user "user0" creates a share using the sharing API with settings + | path | textfile0.txt | + | shareWith | grp1 | + | shareType | group | + | permissions | create | + Then the OCS status code should be "" + And the HTTP status code should be "" + # delete the following step when the issue is fixed. The share should not be created at all. + And the fields of the last response should include + | share_with | grp1 | + | share_type | group | + | file_target | /textfile0.txt | + | path | /textfile0.txt | + | permissions | 0 | + And as "user1" entry "textfile0.txt" should not exist + Examples: + | ocs_api_version | ocs_status_code | http_status_code | + | 1 | 100 | 200 | + | 2 | 200 | 200 | + #| 1 | 400 | 200 | + #| 2 | 400 | 400 | + + @issue-35922 + Scenario Outline: Cannot create a share of a file with a group with only (create,)delete permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + And group "grp1" has been created + And user "user1" has been added to group "grp1" + When user "user0" creates a share using the sharing API with settings + | path | textfile0.txt | + | shareWith | grp1 | + | shareType | group | + | permissions | | + Then the OCS status code should be "" + And the HTTP status code should be "" + # delete the following step when the issue is fixed. The share should not be created at all. + And the fields of the last response should include + | share_with | grp1 | + | share_type | group | + | file_target | /textfile0.txt | + | path | /textfile0.txt | + | permissions | 1 | + # because the share got created wrongly with read permission, the file exists for the sharee + And as "user1" entry "textfile0.txt" should exist + #And as "user1" entry "textfile0.txt" should not exist + Examples: + | ocs_api_version | ocs_status_code | http_status_code | permissions | + | 1 | 100 | 200 | delete | + | 2 | 200 | 200 | delete | + | 1 | 100 | 200 | create,delete | + | 2 | 200 | 200 | create,delete | + #| 1 | 404 | 200 | delete | + #| 2 | 404 | 404 | delete | + #| 1 | 404 | 200 | create,delete | + #| 2 | 404 | 404 | create,delete | + Scenario Outline: user who is excluded from sharing tries to share a file with another user Given using OCS API version "" And user "user1" has been created with default attributes and skeleton files diff --git a/tests/acceptance/features/apiShareUpdate/updateShare.feature b/tests/acceptance/features/apiShareUpdate/updateShare.feature index 28c82dfba914..581e0fdb96dd 100644 --- a/tests/acceptance/features/apiShareUpdate/updateShare.feature +++ b/tests/acceptance/features/apiShareUpdate/updateShare.feature @@ -309,6 +309,46 @@ Feature: sharing | 1 | 200 | | 2 | 400 | + Scenario Outline: Cannot update a share of a file with a user to have only create and/or delete permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + And user "user0" has shared file "textfile0.txt" with user "user1" + When user "user0" updates the last share using the sharing API with + | permissions | | + Then the OCS status code should be "400" + And the HTTP status code should be "" + # user1 should still have at least read access to the shared file + And as "user1" entry "textfile0.txt" should exist + Examples: + | ocs_api_version | http_status_code | permissions | + | 1 | 200 | create | + | 2 | 400 | create | + | 1 | 200 | delete | + | 2 | 400 | delete | + | 1 | 200 | create,delete | + | 2 | 400 | create,delete | + + Scenario Outline: Cannot update a share of a file with a group to have only create and/or delete permission + Given using OCS API version "" + And user "user1" has been created with default attributes and without skeleton files + And group "grp1" has been created + And user "user1" has been added to group "grp1" + And user "user0" has shared file "textfile0.txt" with group "grp1" + When user "user0" updates the last share using the sharing API with + | permissions | | + Then the OCS status code should be "400" + And the HTTP status code should be "" + # user1 in grp1 should still have at least read access to the shared file + And as "user1" entry "textfile0.txt" should exist + Examples: + | ocs_api_version | http_status_code | permissions | + | 1 | 200 | create | + | 2 | 400 | create | + | 1 | 200 | delete | + | 2 | 400 | delete | + | 1 | 200 | create,delete | + | 2 | 400 | create,delete | + Scenario: Share ownership change after moving a shared file outside of an outer share Given these users have been created with default attributes and without skeleton files: | username |