403 Forbidden returned if the permission error occurred on listing re…
…quested folder

Related: aio-libs#921
Alexander Koshevoy authored and Alexander Koshevoy committed Aug 18, 2016
1 parent ed66eeb commit e378062
Showing 2 changed files with 36 additions and 1 deletion.
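--- a/aiohttp/web_urldispatcher.py
+++ b/aiohttp/web_urldispatcher.py
@@ -495,7 +495,10 @@ def handle(self, request):
 # on opening a dir, load it's contents if allowed
 if filepath.is_dir():
 if self._show_index:
-ret = Response(text=self._directory_as_html(filepath))
+try:
+ret = Response(text=self._directory_as_html(filepath))
+except PermissionError:
+raise HTTPForbidden()
 else:
 raise HTTPForbidden()
 elif filepath.is_file():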
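Review bot: The new `except PermissionError:` branch discards the exception without recording it, so a directory the server account cannot read produces a 403 for the client and leaves no trace for the operator. Binding and logging it keeps the response unchanged while making the misconfiguration visible: `except PermissionError as error:`, then `request.app.logger.warning('cannot list %r: %s', filepath, error)` and `raise HTTPForbidden() from error`. Other `OSError` subclasses raised while listing, for example when the directory disappears between `is_dir()` and the listing, are not caught here and would presumably surface as a server error; confirm that is intended. `handle` begins and ends outside this hunk.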
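--- a/tests/test_web_urldispatcher.py
+++ b/tests/test_web_urldispatcher.py
@@ -11,6 +11,9 @@
 from aiohttp.web import HTTPCreated, Response
 from aiohttp.web_urldispatcher import PlainRoute, SystemRoute, UrlDispatcher
 
+from unittest import mock
+from unittest.mock import MagicMock
+
 
 @pytest.fixture(scope='function')
 def tmp_dir_path(request):
@@ -91,6 +94,35 @@ def test_access_non_existing_resource(tmp_dir_path, create_app_and_client):
 yield from r.release()
 
 
+@pytest.mark.run_loop
+def test_unauthorized_folder_access(tmp_dir_path, create_app_and_client):
+"""
+Tests the unauthorized access to a folder of static file server.
+Try to list a folder content of static file server when server does not
+have permissions to do so for the folder.
+"""
+my_dir_path = os.path.join(tmp_dir_path, 'my_dir')
+os.mkdir(my_dir_path)
+
+app, client = yield from create_app_and_client()
+
+with mock.patch('pathlib.Path.__new__') as path_constructor:
+path = MagicMock()
+path.joinpath.return_value = path
+path.resolve.return_value = path
+path.iterdir.return_value.__iter__.side_effect = PermissionError()
+path_constructor.return_value = path
+
+# Register global static route:
+app.router.add_static('/', tmp_dir_path, show_index=True)
+
+# Request the root of the static directory.
+r = yield from client.get('/my_dir')
+assert r.status == 403
+
+yield from r.release()
+
+
 @pytest.mark.run_loop
 def test_partialy_applied_handler(create_app_and_client):
 app, client = yield from create_app_and_client()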
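Review bot: The `mock.patch('pathlib.Path.__new__')` in `test_unauthorized_folder_access` swaps every `Path` constructed in the block for one `MagicMock`, so the 403 is asserted against an object whose `is_dir()` and `resolve()` answers are mocks rather than against a directory the process cannot read. A narrower patch such as `with mock.patch('pathlib.Path.iterdir', side_effect=PermissionError()):` would keep path resolution real while still forcing the listing to fail. That the listing goes through `iterdir` is inferred from the mock set-up here. The comment `# Request the root of the static directory.` does not match the request, which is for `/my_dir`; `# Request the sub-directory whose listing fails.` would be accurate.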
