blob: 0d2cefa8b809638becf60530a711273c2be82db5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
Feature: sharing
Background:
Given using api version "1"
Scenario: moving a file old way
Given using dav path "remote.php/webdav"
And As an "admin"
And user "user0" exists
When User "user0" moves file "/textfile0.txt" to "/FOLDER/textfile0.txt"
Then the HTTP status code should be "201"
Scenario: download a file with range
Given using dav path "remote.php/webdav"
And As an "admin"
When Downloading file "/welcome.txt" with range "bytes=51-77"
Then Downloaded content should be "example file for developers"
Scenario: Upload forbidden if quota is 0
Given using dav path "remote.php/webdav"
And As an "admin"
And user "user0" exists
And user "user0" has a quota of "0"
When User "user0" uploads file "data/textfile.txt" to "/asdf.txt"
Then the HTTP status code should be "507"
Scenario: download a public shared file with range
Given user "user0" exists
And As an "user0"
When creating a share with
| path | welcome.txt |
| shareType | 3 |
And Downloading last public shared file with range "bytes=51-77"
Then Downloaded content should be "example file for developers"
Scenario: Downloading a file on the old endpoint should serve security headers
Given using dav path "remote.php/webdav"
And As an "admin"
When Downloading file "/welcome.txt"
Then The following headers should be set
|Content-Disposition|attachment|
|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
|X-Content-Type-Options |nosniff|
|X-Download-Options|noopen|
|X-Frame-Options|Sameorigin|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|none|
|X-XSS-Protection|1; mode=block|
And Downloaded content should start with "Welcome to your ownCloud account!"
Scenario: Downloading a file on the new endpoint should serve security headers
Given using dav path "remote.php/dav/files/admin/"
And As an "admin"
When Downloading file "/welcome.txt"
Then The following headers should be set
|Content-Disposition|attachment|
|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
|X-Content-Type-Options |nosniff|
|X-Download-Options|noopen|
|X-Frame-Options|Sameorigin|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|none|
|X-XSS-Protection|1; mode=block|
And Downloaded content should start with "Welcome to your ownCloud account!"
Scenario: Doing a GET with a web login should work without CSRF token on the nwe backend
Given Logging in using web as "admin"
When Sending a "GET" to "/remote.php/dav/files/admin/welcome.txt" without requesttoken
Then Downloaded content should start with "Welcome to your ownCloud account!"
Then the HTTP status code should be "200"
Scenario: Doing a GET with a web login should work with CSRF token on the new backend
Given Logging in using web as "admin"
When Sending a "GET" to "/remote.php/dav/files/admin/welcome.txt" with requesttoken
Then Downloaded content should start with "Welcome to your ownCloud account!"
Then the HTTP status code should be "200"
Scenario: Doing a PROPFIND with a web login should not work without CSRF token on the new backend
Given Logging in using web as "admin"
When Sending a "PROPFIND" to "/remote.php/dav/files/admin/welcome.txt" without requesttoken
Then the HTTP status code should be "401"
Scenario: Doing a PROPFIND with a web login should work with CSRF token on the new backend
Given Logging in using web as "admin"
When Sending a "PROPFIND" to "/remote.php/dav/files/admin/welcome.txt" with requesttoken
Then the HTTP status code should be "207"
Scenario: Doing a GET with a web login should work without CSRF token on the old backend
Given Logging in using web as "admin"
When Sending a "GET" to "/remote.php/webdav/welcome.txt" without requesttoken
Then Downloaded content should start with "Welcome to your ownCloud account!"
Then the HTTP status code should be "200"
Scenario: Doing a GET with a web login should work with CSRF token on the old backend
Given Logging in using web as "admin"
When Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
Then Downloaded content should start with "Welcome to your ownCloud account!"
Then the HTTP status code should be "200"
Scenario: Doing a PROPFIND with a web login should not work without CSRF token on the old backend
Given Logging in using web as "admin"
When Sending a "PROPFIND" to "/remote.php/webdav/welcome.txt" without requesttoken
Then the HTTP status code should be "401"
Scenario: Doing a PROPFIND with a web login should work with CSRF token on the old backend
Given Logging in using web as "admin"
When Sending a "PROPFIND" to "/remote.php/webdav/welcome.txt" with requesttoken
Then the HTTP status code should be "207"
|
