@@ -781,6 +781,52 @@ def perform_remove():
781781 # Clean up after ourselves
782782 perform_remove ()
783783
784+ def test_staging_ingestion_fails_to_modify_another_staging_user (self ):
785+ """The server should only allow modification of the staging_ingestion_user's files
786+ """
787+
788+ some_other_user = "[email protected] " 789+
790+ fh , temp_path = tempfile .mkstemp ()
791+
792+ original_text = "hello world!" .encode ("utf-8" )
793+
794+ with open (fh , "wb" ) as fp :
795+ fp .write (original_text )
796+
797+ def perform_put ():
798+ with self .connection (extra_params = {"uploads_base_path" : temp_path }) as conn :
799+ cursor = conn .cursor ()
800+ query = f"PUT '{ temp_path } ' INTO 'stage://tmp/{ some_other_user } /tmp/12/15/file1.csv' OVERWRITE"
801+ cursor .execute (query )
802+
803+ def perform_remove ():
804+ remove_query = (
805+ f"REMOVE 'stage://tmp/{ some_other_user } /tmp/12/15/file1.csv'"
806+ )
807+
808+ with self .connection (extra_params = {"uploads_base_path" : "/" }) as conn :
809+ cursor = conn .cursor ()
810+ cursor .execute (remove_query )
811+
812+ def perform_get ():
813+ with self .connection (extra_params = {"uploads_base_path" : temp_path }) as conn :
814+ cursor = conn .cursor ()
815+ query = f"GET 'stage://tmp/{ some_other_user } /tmp/11/15/file1.csv' TO '{ temp_path } '"
816+ cursor .execute (query )
817+
818+ # PUT should fail with permissions error
819+ with pytest .raises (sql .exc .ServerOperationError , match = "PERMISSION_DENIED" ):
820+ perform_put ()
821+
822+ # REMOVE should fail with permissions error
823+ with pytest .raises (sql .exc .ServerOperationError , match = "PERMISSION_DENIED" ):
824+ perform_remove ()
825+
826+ # GET should fail with permissions error
827+ with pytest .raises (sql .exc .ServerOperationError , match = "PERMISSION_DENIED" ):
828+ perform_get ()
829+
784830 def test_staging_ingestion_put_fails_if_absolute_localFile_not_in_uploads_base_path (self ):
785831 """
786832 This test confirms that uploads_base_path and target_file are resolved into absolute paths.
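Review bot: `perform_get` in the new test reads `stage://tmp/{some_other_user}/tmp/11/15/file1.csv`, while `perform_put` and `perform_remove` target `.../tmp/12/15/file1.csv`, so the three PERMISSION_DENIED assertions do not cover the same object. If the difference is not deliberate, use the `12/15` path in the GET query too, so that PUT, GET and REMOVE are denied against one and the same foreign-user path. Because the PUT is expected to be rejected, nothing ever exists at that path; the REMOVE and GET checks therefore only show that the server refuses before it looks the object up, which deserves a one-line comment such as `# no file exists for some_other_user; the server must deny before checking existence`. Separately, the file created by `tempfile.mkstemp()` is never deleted, so each run leaves a temp file behind; wrap the three assertions in `try: ... finally: os.remove(temp_path)` (assuming `os` is imported in this module, which the hunk does not show).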