Stor: Upload into non-existing parents possible

[killua-eu]

Setup

HOST="https://10.146.149.150"
EMAIL="[email protected]"
PASS="[email protected]"
TOKEN=`curl -s -XPOST ${HOST}/api/core/v1/auth/signin -d "email=${EMAIL}&password=${PASS}" -k | jq -r .token`

Test

curl -k -H "Authorization: Bearer ${TOKEN}" -F 'actual_dir=APATHTHATDOESNTEXIST/5' -F 'upload_type=general' -F 'file[]=@./file1.txt' -F 'file[]=@./file2.txt' ... ${HOST}/api/stor/v1/upload

returns 500, should return 400

curl -k -H "Authorization: Bearer ${TOKEN}" -F 'actual_dir=worklog/-15' -F 'upload_type=general' -F 'file[]=@./file1.txt' -F 'file[]=@./file2.txt' ... ${HOST}/api/stor/v1/upload

allows invalid values such as -15 after the slash. only existing parents should go. again returning 400 seems nice + checking needs to be written. as of current, its completely missing.

omitting -F 'actual_dir=something/somethingelse' should respond with 400, responds with 500.

[killua-eu]

On the other hand

curl -k -H "Authorization: Bearer ${TOKEN}" -F 'actual_dir=worklog/' -F 'upload_type=general' -F 'file[]=@./file1.txt' -F 'file[]=@./file2.txt' ... ${HOST}/api/stor/v1/upload

meaning

• c_inherit_object = null
• c_inherit_table = worklog

should be generally possible. maybe we can restrict nullable objects to only some tables or require the rbac domain in such cases.

Content of this comment was fixed, null on object now allowed/supported.