From 70c16bb1b562dcfb55f5f3d9de2f9efd2f3d8725 Mon Sep 17 00:00:00 2001
From: Richard Hansen <rhansen@rhansen.org>
Date: Wed, 15 Sep 2021 05:05:56 -0400
Subject: [PATCH] tests: Check import of export of read-only pad ID

---
 .../backend/specs/api/importexportGetPost.js  | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/tests/backend/specs/api/importexportGetPost.js b/src/tests/backend/specs/api/importexportGetPost.js
index 9dd4defc8..584341cc0 100644
--- a/src/tests/backend/specs/api/importexportGetPost.js
+++ b/src/tests/backend/specs/api/importexportGetPost.js
@@ -151,6 +151,28 @@ describe(__filename, function () {
               it('writable pad ID is not leaked', async function () {
                 assert(!text.includes(testPadId));
               });
+
+              it('re-import to read-only pad ID gives 403 forbidden', async function () {
+                let req = agent.post(`/p/${readOnlyId}/import`)
+                    .attach('file', Buffer.from(text), {
+                      filename: `/test.${exportType}`,
+                      contentType: 'text/plain',
+                    });
+                if (authn) req = req.auth('user', 'user-password');
+                await req.expect(403);
+              });
+
+              it('re-import to read-write pad ID gives 200 OK', async function () {
+                // The new pad ID must differ from testPadId because Etherpad refuses to import
+                // .etherpad files on top of a pad that already has edits.
+                let req = agent.post(`/p/${testPadId}_import/import`)
+                    .attach('file', Buffer.from(text), {
+                      filename: `/test.${exportType}`,
+                      contentType: 'text/plain',
+                    });
+                if (authn) req = req.auth('user', 'user-password');
+                await req.expect(200);
+              });
             });
           }
         });