From db5bf1f667930d1e207d852c00e7fa4861945c24 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Jan 11 2017 11:47:01 +0000
Subject: Prevent re-uploading a file with the same name


Fixes https://pagure.io/pagure/issue/1666

---

diff --git a/pagure/ui/repo.py b/pagure/ui/repo.py
index 7a8c023..6997e05 100644
--- a/pagure/ui/repo.py
+++ b/pagure/ui/repo.py
@@ -980,8 +980,15 @@ def new_release(repo, username=None, namespace=None):
                     repo.fullname)
                 if not os.path.exists(folder):
                     os.makedirs(folder)
-                filestream.save(os.path.join(folder, filename))
-                flask.flash('File "%s" uploaded' % filename)
+                dest = os.path.join(folder, filename)
+                if os.path.exists(dest):
+                    raise pagure.exceptions.PagureException(
+                        'This tarball has already been uploaded')
+                else:
+                    filestream.save(dest)
+                    flask.flash('File "%s" uploaded' % filename)
+            except pagure.exceptions.PagureException as err:
+                flask.flash(str(err), 'error')
             except Exception as err:  # pragma: no cover
                 APP.logger.exception(err)
                 flask.flash('Upload failed', 'error')
diff --git a/tests/test_pagure_flask_ui_repo.py b/tests/test_pagure_flask_ui_repo.py
index 5523497..e09b029 100644
--- a/tests/test_pagure_flask_ui_repo.py
+++ b/tests/test_pagure_flask_ui_repo.py
@@ -3031,6 +3031,17 @@ index 0000000..fb7093d
                 'uploaded\n                    </div>', output.data)
             self.assertIn('This project has not been tagged.', output.data)
 
+            # Try uploading the same file -- fails
+            with open(img, mode='rb') as stream:
+                data = {'filestream': stream, 'csrf_token': csrf_token}
+                output = self.app.post(
+                    '/test/upload/', data=data, follow_redirects=True)
+            self.assertEqual(output.status_code, 200)
+            self.assertIn(
+                '</button>\n                      This tarball has already '
+                'been uploaded', output.data)
+            self.assertIn('This project has not been tagged.', output.data)
+
     @patch('pagure.ui.repo.admin_session_timedout')
     def test_add_token(self, ast):
         """ Test the add_token endpoint. """
@@ -3083,7 +3094,7 @@ index 0000000..fb7093d
 
             data = {'csrf_token': csrf_token, 'acls': ['issue_create']}
 
-            # Upload successful
+            # New token created
             data = {'csrf_token': csrf_token, 'acls': ['issue_create']}
             output = self.app.post(
                 '/test/token/new/', data=data, follow_redirects=True)