haiwen/seafile-server
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-server.git synced 2025-09-05 17:30:01 +00:00
Code Issues Releases Wiki Activity

Go add permission check (#528)

Browse Source
This commit is contained in:
feiniks
2021-12-14 17:38:03 +08:00
committed by GitHub
parent 6776e30631
commit f588d926de
1 changed files with 41 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
fileserver/sync_api.go
View File

@@ -178,7 +178,11 @@ func getBlockMapCB(rsp http.ResponseWriter, r *http.Request) *appError {
repoID := vars["repoid"] repoID := vars["repoid"]
fileID := vars["id"] fileID := vars["id"]
_, appErr := validateToken(r, repoID, false) user, appErr := validateToken(r, repoID, false)
if appErr != nil {
return appErr
}
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil { if appErr != nil {
return appErr return appErr
} }
@@ -405,7 +409,11 @@ func postCheckExistCB(rsp http.ResponseWriter, r *http.Request, existType checkE
vars := mux.Vars(r) vars := mux.Vars(r)
repoID := vars["repoid"] repoID := vars["repoid"]
_, appErr := validateToken(r, repoID, false) user, appErr := validateToken(r, repoID, false)
if appErr != nil {
return appErr
}
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil { if appErr != nil {
return appErr return appErr
} }
@@ -458,7 +466,11 @@ func packFSCB(rsp http.ResponseWriter, r *http.Request) *appError {
vars := mux.Vars(r) vars := mux.Vars(r)
repoID := vars["repoid"] repoID := vars["repoid"]
_, appErr := validateToken(r, repoID, false) user, appErr := validateToken(r, repoID, false)
if appErr != nil {
return appErr
}
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil { if appErr != nil {
return appErr return appErr
} }
@@ -628,8 +640,13 @@ func getFsObjIDCB(rsp http.ResponseWriter, r *http.Request) *appError {
vars := mux.Vars(r) vars := mux.Vars(r)
repoID := vars["repoid"] repoID := vars["repoid"]
if _, err := validateToken(r, repoID, false); err != nil { user, appErr := validateToken(r, repoID, false)
return err if appErr != nil {
return appErr
}
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil {
return appErr
} }
repo := repomgr.Get(repoID) repo := repomgr.Get(repoID)
if repo == nil { if repo == nil {
@@ -730,6 +747,11 @@ func getBlockInfo(rsp http.ResponseWriter, r *http.Request) *appError {
return appErr return appErr
} }
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil {
return appErr
}
storeID, err := getRepoStoreID(repoID) storeID, err := getRepoStoreID(repoID)
if err != nil { if err != nil {
err := fmt.Errorf("Failed to get repo store id by repo id %s: %v", repoID, err) err := fmt.Errorf("Failed to get repo store id by repo id %s: %v", repoID, err)
@@ -854,8 +876,13 @@ func getCommitInfo(rsp http.ResponseWriter, r *http.Request) *appError {
vars := mux.Vars(r) vars := mux.Vars(r)
repoID := vars["repoid"] repoID := vars["repoid"]
commitID := vars["id"] commitID := vars["id"]
if _, err := validateToken(r, repoID, false); err != nil { user, appErr := validateToken(r, repoID, false)
return err if appErr != nil {
return appErr
}
appErr = checkPermission(repoID, user, "download", false)
if appErr != nil {
return appErr
} }
if exists, _ := commitmgr.Exists(repoID, commitID); !exists { if exists, _ := commitmgr.Exists(repoID, commitID); !exists {
log.Printf("%s:%s is missing", repoID, commitID) log.Printf("%s:%s is missing", repoID, commitID)
@@ -987,17 +1014,16 @@ func getHeadCommit(rsp http.ResponseWriter, r *http.Request) *appError {
func checkPermission(repoID, user, op string, skipCache bool) *appError { func checkPermission(repoID, user, op string, skipCache bool) *appError {
var info *permInfo var info *permInfo
if !skipCache { if !skipCache {
if value, ok := permCache.Load(fmt.Sprintf("%s:%s", repoID, user)); ok { if value, ok := permCache.Load(fmt.Sprintf("%s:%s:%s", repoID, user, op)); ok {
info = value.(*permInfo) info = value.(*permInfo)
} }
} }
if info != nil { if info != nil {
if info.perm == "r" && op == "upload" {
return &appError{nil, "", http.StatusForbidden}
}
return nil return nil
} }
permCache.Delete(fmt.Sprintf("%s:%s:%s", repoID, user, op))
if op == "upload" { if op == "upload" {
status, err := repomgr.GetRepoStatus(repoID) status, err := repomgr.GetRepoStatus(repoID)
if err != nil { if err != nil {
@@ -1011,18 +1037,16 @@ func checkPermission(repoID, user, op string, skipCache bool) *appError {
perm := share.CheckPerm(repoID, user) perm := share.CheckPerm(repoID, user)
if perm != "" { if perm != "" {
info = new(permInfo)
info.perm = perm
info.expireTime = time.Now().Unix() + permExpireTime
permCache.Store(fmt.Sprintf("%s:%s", repoID, user), info)
if perm == "r" && op == "upload" { if perm == "r" && op == "upload" {
return &appError{nil, "", http.StatusForbidden} return &appError{nil, "", http.StatusForbidden}
} }
info = new(permInfo)
info.perm = perm
info.expireTime = time.Now().Unix() + permExpireTime
permCache.Store(fmt.Sprintf("%s:%s:%s", repoID, user, op), info)
return nil return nil
} }
permCache.Delete(fmt.Sprintf("%s:%s", repoID, user))
return &appError{nil, "", http.StatusForbidden} return &appError{nil, "", http.StatusForbidden}
} }