diff --git a/seahub/api2/views.py b/seahub/api2/views.py
index fd8e0b8954..f79fbdf4ce 100644
--- a/seahub/api2/views.py
+++ b/seahub/api2/views.py
@@ -1062,7 +1062,7 @@ class UploadLinkView(APIView):
def get(self, request, repo_id, format=None):
parent_dir = request.GET.get('p', '/')
- if check_folder_permission(repo_id, parent_dir, request.user.username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if check_quota(repo_id) < 0:
@@ -1080,7 +1080,7 @@ class UpdateLinkView(APIView):
def get(self, request, repo_id, format=None):
parent_dir = request.GET.get('p', '/')
- if check_folder_permission(repo_id, parent_dir, request.user.username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if check_quota(repo_id) < 0:
@@ -1098,7 +1098,7 @@ class UploadBlksLinkView(APIView):
def get(self, request, repo_id, format=None):
parent_dir = request.GET.get('p', '/')
- if check_folder_permission(repo_id, parent_dir, request.user.username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if check_quota(repo_id) < 0:
@@ -1116,7 +1116,7 @@ class UpdateBlksLinkView(APIView):
def get(self, request, repo_id, format=None):
parent_dir = request.GET.get('p', '/')
- if check_folder_permission(repo_id, parent_dir, request.user.username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if check_quota(repo_id) < 0:
@@ -1381,7 +1381,7 @@ class OpCopyView(APIView):
return api_error(status.HTTP_400_BAD_REQUEST,
'Missing argument.')
- if check_folder_permission(repo_id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
parent_dir = request.POST.get('p', '/')
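Review bot: The permission check runs on `parent_dir` and the very next line rebinds `parent_dir` from `request.POST.get('p', '/')`, so the folder that was authorized and the folder used afterwards come from different inputs. The earlier assignment and the later use are outside this hunk, so it is not visible whether the POST-supplied folder is checked anywhere. Giving the second value its own name, e.g. `dst_dir = request.POST.get('p', '/')`, and checking it explicitly with `check_folder_permission` against the destination library would make the authorization easy to audit.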
@@ -1517,7 +1517,7 @@ class FileView(APIView):
path = request.GET.get('p', '')
username = request.user.username
parent_dir = os.path.dirname(path)
- if check_folder_permission(repo_id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if not path or path[0] != '/':
@@ -1669,7 +1669,7 @@ class FileView(APIView):
return api_error(status.HTTP_400_BAD_REQUEST, 'Path is missing.')
parent_dir = os.path.dirname(path)
- if check_folder_permission(repo_id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
parent_dir_utf8 = os.path.dirname(path).encode('utf-8')
@@ -1747,7 +1747,7 @@ class FileRevert(APIView):
parent_dir = os.path.dirname(path)
username = request.uset.username
- if check_folder_permission(repo_id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
path = unquote(path.encode('utf-8'))
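Review bot: `username = request.uset.username` in the context line just above the changed check is a typo for `request.user` and would raise AttributeError on every call, before the permission check is reached. The new check no longer takes `username`, so either correct it to `username = request.user.username` or drop the line if nothing later in the method uses it. The rest of the method is outside this hunk.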
@@ -1919,7 +1919,7 @@ class DirView(APIView):
'You do not have permission to create folder.')
parent_dir = os.path.dirname(path)
- if check_folder_permission(repo_id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo_id, parent_dir) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
parent_dir_utf8 = parent_dir.encode('utf-8')
@@ -1944,7 +1944,7 @@ class DirView(APIView):
quote(new_dir_name_utf8)
return resp
elif operation.lower() == 'rename':
- if check_folder_permission(repo.id, path, username) != 'rw':
+ if check_folder_permission(request, repo.id, path) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if not is_repo_writable(repo.id, username):
@@ -1994,7 +1994,7 @@ class DirView(APIView):
if not path:
return api_error(status.HTTP_400_BAD_REQUEST, 'Path is missing.')
- if check_folder_permission(repo_id, path, username) != 'rw':
+ if check_folder_permission(request, repo_id, path) != 'rw':
return api_error(status.HTTP_403_FORBIDDEN, 'Forbid to access this folder.')
if path == '/': # Can not delete root path.
diff --git a/seahub/share/views.py b/seahub/share/views.py
index 7f0fbeeba0..4e612516e3 100644
--- a/seahub/share/views.py
+++ b/seahub/share/views.py
@@ -1260,7 +1260,7 @@ def get_shared_upload_link(request):
messages.error(request, _(u'Library does not exist'))
return HttpResponse(status=400, content_type=content_type)
- user_perm = check_folder_permission(repo.id, path, request.user.username)
+ user_perm = check_folder_permission(request, repo.id, path)
if user_perm == 'rw':
l = UploadLinkShare.objects.filter(repo_id=repo_id).filter(
diff --git a/seahub/templates/sysadmin/sys_list_system.html b/seahub/templates/sysadmin/sys_list_system.html
index a58d15b3fb..84358aab1b 100644
--- a/seahub/templates/sysadmin/sys_list_system.html
+++ b/seahub/templates/sysadmin/sys_list_system.html
@@ -26,7 +26,7 @@
{% for repo in repos %}
- {{ repo.props.name }} |
+ {{ repo.props.name }} |
{{ repo.id }} |
{{ repo.props.desc }} |
diff --git a/seahub/views/__init__.py b/seahub/views/__init__.py
index 679d5483f4..a172388e5d 100644
--- a/seahub/views/__init__.py
+++ b/seahub/views/__init__.py
@@ -99,13 +99,18 @@ def get_system_default_repo_id():
logger.error(e)
return None
-def check_folder_permission(repo_id, path, username):
- repo_owner = seafile_api.get_repo_owner(repo_id)
- if username == repo_owner:
- return 'rw'
+def check_folder_permission(request, repo_id, path):
+ """Check repo/folder access permission of a user, always return 'rw'
+ when repo is system repo and user is admin.
- if path != '/' and path.endswith('/'):
- path = path.rstrip('/')
+ Arguments:
+ - `request`:
+ - `repo_id`:
+ - `path`:
+ """
+ username = request.user.username
+ if get_system_default_repo_id() == repo_id and request.user.is_staff:
+ return 'rw'
return seafile_api.check_permission_by_path(repo_id, path, username)
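Review bot: The staff short-circuit `if get_system_default_repo_id() == repo_id and request.user.is_staff:` does not rule out a failed lookup: the helper's tail in the context lines returns None on error, so a staff request that arrives with a `repo_id` of None would be granted 'rw'. Bind the id once and require it to be set, e.g. `system_repo_id = get_system_default_repo_id()` followed by `if system_repo_id and system_repo_id == repo_id and request.user.is_staff:`. The commit also drops the trailing-slash normalisation of `path`; unless `seafile_api.check_permission_by_path` normalises it itself (not visible here), 'dir/' and 'dir' may match different folder rules. The `Arguments:` entries in the new docstring are empty and should state that `request.user` supplies the username and staff flag, and what `repo_id` and `path` refer to.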
@@ -185,6 +190,9 @@ def get_repo_dirents_with_perm(request, repo, commit, path, offset=-1, limit=-1)
to be pulled out to multiple functions.
"""
+ if get_system_default_repo_id() == repo.id:
+ return get_repo_dirents(request, repo, commit, path, offset, limit)
+
dir_list = []
file_list = []
dirent_more = False
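Review bot: The new early return for the system default library is not gated on `request.user.is_staff`, unlike the matching short-circuit in `check_folder_permission`, so every caller that reaches this function with that repo gets the unfiltered `get_repo_dirents` listing. If access to the system library is already restricted before this point (not visible in this hunk), a comment saying so would help; otherwise use `if get_system_default_repo_id() == repo.id and request.user.is_staff:`. The function body continues outside the hunk.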
@@ -1464,7 +1472,7 @@ def repo_revert_file(request, repo_id):
return render_error(request, _(u"Invalid arguments"))
# perm check
- if check_folder_permission(repo.id, path, request.user.username) != 'rw':
+ if check_folder_permission(request, repo.id, path) != 'rw':
next = request.META.get('HTTP_REFERER', None)
if not next:
next = settings.SITE_ROOT
@@ -1515,7 +1523,7 @@ def repo_revert_dir(request, repo_id):
return render_error(request, _(u"Invalid arguments"))
# perm check
- if check_folder_permission(repo.id, path, request.user.username) != 'rw':
+ if check_folder_permission(request, repo.id, path) != 'rw':
next = request.META.get('HTTP_REFERER', None)
if not next:
next = settings.SITE_ROOT
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index 3ed7881f1c..46e4c490ba 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -530,7 +530,7 @@ def new_dirent_common(func):
# permission checking
username = request.user.username
- if check_folder_permission(repo.id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo.id, parent_dir) != 'rw':
result['error'] = _('Permission denied')
return HttpResponse(json.dumps(result), status=403,
content_type=content_type)
@@ -628,14 +628,14 @@ def rename_dirent(request, repo_id):
full_path = os.path.join(parent_dir, oldname)
if seafile_api.get_dir_id_by_path(repo.id, full_path) is not None:
# when dirent is a dir, check current dir perm
- if check_folder_permission(repo.id, full_path, username) != 'rw':
+ if check_folder_permission(request, repo.id, full_path) != 'rw':
err_msg = _('Permission denied')
return HttpResponse(json.dumps({'error': err_msg}), status=403,
content_type=content_type)
if seafile_api.get_file_id_by_path(repo.id, full_path) is not None:
# when dirent is a file, check parent dir perm
- if check_folder_permission(repo.id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo.id, parent_dir) != 'rw':
err_msg = _('Permission denied')
return HttpResponse(json.dumps({'error': err_msg}), status=403,
content_type=content_type)
@@ -684,14 +684,14 @@ def delete_dirent(request, repo_id):
if seafile_api.get_dir_id_by_path(repo.id, full_path) is not None:
# when dirent is a dir, check current dir perm
- if check_folder_permission(repo.id, full_path, username) != 'rw':
+ if check_folder_permission(request, repo.id, full_path) != 'rw':
err_msg = _('Permission denied')
return HttpResponse(json.dumps({'error': err_msg}), status=403,
content_type=content_type)
if seafile_api.get_file_id_by_path(repo.id, full_path) is not None:
# when dirent is a file, check parent dir perm
- if check_folder_permission(repo.id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo.id, parent_dir) != 'rw':
err_msg = _('Permission denied')
return HttpResponse(json.dumps({'error': err_msg}), status=403,
content_type=content_type)
@@ -730,7 +730,7 @@ def delete_dirents(request, repo_id):
# permission checking
username = request.user.username
- if check_folder_permission(repo.id, parent_dir, username) != 'rw':
+ if check_folder_permission(request, repo.id, parent_dir) != 'rw':
err_msg = _(u'Permission denied.')
return HttpResponse(json.dumps({'error': err_msg}),
status=403, content_type=content_type)
@@ -748,70 +748,81 @@ def delete_dirents(request, repo_id):
return HttpResponse(json.dumps({'deleted': deleted, 'undeleted': undeleted}),
content_type=content_type)
-def copy_move_common(func):
+def copy_move_common():
"""Decorator for common logic in copying/moving dir/file.
"""
- def _decorated(request, repo_id, *args, **kwargs):
- if request.method != 'POST':
- raise Http404
+ def _method_wrapper(view_method):
+ def _arguments_wrapper(request, repo_id, *args, **kwargs):
+ if request.method != 'POST':
+ raise Http404
- result = {}
- content_type = 'application/json; charset=utf-8'
+ result = {}
+ content_type = 'application/json; charset=utf-8'
- repo = get_repo(repo_id)
- if not repo:
- result['error'] = _(u'Library does not exist.')
- return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
+ repo = get_repo(repo_id)
+ if not repo:
+ result['error'] = _(u'Library does not exist.')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- # arguments validation
- path = request.GET.get('path')
- obj_name = request.GET.get('obj_name')
- dst_repo_id = request.POST.get('dst_repo')
- dst_path = request.POST.get('dst_path')
+ # arguments validation
+ path = request.GET.get('path')
+ obj_name = request.GET.get('obj_name')
+ dst_repo_id = request.POST.get('dst_repo')
+ dst_path = request.POST.get('dst_path')
+ if not (path and obj_name and dst_repo_id and dst_path):
+ result['error'] = _('Argument missing')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- if not (path and obj_name and dst_repo_id and dst_path):
- result['error'] = _('Argument missing')
- return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
+ # check file path
+ if len(dst_path + obj_name) > settings.MAX_PATH:
+ result['error'] = _('Destination path is too long.')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- # permission checking
- username = request.user.username
- if check_folder_permission(repo.id, path, username) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
+ # return error when dst is the same as src
+ if repo_id == dst_repo_id and path == dst_path:
+ result['error'] = _('Invalid destination path')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- # check file path
- if len(dst_path+obj_name) > settings.MAX_PATH:
- result['error'] = _('Destination path is too long.')
- return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
+ # check whether user has write permission to dest repo
+ if check_folder_permission(request, dst_repo_id, dst_path) != 'rw':
+ result['error'] = _('Permission denied')
+ return HttpResponse(json.dumps(result), status=403,
+ content_type=content_type)
- # check whether user has write permission to dest repo
- if check_repo_access_permission(dst_repo_id, request.user) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
+ # Leave src folder/file permission checking to corresponding
+ # views, only need to check folder permission when perform 'move'
+ # operation, 1), if move file, check parent dir perm, 2), if move
+ # folder, check that folder perm.
- # do nothing when dst is the same as src
- if repo_id == dst_repo_id and path == dst_path:
- result['error'] = _('Invalid destination path')
- return HttpResponse(json.dumps(result), status=400, content_type=content_type)
- return func(repo_id, path, dst_repo_id, dst_path, obj_name, username)
- return _decorated
+ return view_method(request, repo_id, path, dst_repo_id, dst_path,
+ obj_name)
+
+ return _arguments_wrapper
+
+ return _method_wrapper
@login_required_ajax
-@copy_move_common
-def mv_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
+@copy_move_common()
+def mv_file(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_name):
result = {}
content_type = 'application/json; charset=utf-8'
+ username = request.user.username
+
+ # check parent dir perm
+ if check_folder_permission(request, src_repo_id, src_path) != 'rw':
+ result['error'] = _('Permission denied')
+ return HttpResponse(json.dumps(result), status=403,
+ content_type=content_type)
new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
-
try:
res = seafile_api.move_file(src_repo_id, src_path, obj_name,
- dst_repo_id, dst_path, new_obj_name, username, need_progress=1)
+ dst_repo_id, dst_path, new_obj_name,
+ username, need_progress=1)
except SearpcError, e:
res = None
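Review bot: With the source check removed from `_arguments_wrapper`, only the move views re-check the source; `cp_file`, `cp_dir` and `cp_dirents` in the later hunks perform no permission check on `src_repo_id`/`src_path` at all, so a copy is authorized by write access to the destination alone. Unless `seafile_api.copy_file` enforces read access for `username` itself (not visible here), each copy view should verify the source before calling it, e.g. `if not check_folder_permission(request, src_repo_id, src_path):` followed by the same 403 response, assuming the helper returns a falsy value when the user has no access. The comment in the wrapper would then say that a copy needs read permission on the source, not that no check is needed.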
@@ -830,16 +841,17 @@ def mv_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
return HttpResponse(json.dumps(result), content_type=content_type)
@login_required_ajax
-@copy_move_common
-def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
+@copy_move_common()
+def cp_file(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_name):
result = {}
content_type = 'application/json; charset=utf-8'
+ username = request.user.username
new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
-
try:
res = seafile_api.copy_file(src_repo_id, src_path, obj_name,
- dst_repo_id, dst_path, new_obj_name, username, need_progress=1)
+ dst_repo_id, dst_path, new_obj_name,
+ username, need_progress=1)
except SearpcError, e:
res = None
@@ -858,32 +870,30 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
return HttpResponse(json.dumps(result), content_type=content_type)
@login_required_ajax
-@copy_move_common
-def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
+@copy_move_common()
+def mv_dir(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_name):
result = {}
content_type = 'application/json; charset=utf-8'
+ username = request.user.username
src_dir = os.path.join(src_path, obj_name)
-
- # permission checking
- dst_repo_owner = seafile_api.get_repo_owner(dst_repo_id)
- if check_folder_permission(src_repo_id, src_dir, username) != 'rw' or \
- check_folder_permission(dst_repo_id, dst_path, dst_repo_owner) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
-
if dst_path.startswith(src_dir + '/'):
error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \
% {'src': escape(src_dir), 'des': escape(dst_path)}
result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
- new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
+ # check dir perm
+ if check_folder_permission(request, src_repo_id, src_dir) != 'rw':
+ result['error'] = _('Permission denied')
+ return HttpResponse(json.dumps(result), status=403,
+ content_type=content_type)
+ new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
try:
res = seafile_api.move_file(src_repo_id, src_path, obj_name,
- dst_repo_id, dst_path, new_obj_name, username, need_progress=1)
+ dst_repo_id, dst_path, new_obj_name,
+ username, need_progress=1)
except SearpcError, e:
res = None
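Review bot: The subdirectory guard `dst_path.startswith(src_dir + '/')` does not reject `dst_path == src_dir`, i.e. moving a directory into itself, while `cp_dir` uses the different test `dst_path.startswith(src_dir)`, which also rejects an unrelated destination that merely shares the name prefix. One shared condition, `dst_path == src_dir or dst_path.startswith(src_dir + '/')`, would make both views consistent. The function continues outside the hunk.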
@@ -902,18 +912,11 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
return HttpResponse(json.dumps(result), content_type=content_type)
@login_required_ajax
-@copy_move_common
-def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
+@copy_move_common()
+def cp_dir(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_name):
result = {}
content_type = 'application/json; charset=utf-8'
-
- # permission checking
- dst_repo_owner = seafile_api.get_repo_owner(dst_repo_id)
- if check_folder_permission(src_repo_id, src_path, username) != 'rw' or \
- check_folder_permission(dst_repo_id, dst_path, dst_repo_owner) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
+ username = request.user.username
src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir):
@@ -926,7 +929,8 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
try:
res = seafile_api.copy_file(src_repo_id, src_path, obj_name,
- dst_repo_id, dst_path, new_obj_name, username, need_progress=1)
+ dst_repo_id, dst_path, new_obj_name,
+ username, need_progress=1)
except SearpcError, e:
res = None
@@ -945,72 +949,84 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
return HttpResponse(json.dumps(result), content_type=content_type)
-def dirents_copy_move_common(func):
+def dirents_copy_move_common():
"""
- Decorator for common logic in copying/moving dirs/files.
+ Decorator for common logic in copying/moving dirs/files in batch.
"""
- def _decorated(request, repo_id, *args, **kwargs):
+ def _method_wrapper(view_method):
+ def _arguments_wrapper(request, repo_id, *args, **kwargs):
+ if request.method != 'POST':
+ raise Http404
- if request.method != 'POST':
- raise Http404
+ result = {}
+ content_type = 'application/json; charset=utf-8'
- result = {}
- content_type = 'application/json; charset=utf-8'
-
- repo = get_repo(repo_id)
- if not repo:
- result['error'] = _(u'Library does not exist.')
- return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
-
- # arguments validation
- parent_dir = request.GET.get('parent_dir')
- obj_file_names = request.POST.getlist('file_names')
- obj_dir_names = request.POST.getlist('dir_names')
- dst_repo_id = request.POST.get('dst_repo')
- dst_path = request.POST.get('dst_path')
-
- if not (parent_dir and dst_repo_id and dst_path) and not (obj_file_names or obj_dir_names):
- result['error'] = _('Argument missing')
- return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
-
- # permission checking
- username = request.user.username
- if check_folder_permission(repo.id, parent_dir, username) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
-
- # check file path
- for obj_name in obj_file_names + obj_dir_names:
- if len(dst_path+obj_name) > settings.MAX_PATH:
- result['error'] = _('Destination path is too long for %s.') % escape(obj_name)
+ repo = get_repo(repo_id)
+ if not repo:
+ result['error'] = _(u'Library does not exist.')
return HttpResponse(json.dumps(result), status=400,
- content_type=content_type)
+ content_type=content_type)
- # check whether user has write permission to dest repo
- if check_repo_access_permission(dst_repo_id, request.user) != 'rw':
- result['error'] = _('Permission denied')
- return HttpResponse(json.dumps(result), status=403,
- content_type=content_type)
+ # arguments validation
+ parent_dir = request.GET.get('parent_dir')
+ obj_file_names = request.POST.getlist('file_names')
+ obj_dir_names = request.POST.getlist('dir_names')
+ dst_repo_id = request.POST.get('dst_repo')
+ dst_path = request.POST.get('dst_path')
+ if not (parent_dir and dst_repo_id and dst_path) and \
+ not (obj_file_names or obj_dir_names):
+ result['error'] = _('Argument missing')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- # when dst is the same as src
- if repo_id == dst_repo_id and parent_dir == dst_path:
- result['error'] = _('Invalid destination path')
- return HttpResponse(json.dumps(result), status=400, content_type=content_type)
+ # check file path
+ for obj_name in obj_file_names + obj_dir_names:
+ if len(dst_path+obj_name) > settings.MAX_PATH:
+ result['error'] = _('Destination path is too long for %s.') % escape(obj_name)
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
- return func(repo_id, parent_dir, dst_repo_id, dst_path, obj_file_names, obj_dir_names, username)
- return _decorated
+ # when dst is the same as src
+ if repo_id == dst_repo_id and parent_dir == dst_path:
+ result['error'] = _('Invalid destination path')
+ return HttpResponse(json.dumps(result), status=400,
+ content_type=content_type)
+
+ # check whether user has write permission to dest repo
+ if check_folder_permission(request, dst_repo_id, dst_path) != 'rw':
+ result['error'] = _('Permission denied')
+ return HttpResponse(json.dumps(result), status=403,
+ content_type=content_type)
+
+ # Leave src folder/file permission checking to corresponding
+ # views, only need to check folder permission when perform 'move'
+ # operation, 1), if move file, check parent dir perm, 2), if move
+ # folder, check that folder perm.
+
+ return view_method(request, repo_id, parent_dir, dst_repo_id,
+ dst_path, obj_file_names, obj_dir_names)
+
+ return _arguments_wrapper
+
+ return _method_wrapper
@login_required_ajax
-@dirents_copy_move_common
-def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj_dir_names, username):
+@dirents_copy_move_common()
+def mv_dirents(request, src_repo_id, src_path, dst_repo_id, dst_path,
+ obj_file_names, obj_dir_names):
result = {}
content_type = 'application/json; charset=utf-8'
+ username = request.user.username
failed = []
+ allowed_files = []
allowed_dirs = []
- dst_repo_owner = seafile_api.get_repo_owner(dst_repo_id)
+
+ # check parent dir perm for files
+ if check_folder_permission(request, src_repo_id, src_path) != 'rw':
+ allowed_files = []
+ failed += obj_file_names
+ else:
+ allowed_files = obj_file_names
for obj_name in obj_dir_names:
src_dir = os.path.join(src_path, obj_name)
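Review bot: The 'Argument missing' test in `_arguments_wrapper` joins its two halves with `and`, so it only fires when a location argument is missing and both name lists are empty. A request that has `file_names` but no `dst_path` passes validation and then fails in `len(dst_path+obj_name)` with a TypeError instead of a 400. It should read `if not (parent_dir and dst_repo_id and dst_path) or not (obj_file_names or obj_dir_names):`. In `mv_dirents`, `allowed_files = []` is assigned twice; the assignment inside the `if` branch can be removed. `mv_dirents` continues outside the hunk.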
@@ -1020,17 +1036,15 @@ def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
- # permission checking
- if check_folder_permission(src_repo_id, obj_name, username) != 'rw' or \
- check_folder_permission(dst_repo_id, dst_path, dst_repo_owner) != 'rw':
+ # check every folder perm
+ if check_folder_permission(request, src_repo_id, src_dir) != 'rw':
failed.append(obj_name)
else:
allowed_dirs.append(obj_name)
success = []
url = None
-
- for obj_name in obj_file_names + allowed_dirs:
+ for obj_name in allowed_files + allowed_dirs:
new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
try:
res = seafile_api.move_file(src_repo_id, src_path, obj_name,
@@ -1050,15 +1064,11 @@ def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
return HttpResponse(json.dumps(result), content_type=content_type)
@login_required_ajax
-@dirents_copy_move_common
+@dirents_copy_move_common()
def cp_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj_dir_names, username):
result = {}
content_type = 'application/json; charset=utf-8'
- failed = []
- allowed_dirs = []
- dst_repo_owner = seafile_api.get_repo_owner(dst_repo_id)
-
for obj_name in obj_dir_names:
src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir):
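Review bot: `cp_dirents` keeps its old signature `(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj_dir_names, username)` while the rewritten `dirents_copy_move_common()` now calls `view_method(request, repo_id, parent_dir, dst_repo_id, dst_path, obj_file_names, obj_dir_names)`. Both have seven positions, so the call does not fail but every argument is shifted by one: `src_repo_id` receives the request object and `username` receives the list of directory names. The signature should match `mv_dirents`, `def cp_dirents(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj_dir_names):`, with `username = request.user.username` in the body.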
@@ -1067,17 +1077,10 @@ def cp_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
- # permission checking
- if check_folder_permission(src_repo_id, obj_name, username) != 'rw' or \
- check_folder_permission(dst_repo_id, dst_path, dst_repo_owner) != 'rw':
- failed.append(obj_name)
- else:
- allowed_dirs.append(obj_name)
-
+ failed = []
success = []
url = None
-
- for obj_name in obj_file_names + allowed_dirs:
+ for obj_name in obj_file_names:
new_obj_name = check_filename_with_rename(dst_repo_id, dst_path, obj_name)
try:
res = seafile_api.copy_file(src_repo_id, src_path, obj_name,
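Review bot: The copy loop now iterates `obj_file_names` only, so the entries in `obj_dir_names` go through the subdirectory check above but are never copied and never reported in `failed`. If the intent was only to drop the per-directory permission filter, the loop should still cover both lists: `for obj_name in obj_file_names + obj_dir_names:`. The function continues outside the hunk.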
@@ -1793,7 +1796,7 @@ def get_file_op_url(request, repo_id):
username = request.user.username
# permission checking
- if check_folder_permission(repo.id, path, username) != 'rw':
+ if check_folder_permission(request, repo.id, path) != 'rw':
err_msg = _(u'Permission denied')
return HttpResponse(json.dumps({"error": err_msg}), status=403,
content_type=content_type)
diff --git a/seahub/views/file.py b/seahub/views/file.py
index 7c905f4c87..8460467a1f 100644
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -993,7 +993,7 @@ def file_edit(request, repo_id):
filename = urllib2.quote(u_filename.encode('utf-8'))
parent_dir = os.path.dirname(path)
- if check_folder_permission(repo.id, parent_dir, request.user.username) != 'rw':
+ if check_folder_permission(request, repo.id, parent_dir) != 'rw':
return render_permission_error(request, _(u'Unable to edit file'))
head_id = repo.head_cmmt_id
diff --git a/seahub/views/repo.py b/seahub/views/repo.py
index 4e09c2652f..e9d0769911 100644
--- a/seahub/views/repo.py
+++ b/seahub/views/repo.py
@@ -24,7 +24,8 @@ from seahub.share.models import FileShare, UploadLinkShare, \
check_share_link_access, set_share_link_access
from seahub.share.forms import SharedLinkPasswordForm
from seahub.views import gen_path_link, get_repo_dirents, \
- check_repo_access_permission, get_repo_dirents_with_perm
+ check_repo_access_permission, get_repo_dirents_with_perm, \
+ get_system_default_repo_id
from seahub.utils import gen_file_upload_url, is_org_context, \
get_fileserver_root, gen_dir_share_link, gen_shared_upload_link, \
@@ -221,10 +222,9 @@ def render_repo(request, repo):
else:
show_repo_settings = False
+ file_list, dir_list, dirent_more = get_repo_dirents_with_perm(
+ request, repo, head_commit, path, offset=0, limit=100)
more_start = None
- file_list, dir_list, dirent_more = get_repo_dirents_with_perm(request, repo,
- head_commit, path,
- offset=0, limit=100)
if dirent_more:
more_start = 100
zipped = get_nav_path(path, repo.name)