From 18fe766866865f464e942e4dd30f93d144d2bfdd Mon Sep 17 00:00:00 2001 From: zhengxie Date: Fri, 14 Sep 2018 14:59:54 +0800 Subject: [PATCH] [api2] Fix download repo perm --- seahub/api2/views.py | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/seahub/api2/views.py b/seahub/api2/views.py index de5b1075b9..d04dbeba56 100644 --- a/seahub/api2/views.py +++ b/seahub/api2/views.py @@ -1404,10 +1404,16 @@ class DownloadRepo(APIView): error_msg = 'Library %s not found.' % repo_id return api_error(status.HTTP_404_NOT_FOUND, error_msg) - if not check_folder_permission(request, repo_id, '/'): + perm = check_folder_permission(request, repo_id, '/') + if not perm: return api_error(status.HTTP_403_FORBIDDEN, 'You do not have permission to access this library.') + username = request.user.username + if not seafile_api.is_repo_syncable(repo_id, username, perm): + return api_error(status.HTTP_403_FORBIDDEN, + 'unsyncable share permission') + return repo_download_info(request, repo_id) @@ -4825,27 +4831,14 @@ class RepoTokensView(APIView): if any([not _REPO_ID_PATTERN.match(repo_id) for repo_id in repos_id]): return api_error(status.HTTP_400_BAD_REQUEST, "Libraries ids are invalid") - username = request.user.username tokens = {} for repo_id in repos_id: repo = seafile_api.get_repo(repo_id) if not repo: continue - perm = check_folder_permission(request, repo.id, '/') - if not perm: - res = { - 'reason': 'no permission', - 'unsyncable_path': '/' - } - return Response(res, status=status.HTTP_403_FORBIDDEN) - - if not seafile_api.is_repo_syncable(repo_id, username, perm): - res = { - 'reason': 'unsyncable share permission', - 'unsyncable_path': '/' - } - return Response(res, status=status.HTTP_403_FORBIDDEN) + if not check_folder_permission(request, repo.id, '/'): + continue tokens[repo_id] = seafile_api.generate_repo_token(repo_id, request.user.username)