haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-09-20 10:58:33 +00:00
Code Issues Releases Wiki Activity

[share] Add owner checking for private file share

Browse Source
This commit is contained in:
zhengxie
2015-10-14 17:01:28 +08:00
parent e24df0dddc
commit 1aa145e181
7 changed files with 68 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
seahub/share/models.py
View File

@@ -151,6 +151,9 @@ class FileShare(models.Model):
else: else:
return False return False
def is_owner(self, owner):
return owner == self.username
class OrgFileShareManager(models.Manager): class OrgFileShareManager(models.Manager):
def set_org_file_share(self, org_id, file_share): def set_org_file_share(self, org_id, file_share):
"""Set a share link as org share link. """Set a share link as org share link.
@@ -233,6 +236,9 @@ class UploadLinkShare(models.Model):
def is_encrypted(self): def is_encrypted(self):
return True if self.password is not None else False return True if self.password is not None else False
def is_owner(self, owner):
return owner == self.username
class PrivateFileDirShareManager(models.Manager): class PrivateFileDirShareManager(models.Manager):
def add_private_file_share(self, from_user, to_user, repo_id, path, perm): def add_private_file_share(self, from_user, to_user, repo_id, path, perm):
""" """

5
seahub/share/urls.py
View File

@@ -12,18 +12,13 @@ urlpatterns = patterns('',
url(r'^remove/$', repo_remove_share, name='repo_remove_share'), url(r'^remove/$', repo_remove_share, name='repo_remove_share'),
url(r'^link/get/$', get_shared_link, name='get_shared_link'), url(r'^link/get/$', get_shared_link, name='get_shared_link'),
url(r'^link/remove/$', remove_shared_link, name='remove_shared_link'),
url(r'^ajax/link/remove/$', ajax_remove_shared_link, name='ajax_remove_shared_link'), url(r'^ajax/link/remove/$', ajax_remove_shared_link, name='ajax_remove_shared_link'),
url(r'^link/send/$', send_shared_link, name='send_shared_link'), url(r'^link/send/$', send_shared_link, name='send_shared_link'),
url(r'^link/save/$', save_shared_link, name='save_shared_link'), url(r'^link/save/$', save_shared_link, name='save_shared_link'),
url(r'^upload_link/get/$', get_shared_upload_link, name='get_shared_upload_link'), url(r'^upload_link/get/$', get_shared_upload_link, name='get_shared_upload_link'),
url(r'^upload_link/remove/$', remove_shared_upload_link, name='remove_shared_upload_link'),
url(r'^ajax/upload_link/remove/$', ajax_remove_shared_upload_link, name='ajax_remove_shared_upload_link'), url(r'^ajax/upload_link/remove/$', ajax_remove_shared_upload_link, name='ajax_remove_shared_upload_link'),
url(r'^upload_link/send/$', send_shared_upload_link, name='send_shared_upload_link'), url(r'^upload_link/send/$', send_shared_upload_link, name='send_shared_upload_link'),
url(r'^permission_admin/$', share_permission_admin, name='share_permission_admin'), url(r'^permission_admin/$', share_permission_admin, name='share_permission_admin'),

71
seahub/share/views.py
View File

@@ -868,65 +868,36 @@ def get_shared_link(request):
data = json.dumps({'token': token, 'shared_link': shared_link}) data = json.dumps({'token': token, 'shared_link': shared_link})
return HttpResponse(data, status=200, content_type=content_type) return HttpResponse(data, status=200, content_type=content_type)
@login_required
def remove_shared_link(request):
"""
Handle request to remove file shared link.
"""
token = request.GET.get('t')
FileShare.objects.filter(token=token).delete()
next = request.META.get('HTTP_REFERER', None)
if not next:
next = reverse('share_admin')
messages.success(request, _(u'Removed successfully'))
return HttpResponseRedirect(next)
@login_required_ajax @login_required_ajax
def ajax_remove_shared_link(request): def ajax_remove_shared_link(request):
username = request.user.username
content_type = 'application/json; charset=utf-8' content_type = 'application/json; charset=utf-8'
result = {} result = {}
token = request.GET.get('t') token = request.GET.get('t')
if not token: if not token:
result = {'error': _(u"Argument missing")} result = {'error': _(u"Argument missing")}
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
try: try:
link = FileShare.objects.get(token=token) link = FileShare.objects.get(token=token)
link.delete() except FileShare.DoesNotExist:
result = {'success': True}
return HttpResponse(json.dumps(result), content_type=content_type)
except:
result = {'error': _(u"The link doesn't exist")} result = {'error': _(u"The link doesn't exist")}
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
if not link.is_owner(username):
result = {'error': _("Permission denied")}
return HttpResponse(json.dumps(result), status=403,
content_type=content_type)
@login_required link.delete()
def remove_shared_upload_link(request): result = {'success': True}
""" return HttpResponse(json.dumps(result), content_type=content_type)
Handle request to remove shared upload link.
"""
token = request.GET.get('t')
UploadLinkShare.objects.filter(token=token).delete()
next = request.META.get('HTTP_REFERER', None)
if not next:
next = reverse('share_admin')
messages.success(request, _(u'Removed successfully'))
return HttpResponseRedirect(next)
@login_required_ajax @login_required_ajax
def ajax_remove_shared_upload_link(request): def ajax_remove_shared_upload_link(request):
username = request.user.username
content_type = 'application/json; charset=utf-8' content_type = 'application/json; charset=utf-8'
result = {} result = {}
@@ -937,12 +908,17 @@ def ajax_remove_shared_upload_link(request):
try: try:
upload_link = UploadLinkShare.objects.get(token=token) upload_link = UploadLinkShare.objects.get(token=token)
except UploadLinkShare.DoesNotExist:
result = {'error': _(u"The link doesn't exist")}
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
if not upload_link.is_owner(username):
result = {'error': _("Permission denied")}
return HttpResponse(json.dumps(result), status=403,
content_type=content_type)
upload_link.delete() upload_link.delete()
result = {'success': True} result = {'success': True}
return HttpResponse(json.dumps(result), content_type=content_type) return HttpResponse(json.dumps(result), content_type=content_type)
except:
result = {'error': _(u"The link doesn't exist")}
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
@login_required_ajax @login_required_ajax
@@ -1075,6 +1051,14 @@ def gen_private_file_share(request, repo_id):
file_or_dir = os.path.basename(path.rstrip('/')) file_or_dir = os.path.basename(path.rstrip('/'))
username = request.user.username username = request.user.username
next = request.META.get('HTTP_REFERER', None)
if not next:
next = SITE_ROOT
if not check_folder_permission(request, repo_id, file_or_dir):
messages.error(request, _('Permission denied'))
return HttpResponseRedirect(next)
for email in [e.strip() for e in emails if e.strip()]: for email in [e.strip() for e in emails if e.strip()]:
if not is_valid_username(email): if not is_valid_username(email):
continue continue
@@ -1096,9 +1080,6 @@ def gen_private_file_share(request, repo_id):
share_file_to_user_successful.send(sender=None, priv_share_obj=pfds) share_file_to_user_successful.send(sender=None, priv_share_obj=pfds)
messages.success(request, _('Successfully shared %s.') % file_or_dir) messages.success(request, _('Successfully shared %s.') % file_or_dir)
next = request.META.get('HTTP_REFERER', None)
if not next:
next = SITE_ROOT
return HttpResponseRedirect(next) return HttpResponseRedirect(next)
@login_required @login_required

2
seahub/templates/sysadmin/sys_publink_admin.html
View File

@@ -22,7 +22,7 @@
<td>{{ publink.ctime|translate_seahub_time }} </td> <td>{{ publink.ctime|translate_seahub_time }} </td>
<td>{{ publink.view_cnt }}</td> <td>{{ publink.view_cnt }}</td>
<td> <td>
<a class="op-icon vh" href="{% url 'remove_shared_link' %}?t={{ publink.token }}" title="{% trans "Remove" %}"> <a class="op-icon vh" href="{% url 'sys_publink_remove' %}?t={{ publink.token }}" title="{% trans "Remove" %}">
<img src="{{MEDIA_URL}}img/rm.png" alt="" /> <img src="{{MEDIA_URL}}img/rm.png" alt="" />
</a> </a>
</td> </td>

4
seahub/templates/sysadmin/userinfo.html
View File

@@ -161,7 +161,7 @@
<td>{% trans "Download" %}</td> <td>{% trans "Download" %}</td>
<td>{{ link.view_cnt }}</td> <td>{{ link.view_cnt }}</td>
<td> <td>
<a class="op vh" href="{% url 'remove_shared_link' %}?t={{ link.token }}">{% trans "Remove"%}</a> <a class="op vh" href="{% url 'sys_publink_remove' %}?t={{ link.token }}">{% trans "Remove"%}</a>
</td> </td>
{% else %} {% else %}
<td class="alc"><img src="{{ MEDIA_URL }}img/folder-icon-24.png" alt="{% trans "Directory icon"%}" /></td> <td class="alc"><img src="{{ MEDIA_URL }}img/folder-icon-24.png" alt="{% trans "Directory icon"%}" /></td>
@@ -170,7 +170,7 @@
<td>{% trans "Upload" %}</td> <td>{% trans "Upload" %}</td>
<td>{{ link.view_cnt }}</td> <td>{{ link.view_cnt }}</td>
<td> <td>
<a class="op vh" href="{% url 'remove_shared_upload_link' %}?t={{ link.token }}">{% trans "Remove"%}</a> <a class="op vh" href="{% url 'sys_upload_link_remove' %}?t={{ link.token }}">{% trans "Remove"%}</a>
</td> </td>
{% endif %} {% endif %}
</tr> </tr>

2
seahub/urls.py
View File

@@ -231,6 +231,8 @@ urlpatterns = patterns(
url(r'^sys/orgadmin/(?P<org_id>\d+)/library/$', sys_org_info_library, name='sys_org_info_library'), url(r'^sys/orgadmin/(?P<org_id>\d+)/library/$', sys_org_info_library, name='sys_org_info_library'),
url(r'^sys/orgadmin/(?P<org_id>\d+)/setting/$', sys_org_info_setting, name='sys_org_info_setting'), url(r'^sys/orgadmin/(?P<org_id>\d+)/setting/$', sys_org_info_setting, name='sys_org_info_setting'),
url(r'^sys/publinkadmin/$', sys_publink_admin, name='sys_publink_admin'), url(r'^sys/publinkadmin/$', sys_publink_admin, name='sys_publink_admin'),
url(r'^sys/publink/remove/$', sys_publink_remove, name='sys_publink_remove'),
url(r'^sys/uploadlink/remove/$', sys_upload_link_remove, name='sys_upload_link_remove'),
url(r'^sys/notificationadmin/', notification_list, name='notification_list'), url(r'^sys/notificationadmin/', notification_list, name='notification_list'),
url(r'^sys/sudo/', sys_sudo_mode, name='sys_sudo_mode'), url(r'^sys/sudo/', sys_sudo_mode, name='sys_sudo_mode'),
url(r'^useradmin/add/$', user_add, name="user_add"), url(r'^useradmin/add/$', user_add, name="user_add"),

30
seahub/views/sysadmin.py
View File

@@ -1511,6 +1511,36 @@ def sys_publink_admin(request):
}, },
context_instance=RequestContext(request)) context_instance=RequestContext(request))
@login_required
@sys_staff_required
def sys_publink_remove(request):
"""Remove share links.
"""
token = request.GET.get('t')
FileShare.objects.filter(token=token).delete()
next = request.META.get('HTTP_REFERER', None)
if not next:
next = reverse('share_admin')
messages.success(request, _(u'Removed successfully'))
return HttpResponseRedirect(next)
@login_required
@sys_staff_required
def sys_upload_link_remove(request):
"""Remove shared upload links.
"""
token = request.GET.get('t')
UploadLinkShare.objects.filter(token=token).delete()
next = request.META.get('HTTP_REFERER', None)
if not next:
next = reverse('share_admin')
messages.success(request, _(u'Removed successfully'))
return HttpResponseRedirect(next)
@login_required @login_required
@sys_staff_required @sys_staff_required
def user_search(request): def user_search(request):