[share] Add owner checking for private file share
@@ -151,6 +151,9 @@ class FileShare(models.Model):
|
||||
else:
|
||||
return False
|
||||
|
||||
def is_owner(self, owner):
|
||||
return owner == self.username
|
||||
|
||||
class OrgFileShareManager(models.Manager):
|
||||
def set_org_file_share(self, org_id, file_share):
|
||||
"""Set a share link as org share link.
|
||||
@@ -233,6 +236,9 @@ class UploadLinkShare(models.Model):
|
||||
def is_encrypted(self):
|
||||
return True if self.password is not None else False
|
||||
|
||||
def is_owner(self, owner):
|
||||
return owner == self.username
|
||||
|
||||
class PrivateFileDirShareManager(models.Manager):
|
||||
def add_private_file_share(self, from_user, to_user, repo_id, path, perm):
|
||||
"""
|
||||
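Review bot: The two new `is_owner` methods, on FileShare and on UploadLinkShare, become the authorization predicate for link removal but carry no docstring stating what `owner` must be. The body compares the argument with `self.username` by plain equality, so a caller that passes a user object instead of the username string would most likely get False, not an error. A one-line docstring such as `"""Return True if owner (a username string) is the user who created this link."""` would pin the contract down. Both classes continue outside the hunks shown, so whether the duplicated body belongs in a shared mixin cannot be judged from this page.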
|
@@ -12,18 +12,13 @@ urlpatterns = patterns('',
|
||||
url(r'^remove/$', repo_remove_share, name='repo_remove_share'),
|
||||
|
||||
url(r'^link/get/$', get_shared_link, name='get_shared_link'),
|
||||
url(r'^link/remove/$', remove_shared_link, name='remove_shared_link'),
|
||||
|
||||
url(r'^ajax/link/remove/$', ajax_remove_shared_link, name='ajax_remove_shared_link'),
|
||||
|
||||
url(r'^link/send/$', send_shared_link, name='send_shared_link'),
|
||||
url(r'^link/save/$', save_shared_link, name='save_shared_link'),
|
||||
|
||||
url(r'^upload_link/get/$', get_shared_upload_link, name='get_shared_upload_link'),
|
||||
url(r'^upload_link/remove/$', remove_shared_upload_link, name='remove_shared_upload_link'),
|
||||
|
||||
url(r'^ajax/upload_link/remove/$', ajax_remove_shared_upload_link, name='ajax_remove_shared_upload_link'),
|
||||
|
||||
url(r'^upload_link/send/$', send_shared_upload_link, name='send_shared_upload_link'),
|
||||
|
||||
url(r'^permission_admin/$', share_permission_admin, name='share_permission_admin'),
|
||||
|
@@ -868,65 +868,36 @@ def get_shared_link(request):
|
||||
data = json.dumps({'token': token, 'shared_link': shared_link})
|
||||
return HttpResponse(data, status=200, content_type=content_type)
|
||||
|
||||
@login_required
|
||||
def remove_shared_link(request):
|
||||
"""
|
||||
Handle request to remove file shared link.
|
||||
"""
|
||||
token = request.GET.get('t')
|
||||
|
||||
FileShare.objects.filter(token=token).delete()
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = reverse('share_admin')
|
||||
|
||||
messages.success(request, _(u'Removed successfully'))
|
||||
|
||||
return HttpResponseRedirect(next)
|
||||
|
||||
|
||||
@login_required_ajax
|
||||
def ajax_remove_shared_link(request):
|
||||
|
||||
username = request.user.username
|
||||
content_type = 'application/json; charset=utf-8'
|
||||
result = {}
|
||||
|
||||
token = request.GET.get('t')
|
||||
|
||||
if not token:
|
||||
result = {'error': _(u"Argument missing")}
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
try:
|
||||
link = FileShare.objects.get(token=token)
|
||||
link.delete()
|
||||
result = {'success': True}
|
||||
return HttpResponse(json.dumps(result), content_type=content_type)
|
||||
except:
|
||||
except FileShare.DoesNotExist:
|
||||
result = {'error': _(u"The link doesn't exist")}
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
if not link.is_owner(username):
|
||||
result = {'error': _("Permission denied")}
|
||||
return HttpResponse(json.dumps(result), status=403,
|
||||
content_type=content_type)
|
||||
|
||||
@login_required
|
||||
def remove_shared_upload_link(request):
|
||||
"""
|
||||
Handle request to remove shared upload link.
|
||||
"""
|
||||
token = request.GET.get('t')
|
||||
|
||||
UploadLinkShare.objects.filter(token=token).delete()
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = reverse('share_admin')
|
||||
|
||||
messages.success(request, _(u'Removed successfully'))
|
||||
|
||||
return HttpResponseRedirect(next)
|
||||
link.delete()
|
||||
result = {'success': True}
|
||||
return HttpResponse(json.dumps(result), content_type=content_type)
|
||||
|
||||
|
||||
@login_required_ajax
|
||||
def ajax_remove_shared_upload_link(request):
|
||||
|
||||
username = request.user.username
|
||||
content_type = 'application/json; charset=utf-8'
|
||||
result = {}
|
||||
|
||||
@@ -937,12 +908,17 @@ def ajax_remove_shared_upload_link(request):
|
||||
|
||||
try:
|
||||
upload_link = UploadLinkShare.objects.get(token=token)
|
||||
except UploadLinkShare.DoesNotExist:
|
||||
result = {'error': _(u"The link doesn't exist")}
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
if not upload_link.is_owner(username):
|
||||
result = {'error': _("Permission denied")}
|
||||
return HttpResponse(json.dumps(result), status=403,
|
||||
content_type=content_type)
|
||||
upload_link.delete()
|
||||
result = {'success': True}
|
||||
return HttpResponse(json.dumps(result), content_type=content_type)
|
||||
except:
|
||||
result = {'error': _(u"The link doesn't exist")}
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
|
||||
@login_required_ajax
|
||||
@@ -1075,6 +1051,14 @@ def gen_private_file_share(request, repo_id):
|
||||
file_or_dir = os.path.basename(path.rstrip('/'))
|
||||
username = request.user.username
|
||||
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = SITE_ROOT
|
||||
|
||||
if not check_folder_permission(request, repo_id, file_or_dir):
|
||||
messages.error(request, _('Permission denied'))
|
||||
return HttpResponseRedirect(next)
|
||||
|
||||
for email in [e.strip() for e in emails if e.strip()]:
|
||||
if not is_valid_username(email):
|
||||
continue
|
||||
@@ -1096,9 +1080,6 @@ def gen_private_file_share(request, repo_id):
|
||||
share_file_to_user_successful.send(sender=None, priv_share_obj=pfds)
|
||||
messages.success(request, _('Successfully shared %s.') % file_or_dir)
|
||||
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = SITE_ROOT
|
||||
return HttpResponseRedirect(next)
|
||||
|
||||
@login_required
|
||||
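Review bot: The new permission check in gen_private_file_share is called with `file_or_dir`, which the line above it sets to `os.path.basename(path.rstrip('/'))`, not with the path that is being shared. The definition of check_folder_permission is not visible here. If it resolves its third argument as a path inside the library, the check is evaluated against a bare name, not the item itself, so its result need not reflect the caller's permission on the shared file or directory. In that case the call should read `if not check_folder_permission(request, repo_id, path):`. The function body starts and ends outside the hunk, so how `path` is obtained and validated cannot be confirmed from this page.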
|
@@ -22,7 +22,7 @@
|
||||
<td>{{ publink.ctime|translate_seahub_time }} </td>
|
||||
<td>{{ publink.view_cnt }}</td>
|
||||
<td>
|
||||
<a class="op-icon vh" href="{% url 'remove_shared_link' %}?t={{ publink.token }}" title="{% trans "Remove" %}">
|
||||
<a class="op-icon vh" href="{% url 'sys_publink_remove' %}?t={{ publink.token }}" title="{% trans "Remove" %}">
|
||||
<img src="{{MEDIA_URL}}img/rm.png" alt="" />
|
||||
</a>
|
||||
</td>
|
||||
|
@@ -161,7 +161,7 @@
|
||||
<td>{% trans "Download" %}</td>
|
||||
<td>{{ link.view_cnt }}</td>
|
||||
<td>
|
||||
<a class="op vh" href="{% url 'remove_shared_link' %}?t={{ link.token }}">{% trans "Remove"%}</a>
|
||||
<a class="op vh" href="{% url 'sys_publink_remove' %}?t={{ link.token }}">{% trans "Remove"%}</a>
|
||||
</td>
|
||||
{% else %}
|
||||
<td class="alc"><img src="{{ MEDIA_URL }}img/folder-icon-24.png" alt="{% trans "Directory icon"%}" /></td>
|
||||
@@ -170,7 +170,7 @@
|
||||
<td>{% trans "Upload" %}</td>
|
||||
<td>{{ link.view_cnt }}</td>
|
||||
<td>
|
||||
<a class="op vh" href="{% url 'remove_shared_upload_link' %}?t={{ link.token }}">{% trans "Remove"%}</a>
|
||||
<a class="op vh" href="{% url 'sys_upload_link_remove' %}?t={{ link.token }}">{% trans "Remove"%}</a>
|
||||
</td>
|
||||
{% endif %}
|
||||
</tr>
|
||||
|
@@ -231,6 +231,8 @@ urlpatterns = patterns(
|
||||
url(r'^sys/orgadmin/(?P<org_id>\d+)/library/$', sys_org_info_library, name='sys_org_info_library'),
|
||||
url(r'^sys/orgadmin/(?P<org_id>\d+)/setting/$', sys_org_info_setting, name='sys_org_info_setting'),
|
||||
url(r'^sys/publinkadmin/$', sys_publink_admin, name='sys_publink_admin'),
|
||||
url(r'^sys/publink/remove/$', sys_publink_remove, name='sys_publink_remove'),
|
||||
url(r'^sys/uploadlink/remove/$', sys_upload_link_remove, name='sys_upload_link_remove'),
|
||||
url(r'^sys/notificationadmin/', notification_list, name='notification_list'),
|
||||
url(r'^sys/sudo/', sys_sudo_mode, name='sys_sudo_mode'),
|
||||
url(r'^useradmin/add/$', user_add, name="user_add"),
|
||||
|
@@ -1511,6 +1511,36 @@ def sys_publink_admin(request):
|
||||
},
|
||||
context_instance=RequestContext(request))
|
||||
|
||||
@login_required
|
||||
@sys_staff_required
|
||||
def sys_publink_remove(request):
|
||||
"""Remove share links.
|
||||
"""
|
||||
token = request.GET.get('t')
|
||||
|
||||
FileShare.objects.filter(token=token).delete()
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = reverse('share_admin')
|
||||
|
||||
messages.success(request, _(u'Removed successfully'))
|
||||
return HttpResponseRedirect(next)
|
||||
|
||||
@login_required
|
||||
@sys_staff_required
|
||||
def sys_upload_link_remove(request):
|
||||
"""Remove shared upload links.
|
||||
"""
|
||||
token = request.GET.get('t')
|
||||
|
||||
UploadLinkShare.objects.filter(token=token).delete()
|
||||
next = request.META.get('HTTP_REFERER', None)
|
||||
if not next:
|
||||
next = reverse('share_admin')
|
||||
|
||||
messages.success(request, _(u'Removed successfully'))
|
||||
return HttpResponseRedirect(next)
|
||||
|
||||
@login_required
|
||||
@sys_staff_required
|
||||
def user_search(request):
|
||||
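Review bot: Both new staff views, sys_publink_remove and sys_upload_link_remove, delete rows in response to a GET carrying `t` in the query string, and Django's CSRF middleware does not check GET requests. A cross-site request made from a staff member's logged-in browser would therefore be honoured for any link whose token is known, and share tokens are by design handed to other people. Restricting the views to POST, for example `@require_POST` from `django.views.decorators.http` with the token read from `request.POST`, and turning the template anchors into small forms with `{% csrf_token %}` would close that. A missing `t` also falls through to `filter(token=None).delete()` and still reports 'Removed successfully'; an early `if not token:` return would make that case explicit. ajax_remove_shared_link in the share views reads `request.GET.get('t')` in the same way.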
|