From 2411e296c20382af98d2372d4c5e70892fb39e11 Mon Sep 17 00:00:00 2001
From: lian
Date: Thu, 15 Oct 2015 15:15:43 +0800
Subject: [PATCH] check folder permission before set user/group perm
---
 seahub/views/ajax.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index 1faf96a9ac..db4104f072 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -2362,6 +2362,10 @@ def set_user_folder_perm(request, repo_id):
 return HttpResponse(json.dumps({"error": _('Library does not exist')}),
 status=400, content_type=content_type)
 
+ if check_folder_permission(request, repo_id, path) != 'rw':
+ return HttpResponse(json.dumps({"error": _('Permission denied')}),
+ status=403, content_type=content_type)
+
 if is_org_context(request):
 repo_owner = seafile_api.get_org_repo_owner(repo_id)
 else:
@@ -2504,6 +2508,10 @@ def set_group_folder_perm(request, repo_id):
 return HttpResponse(json.dumps({"error": _('Library does not exist')}),
 status=400, content_type=content_type)
 
+ if check_folder_permission(request, repo_id, path) != 'rw':
+ return HttpResponse(json.dumps({"error": _('Permission denied')}),
+ status=403, content_type=content_type)
+
 if is_org_context(request):
 repo_owner = seafile_api.get_org_repo_owner(repo_id)
 else:
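Review bot: The new gate in `set_user_folder_perm` passes any caller for whom `check_folder_permission(request, repo_id, path)` returns `'rw'`, which is the level an ordinary read-write collaborator holds, so by itself it does not limit changing other users' folder permissions to the library owner. The function continues past the hunk with the `repo_owner` lookup; if a comparison of the requesting user against `repo_owner` does not follow there, one is needed, and if it does, a comment on the added lines such as `# rw on the folder is only a precondition; the owner comparison below is the authorization decision` would make the intent explicit. `path` is assigned outside the hunk, so confirm it is rejected when missing and normalised before it reaches this call. The identical three lines are repeated in the second hunk (`set_group_folder_perm`); a small shared helper would keep the two views from drifting apart.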