
update remove folder permission

Do not check path existence when deleting a user/group folder permission
lian
2017-01-13 16:54:38 +08:00
parent 6d04da2b0d
commit 2ecae4162b
3 changed files with 73 additions and 68 deletions


@@ -4415,26 +4415,54 @@ class RepoUserFolderPerm(APIView):
error_msg = 'Internal Server Error' error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
@api_repo_user_folder_perm_check
def delete(self, request, repo_id, format=None): def delete(self, request, repo_id, format=None):
if not (is_pro_version() and ENABLE_FOLDER_PERM): # argument check
user = request.data.get('user_email', None)
path = request.data.get('folder_path', None)
if not user:
error_msg = 'user_email invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if not path:
error_msg = 'folder_path invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# resource check
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
try:
User.objects.get(email=user)
except User.DoesNotExist:
error_msg = 'User %s not found.' % user
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# permission check
if is_org_context(request):
repo_owner = seafile_api.get_org_repo_owner(repo_id)
else:
repo_owner = seafile_api.get_repo_owner(repo_id)
username = request.user.username
if not (is_pro_version() and ENABLE_FOLDER_PERM) or \
repo.is_virtual or username != repo_owner:
error_msg = 'Permission denied.' error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg) return api_error(status.HTTP_403_FORBIDDEN, error_msg)
user = request.data.get('user_email') # delete permission
path = request.data.get('folder_path')
path = path.rstrip('/') if path != '/' else path path = path.rstrip('/') if path != '/' else path
permission = seafile_api.get_folder_user_perm(repo_id, path, user) permission = seafile_api.get_folder_user_perm(repo_id, path, user)
if not permission: if not permission:
return Response({'success': True}) return Response({'success': True})
username = request.user.username
try: try:
seafile_api.rm_folder_user_perm(repo_id, path, user) seafile_api.rm_folder_user_perm(repo_id, path, user)
send_perm_audit_msg('delete-repo-perm', username, send_perm_audit_msg('delete-repo-perm', username,
user, repo_id, path, permission) user, repo_id, path, permission)
return Response({'success': True}) return Response({'success': True})
except SearpcError as e: except SearpcError as e:
logger.error(e) logger.error(e)
@@ -4541,23 +4569,54 @@ class RepoGroupFolderPerm(APIView):
error_msg = 'Internal Server Error' error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
@api_repo_group_folder_perm_check
def delete(self, request, repo_id, format=None): def delete(self, request, repo_id, format=None):
if not (is_pro_version() and ENABLE_FOLDER_PERM): # arguments check
group_id = request.data.get('group_id', None)
path = request.data.get('folder_path', None)
if not group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if not path:
error_msg = 'folder_path invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
group_id = int(group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# resource check
if not ccnet_api.get_group(group_id):
error_msg = 'Group %s not found.' % group_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# permission check
if is_org_context(request):
repo_owner = seafile_api.get_org_repo_owner(repo_id)
else:
repo_owner = seafile_api.get_repo_owner(repo_id)
username = request.user.username
if not (is_pro_version() and ENABLE_FOLDER_PERM) or \
repo.is_virtual or username != repo_owner:
error_msg = 'Permission denied.' error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg) return api_error(status.HTTP_403_FORBIDDEN, error_msg)
group_id = request.data.get('group_id') # delete permission
path = request.data.get('folder_path')
group_id = int(group_id)
path = path.rstrip('/') if path != '/' else path path = path.rstrip('/') if path != '/' else path
permission = seafile_api.get_folder_group_perm(repo_id, path, group_id) permission = seafile_api.get_folder_group_perm(repo_id, path, group_id)
if not permission: if not permission:
return Response({'success': True}) return Response({'success': True})
username = request.user.username
try: try:
seafile_api.rm_folder_group_perm(repo_id, path, group_id) seafile_api.rm_folder_group_perm(repo_id, path, group_id)
send_perm_audit_msg('delete-repo-perm', username, group_id, send_perm_audit_msg('delete-repo-perm', username, group_id,
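Review bot: In the first hunk (RepoUserFolderPerm.delete) the `User.objects.get(email=user)` lookup and its 404 `'User %s not found.'` run before the `username != repo_owner` test, so any authenticated caller who is not the owner of the library can probe whether an arbitrary e-mail address belongs to an account. Move that try/except below the permission check; the `seafile_api.get_repo` lookup has to stay first because the permission check reads `repo.is_virtual`. The second hunk (RepoGroupFolderPerm.delete) has the same ordering with `ccnet_api.get_group(group_id)` and its `'Group %s not found.'` 404, and its body continues past the end of the hunk. Since the `@api_repo_user_folder_perm_check` / `@api_repo_group_folder_perm_check` decorators are dropped, a short comment at the top of each method would help, e.g. `# Inline replacement for the former decorator: argument check, resource check, then owner check.`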


@@ -180,33 +180,6 @@ class RepoGroupFolderPermTest(BaseTestCase):
resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') resp = self.client.delete(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(403, resp.status_code) self.assertEqual(403, resp.status_code)
def test_invalid_path(self):
self.login_as(self.user)
invalid_path = randstring(6)
# test delete
url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id])
data = 'group_id=%s&folder_path=%s' % (self.group_id, invalid_path)
resp = self.client.delete(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(404, resp.status_code)
# test modify
url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id])
data = 'group_id=%s&folder_path=%s&permission=%s' % (self.group_id, invalid_path, self.perm_rw)
resp = self.client.put(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(404, resp.status_code)
# test add
url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id])
data = {
"group_id": self.group_id,
"folder_path": invalid_path,
"permission": self.perm_rw
}
resp = self.client.post(url, data)
self.assertEqual(404, resp.status_code)
def test_invalid_group(self): def test_invalid_group(self):
self.login_as(self.user) self.login_as(self.user)


@@ -179,33 +179,6 @@ class RepoUserFolderPermTest(BaseTestCase):
resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') resp = self.client.delete(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(403, resp.status_code) self.assertEqual(403, resp.status_code)
def test_invalid_path(self):
self.login_as(self.user)
invalid_path = randstring(6)
# test add
url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id])
data = {
"user_email": self.admin_email,
"folder_path": invalid_path,
"permission": self.perm_rw
}
resp = self.client.post(url, data)
self.assertEqual(404, resp.status_code)
# test modify
url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id])
data = 'user_email=%s&folder_path=%s&permission=%s' % (self.admin_email, invalid_path, self.perm_rw)
resp = self.client.put(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(404, resp.status_code)
# test delete
url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id])
data = 'user_email=%s&folder_path=%s' % (self.admin_email, invalid_path)
resp = self.client.delete(url, data, 'application/x-www-form-urlencoded')
self.assertEqual(404, resp.status_code)
def test_invalid_user(self): def test_invalid_user(self):
self.login_as(self.user) self.login_as(self.user)