update permission check logic when view lib (#4685)

Co-authored-by: lian <lian@seafile.com>
2025-08-31 06:34:40 +00:00 · 2020-09-29 11:23:56 +08:00
parent 0c10f4a9f7
commit 3474e0f6fa
1 changed files with 42 additions and 5 deletions
--- a/seahub/views/init.py
+++ b/seahub/views/init.py
@@ -9,7 +9,7 @@ import logging
 import posixpath

 from django.core.cache import cache
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, resolve
 from django.contrib import messages
 from django.http import HttpResponse, Http404, \
    HttpResponseRedirect
@@ -1119,10 +1119,47 @@ def choose_register(request):
        'login_bg_image_path': login_bg_image_path
    })

+
@login_required
 def react_fake_view(request, **kwargs):

    username = request.user.username
+
+    if resolve(request.path).url_name == 'lib_view':
+
+        repo_id = kwargs.get('repo_id', '')
+        path = kwargs.get('path', '')
+
+        if repo_id and path and \
+                not check_folder_permission(request, repo_id, path):
+
+            converted_repo_path = seafile_api.convert_repo_path(repo_id, path, username)
+            if not converted_repo_path:
+                error_msg = 'Permission denied.'
+                return render_error(request, error_msg)
+
+            repo_path_dict = json.loads(converted_repo_path)
+
+            converted_repo_id = repo_path_dict['repo_id']
+            converted_repo = seafile_api.get_repo(converted_repo_id)
+            if not converted_repo:
+                error_msg = 'Library %s not found.' % converted_repo_id
+                return render_error(request, error_msg)
+
+            converted_path = repo_path_dict['path']
+            if not seafile_api.get_dirent_by_path(converted_repo_id, converted_path):
+                error_msg = 'Dirent %s not found.' % converted_path
+                return render_error(request, error_msg)
+
+            if not check_folder_permission(request, converted_repo_id, converted_path):
+                error_msg = 'Permission denied.'
+                return render_error(request, error_msg)
+
+            next_url = reverse('lib_view', args=[converted_repo_id,
+                                                 converted_repo.repo_name,
+                                                 converted_path.strip('/')])
+            return HttpResponseRedirect(next_url)
+
    guide_enabled = UserOptions.objects.is_user_guide_enabled(username)
    if guide_enabled:
        create_default_library(request)