From 4835a0ba497935b979cf47d2bc96aaeb852f81fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E5=81=A5=E8=BE=89?= <40563566+mrwangjianhui@users.noreply.github.com> Date: Thu, 10 Mar 2022 12:14:12 +0800 Subject: [PATCH] improve edit file_comment permission --- seahub/api2/endpoints/file_comment.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/seahub/api2/endpoints/file_comment.py b/seahub/api2/endpoints/file_comment.py index 08bd27564b..395f230ccc 100644 --- a/seahub/api2/endpoints/file_comment.py +++ b/seahub/api2/endpoints/file_comment.py @@ -29,12 +29,16 @@ class FileCommentView(APIView): def get(self, request, repo_id, comment_id, format=None): """Get a comment. """ + # resource check try: file_comment = FileComment.objects.get(pk=comment_id) except FileComment.DoesNotExist: return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id') # permission check + if file_comment.uuid.repo_id != repo_id: + return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') + if check_folder_permission(request, repo_id, '/') is None: return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') try: @@ -53,11 +57,16 @@ class FileCommentView(APIView): """Delete a comment, only comment author or repo owner can perform this op. """ + # resource check try: file_comment = FileComment.objects.get(pk=comment_id) except FileComment.DoesNotExist: return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id') + # permission check + if file_comment.uuid.repo_id != repo_id: + return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') + username = request.user.username if username != file_comment.author and not is_repo_owner(request, repo_id, username): return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') 
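Review bot: In get() the new `file_comment.uuid.repo_id != repo_id` guard (and the identical one in the delete hunk below) still sits after the unconditional `FileComment.objects.get(pk=comment_id)`, so a caller with no permission on repo_id can tell an existing comment id from a missing one by the 400 'Wrong comment id' versus 403 split — a small enumeration oracle that the commit leaves in place. The two failure modes could be collapsed by answering the mismatch case the same way a missing comment is answered, e.g. `return api_error(status.HTTP_404_NOT_FOUND, 'Comment not found.')`, which is also the status put() uses for a missing comment according to the later hunk, so the three methods would agree. The bodies of get() and delete() continue outside their hunks, so I cannot see whether anything after these checks depends on the 403 code.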
@@ -67,7 +76,7 @@ class FileCommentView(APIView): return Response(status=204) def put(self, request, repo_id, comment_id, format=None): - """Update a comment, only comment author or repo owner can perform + """Update a comment, only comment author can perform this op 1.Change resolved of comment 2.Add comment_detail @@ -88,7 +97,12 @@ class FileCommentView(APIView): return api_error(status.HTTP_404_NOT_FOUND, error_msg) # permission check - if check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE: + if file_comment.uuid.repo_id != repo_id: + return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') + + username = request.user.username + if username != file_comment.author or \ + not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE: error_msg = 'Permission denied.' return api_error(status.HTTP_403_FORBIDDEN, error_msg)
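Review bot: The new condition in put() inverts the intended permission test: `not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE` parses as `not (... != ...)`, i.e. `... == PERMISSION_READ_WRITE`, so a comment author who has read-write access is denied while an author whose access is read-only or revoked (None) passes this clause and can still edit the comment. The fix is to drop the `not` so the line reads `check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:` under `if username != file_comment.author or \`. A short comment above the test such as `# only the author, and only while they still have read-write access` would make the two-part rule explicit for the next reader. The rest of put() lies outside this hunk.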