haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-07-11 14:13:56 +00:00
Code Issues Releases Wiki Activity

improve edit file_comment permission

Browse Source
This commit is contained in:
王健辉 2022-03-10 12:14:12 +08:00
parent b38decd94e
commit 4835a0ba49
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
seahub/api2/endpoints/file_comment.py
View File

@ -29,12 +29,16 @@ class FileCommentView(APIView):
def get(self, request, repo_id, comment_id, format=None): def get(self, request, repo_id, comment_id, format=None):
"""Get a comment. """Get a comment.
""" """
# resource check
try: try:
file_comment = FileComment.objects.get(pk=comment_id) file_comment = FileComment.objects.get(pk=comment_id)
except FileComment.DoesNotExist: except FileComment.DoesNotExist:
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id') return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
# permission check # permission check
if file_comment.uuid.repo_id != repo_id:
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
if check_folder_permission(request, repo_id, '/') is None: if check_folder_permission(request, repo_id, '/') is None:
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
try: try:
@ -53,11 +57,16 @@ class FileCommentView(APIView):
"""Delete a comment, only comment author or repo owner can perform """Delete a comment, only comment author or repo owner can perform
this op. this op.
""" """
# resource check
try: try:
file_comment = FileComment.objects.get(pk=comment_id) file_comment = FileComment.objects.get(pk=comment_id)
except FileComment.DoesNotExist: except FileComment.DoesNotExist:
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id') return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
# permission check
if file_comment.uuid.repo_id != repo_id:
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
username = request.user.username username = request.user.username
if username != file_comment.author and not is_repo_owner(request, repo_id, username): if username != file_comment.author and not is_repo_owner(request, repo_id, username):
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
@ -67,7 +76,7 @@ class FileCommentView(APIView):
return Response(status=204) return Response(status=204)
def put(self, request, repo_id, comment_id, format=None): def put(self, request, repo_id, comment_id, format=None):
"""Update a comment, only comment author or repo owner can perform """Update a comment, only comment author can perform
this op this op
1.Change resolved of comment 1.Change resolved of comment
2.Add comment_detail 2.Add comment_detail
@ -88,7 +97,12 @@ class FileCommentView(APIView):
return api_error(status.HTTP_404_NOT_FOUND, error_msg) return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# permission check # permission check
if check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE: if file_comment.uuid.repo_id != repo_id:
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
username = request.user.username
if username != file_comment.author or \
not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:
error_msg = 'Permission denied.' error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg) return api_error(status.HTTP_403_FORBIDDEN, error_msg)