improve edit file_comment permission
parent
b38decd94e
commit
4835a0ba49
@ -29,12 +29,16 @@ class FileCommentView(APIView):
|
|||||||
def get(self, request, repo_id, comment_id, format=None):
|
def get(self, request, repo_id, comment_id, format=None):
|
||||||
"""Get a comment.
|
"""Get a comment.
|
||||||
"""
|
"""
|
||||||
|
# resource check
|
||||||
try:
|
try:
|
||||||
file_comment = FileComment.objects.get(pk=comment_id)
|
file_comment = FileComment.objects.get(pk=comment_id)
|
||||||
except FileComment.DoesNotExist:
|
except FileComment.DoesNotExist:
|
||||||
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
|
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
|
||||||
|
|
||||||
# permission check
|
# permission check
|
||||||
|
if file_comment.uuid.repo_id != repo_id:
|
||||||
|
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
||||||
|
|
||||||
if check_folder_permission(request, repo_id, '/') is None:
|
if check_folder_permission(request, repo_id, '/') is None:
|
||||||
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
||||||
try:
|
try:
|
||||||
@ -53,11 +57,16 @@ class FileCommentView(APIView):
|
|||||||
"""Delete a comment, only comment author or repo owner can perform
|
"""Delete a comment, only comment author or repo owner can perform
|
||||||
this op.
|
this op.
|
||||||
"""
|
"""
|
||||||
|
# resource check
|
||||||
try:
|
try:
|
||||||
file_comment = FileComment.objects.get(pk=comment_id)
|
file_comment = FileComment.objects.get(pk=comment_id)
|
||||||
except FileComment.DoesNotExist:
|
except FileComment.DoesNotExist:
|
||||||
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
|
return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
|
||||||
|
|
||||||
|
# permission check
|
||||||
|
if file_comment.uuid.repo_id != repo_id:
|
||||||
|
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
||||||
|
|
||||||
username = request.user.username
|
username = request.user.username
|
||||||
if username != file_comment.author and not is_repo_owner(request, repo_id, username):
|
if username != file_comment.author and not is_repo_owner(request, repo_id, username):
|
||||||
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
||||||
@ -67,7 +76,7 @@ class FileCommentView(APIView):
|
|||||||
return Response(status=204)
|
return Response(status=204)
|
||||||
|
|
||||||
def put(self, request, repo_id, comment_id, format=None):
|
def put(self, request, repo_id, comment_id, format=None):
|
||||||
"""Update a comment, only comment author or repo owner can perform
|
"""Update a comment, only comment author can perform
|
||||||
this op
|
this op
|
||||||
1.Change resolved of comment
|
1.Change resolved of comment
|
||||||
2.Add comment_detail
|
2.Add comment_detail
|
||||||
@ -88,7 +97,12 @@ class FileCommentView(APIView):
|
|||||||
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
|
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
|
||||||
|
|
||||||
# permission check
|
# permission check
|
||||||
if check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:
|
if file_comment.uuid.repo_id != repo_id:
|
||||||
|
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
|
||||||
|
|
||||||
|
username = request.user.username
|
||||||
|
if username != file_comment.author or \
|
||||||
|
not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:
|
||||||
error_msg = 'Permission denied.'
|
error_msg = 'Permission denied.'
|
||||||
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
|
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
|
||||||
|
|
||||||
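Review bot: The permission test added to put() in the last hunk is inverted: `not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE` parses as `not (perm != PERMISSION_READ_WRITE)`, which is true exactly when the caller has read-write permission, so a comment author who still has write access is denied while an author whose access was revoked or downgraded (check_folder_permission returning None or a read-only value) is allowed to edit. Dropping the `not` gives the check the docstring describes: `if username != file_comment.author or \` followed by `check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:`. The repo_id-vs-comment binding added to get(), delete() and put() closes the cross-repo comment access the old code permitted, but a comment from another repo now answers 403 while a nonexistent id answers 400 'Wrong comment id', which lets a caller probe which comment ids exist; returning the same status for both cases would avoid that oracle. put()'s signature sits in the previous hunk and its body continues past the end of this one.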
|