From 5e20cd58fa794f1bbc3bab71ea400a17233467c5 Mon Sep 17 00:00:00 2001
From: zhengxie
Date: Sat, 17 Jun 2017 15:49:45 +0800
Subject: [PATCH] Update share file permissions
---
 seahub/views/file.py | 12 ++++++++++++
 .../file/test_view_file_via_shared_dir.py | 11 +++++++++++
 .../seahub/views/file/test_view_shared_file.py | 18 ++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/seahub/views/file.py b/seahub/views/file.py
index 4bf2298006..2c19adff21 100644
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -831,6 +831,9 @@ def view_shared_file(request, fileshare):
 # send statistic messages
 file_size = seafile_api.get_file_size(repo.store_id, repo.version, obj_id)
 if request.GET.get('dl', '') == '1':
+ if fileshare.get_permissions()['can_download'] is False:
+ raise Http404
+
 # download shared file
 return _download_file_from_share_link(request, fileshare)
@@ -839,6 +842,9 @@ def view_shared_file(request, fileshare):
 use_onetime=False)
 raw_path = gen_file_get_url(access_token, filename)
 if request.GET.get('raw', '') == '1':
+ if fileshare.get_permissions()['can_download'] is False:
+ raise Http404
+
 # check whether owner's traffic over the limit
 if user_traffic_over_limit(shared_by):
 messages.error(request, _(u'Unable to view raw file, share link traffic is used up.'))
@@ -974,6 +980,9 @@ def view_file_via_shared_dir(request, fileshare):
 context_instance=RequestContext(request))
 if request.GET.get('dl', '') == '1':
+ if fileshare.get_permissions()['can_download'] is False:
+ raise Http404
+
 # download shared file
 return _download_file_from_share_link(request, fileshare)
@@ -999,6 +1008,9 @@ def view_file_via_shared_dir(request, fileshare):
 filename = os.path.basename(req_path)
 if request.GET.get('raw', '0') == '1':
+ if fileshare.get_permissions()['can_download'] is False:
+ raise Http404
+
 username = request.user.username
 token = seafile_api.get_fileserver_access_token(repo_id, obj_id, 'view', username, use_onetime=True)
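Review bot: The guard added under `dl=1`, `if fileshare.get_permissions()['can_download'] is False:`, fails open, because it denies only when the value is exactly `False`; a `None` or `0` would let the download through, and a missing key would surface as a 500 instead of a 404. For an authorization check a fail-closed form is safer, e.g. `if not fileshare.get_permissions().get('can_download', False): raise Http404`, assuming get_permissions() (not visible here) returns a dict. The same three lines are repeated in the @@ -839, @@ -974 and @@ -999 hunks, so a small shared helper would keep the four checks from drifting apart. view_shared_file and view_file_via_shared_dir both start and end outside these hunks.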
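Review bot: In the @@ -839 hunk the `can_download` check runs only after `raw_path = gen_file_get_url(access_token, filename)` has been built, from a token whose call ends in `use_onetime=False`, so a view-only share still has a reusable fileserver URL generated on every request. If `raw_path` is later passed to the preview template (the rest of view_shared_file is outside the hunk), the page exposes a direct file URL regardless of this check, and the 404 closes only the `raw=1` query-parameter route. That limit deserves a comment beside the check, such as `# view-only blocks dl/raw on this view only; the preview raw_path is still a direct file URL`, or a one-time token for view-only shares.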
diff --git a/tests/seahub/views/file/test_view_file_via_shared_dir.py b/tests/seahub/views/file/test_view_file_via_shared_dir.py
index 0857c4e479..21b11be58d 100644
--- a/tests/seahub/views/file/test_view_file_via_shared_dir.py
+++ b/tests/seahub/views/file/test_view_file_via_shared_dir.py
@@ -82,3 +82,14 @@ class ViewFileViaSharedDirTest(TestCase, Fixtures):
 resp = self.client.get(dl_url)
 self.assertEqual(302, resp.status_code)
 assert '8082/files/' in resp.get('location')
+
+ def test_can_not_download_viewonly(self):
+ assert self.fs.get_permissions()['can_download'] is True
+ self.fs.permission = FileShare.PERM_VIEW_ONLY
+ self.fs.save()
+ assert self.fs.get_permissions()['can_download'] is False
+
+ dl_url = reverse('view_file_via_shared_dir', args=[self.fs.token]) + \
+ '?p=%s&dl=1' % self.file
+ resp = self.client.get(dl_url)
+ self.assertEqual(404, resp.status_code)
diff --git a/tests/seahub/views/file/test_view_shared_file.py b/tests/seahub/views/file/test_view_shared_file.py
index 3f6ade6608..02db2038cc 100644
--- a/tests/seahub/views/file/test_view_shared_file.py
+++ b/tests/seahub/views/file/test_view_shared_file.py
@@ -46,6 +46,15 @@ class ViewSharedFileTest(TestCase, Fixtures):
 self.assertEqual(302, resp.status_code)
 assert '8082/files/' in resp.get('location')
+ def test_can_not_download_viewonly(self):
+ assert self.fs.get_permissions()['can_download'] is True
+ self.fs.permission = FileShare.PERM_VIEW_ONLY
+ self.fs.save()
+ assert self.fs.get_permissions()['can_download'] is False
+ dl_url = reverse('view_shared_file', args=[self.fs.token]) + '?dl=1'
+ resp = self.client.get(dl_url)
+ self.assertEqual(404, resp.status_code)
+
 def test_dl_link_can_use_more_times(self):
 dl_url = reverse('view_shared_file', args=[self.fs.token]) + '?dl=1'
 resp = self.client.get(dl_url)
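Review bot: test_can_not_download_viewonly in test_view_file_via_shared_dir.py exercises only `dl=1`, although this commit also adds a `raw=1` guard to view_file_via_shared_dir, so that branch of the permission check has no test (test_view_shared_file.py gets a raw test, this file does not). A sibling test that requests `'?p=%s&raw=1' % self.file` on a `PERM_VIEW_ONLY` share and asserts 404 would close the gap. The new tests in both files reference `FileShare.PERM_VIEW_ONLY` but the diff adds no import line, so confirm `FileShare` is already imported at the top of each test module.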
@@ -64,6 +73,15 @@ class ViewSharedFileTest(TestCase, Fixtures):
 self.assertEqual(302, resp.status_code)
 assert '8082/files/' in resp.get('location')
+ def test_can_not_view_raw_viewonly(self):
+ assert self.fs.get_permissions()['can_download'] is True
+ self.fs.permission = FileShare.PERM_VIEW_ONLY
+ self.fs.save()
+ assert self.fs.get_permissions()['can_download'] is False
+ dl_url = reverse('view_shared_file', args=[self.fs.token]) + '?raw=1'
+ resp = self.client.get(dl_url)
+ self.assertEqual(404, resp.status_code)
+
 def test_view_count(self):
 """Issue https://github.com/haiwen/seahub/issues/742
 """