Update internal_api.py (#8304)

2025-10-20 10:20:42 +00:00 · 2025-10-13 18:07:41 +08:00
parent 070e855738
commit 83fbfdaeee
1 changed files with 21 additions and 8 deletions
--- a/seahub/api2/endpoints/internal_api.py
+++ b/seahub/api2/endpoints/internal_api.py
@@ -1,5 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 import logging
+import os
 from rest_framework import status
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -13,7 +14,8 @@ from seahub.repo_api_tokens.models import RepoAPITokens
 from seahub.share.models import UploadLinkShare, FileShare, check_share_link_access, check_share_link_access_by_scope
 from seaserv import seafile_api
 from seahub.utils.repo import parse_repo_perm
-from seahub.views.file import send_file_access_msg
+from seahub.views.file import send_file_access_msg, FILE_TYPE_FOR_NEW_FILE_LINK
+from seahub.utils import normalize_file_path, get_file_type_and_ext

 logger = logging.getLogger(__name__)

@@ -26,7 +28,6 @@ AVAILABLE_OPS = [


 class InternalUserListView(APIView):
-   
    throttle_classes = (UserRateThrottle, )
    
    def post(self, request):
@@ -146,6 +147,7 @@ class InternalCheckFileOperationAccess(APIView):
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
        
        file_path = request.data.get('path', '/')
+        file_path = normalize_file_path(file_path)
        repo = seafile_api.get_repo(repo_id)
        if not repo:
            return api_error(status.HTTP_404_NOT_FOUND, 'Library %s not found.' % repo_id)
@@ -154,7 +156,16 @@ class InternalCheckFileOperationAccess(APIView):
        if not file_id:
            error_msg = 'File not found'
            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
-        
+
+        filename = os.path.basename(file_path)
+        filetype, ext = get_file_type_and_ext(filename)
+
+        # The download permission can be ignored when the permission check
+        # called from seaf-server for some file types such as video, markdown and pdf
+        # which is viewed / downloaded directly by requesting seaf-server.
+
+        ignore_download_perms = filetype in FILE_TYPE_FOR_NEW_FILE_LINK
+
        token = request.data.get('token') # account token or repo token
        ip_addr = request.data.get('ip_addr')
        user_agent = request.data.get('user_agent')
@@ -171,13 +182,15 @@ class InternalCheckFileOperationAccess(APIView):
        if username:
            op_perms = parse_repo_perm(seafile_api.check_permission_by_path(
                        repo_id, '/', username))
-            
-            if op == OP_DOWNLOAD and not op_perms.can_download:
-                error_msg = 'Permission denied.'
-                return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
+            if op == OP_DOWNLOAD:
+                if not (ignore_download_perms or op_perms.can_download):
+                    error_msg = 'Permission denied.'
+                    return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+                
            if op == OP_UPLOAD and not op_perms.can_upload:
                error_msg = 'Permission denied.'
-                return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+                return api_error(status.HTTP_403_FORBIDDEN, error_msg)
            
            send_file_access_msg(request, repo, file_path, 'web', custom_ip=ip_addr, custom_agent=user_agent)
            return Response({'user': username})