From 83fbfdaeeec5f6e36e38f7ed84f39dc3c6a05861 Mon Sep 17 00:00:00 2001 From: Ranjiwei <32759763+r350178982@users.noreply.github.com> Date: Mon, 13 Oct 2025 18:07:41 +0800 Subject: [PATCH] Update internal_api.py (#8304) --- seahub/api2/endpoints/internal_api.py | 29 +++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/seahub/api2/endpoints/internal_api.py b/seahub/api2/endpoints/internal_api.py index 2e49777c40..f32aca94ab 100644 --- a/seahub/api2/endpoints/internal_api.py +++ b/seahub/api2/endpoints/internal_api.py @@ -1,5 +1,6 @@ # Copyright (c) 2012-2016 Seafile Ltd. import logging +import os from rest_framework import status from rest_framework.response import Response from rest_framework.views import APIView @@ -13,7 +14,8 @@ from seahub.repo_api_tokens.models import RepoAPITokens from seahub.share.models import UploadLinkShare, FileShare, check_share_link_access, check_share_link_access_by_scope from seaserv import seafile_api from seahub.utils.repo import parse_repo_perm -from seahub.views.file import send_file_access_msg +from seahub.views.file import send_file_access_msg, FILE_TYPE_FOR_NEW_FILE_LINK +from seahub.utils import normalize_file_path, get_file_type_and_ext logger = logging.getLogger(__name__) @@ -26,7 +28,6 @@ AVAILABLE_OPS = [ class InternalUserListView(APIView): - throttle_classes = (UserRateThrottle, ) def post(self, request): @@ -146,6 +147,7 @@ class InternalCheckFileOperationAccess(APIView): return api_error(status.HTTP_403_FORBIDDEN, error_msg) file_path = request.data.get('path', '/') + file_path = normalize_file_path(file_path) repo = seafile_api.get_repo(repo_id) if not repo: return api_error(status.HTTP_404_NOT_FOUND, 'Library %s not found.' % repo_id) 
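Review bot: The removal of `throttle_classes = (UserRateThrottle, )` from InternalUserListView in the `@@ -26,7 +28,6 @@` hunk drops per-user rate limiting on that endpoint, and neither the hunk nor the commit message ("Update internal_api.py") says why. If the reason is that this endpoint is called service-to-service, so a per-user throttle is the wrong tool, record that where the attribute used to be, e.g. `# No per-user throttle: this endpoint is intended for internal service calls, not end users`, so the next reader neither re-adds it nor assumes the endpoint is unprotected. Whether any default throttle still applies depends on project settings not visible here; if none does, post() now has no rate limit at all, which should be a deliberate choice. The class body continues past the hunk.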
@@ -154,7 +156,16 @@ class InternalCheckFileOperationAccess(APIView): if not file_id: error_msg = 'File not found' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) - + + filename = os.path.basename(file_path) + filetype, ext = get_file_type_and_ext(filename) + + # The download permission can be ignored when the permission check + # called from seaf-server for some file types such as video, markdown and pdf + # which is viewed / downloaded directly by requesting seaf-server. + + ignore_download_perms = filetype in FILE_TYPE_FOR_NEW_FILE_LINK + token = request.data.get('token') # account token or repo token ip_addr = request.data.get('ip_addr') user_agent = request.data.get('user_agent') @@ -171,13 +182,15 @@ class InternalCheckFileOperationAccess(APIView): if username: op_perms = parse_repo_perm(seafile_api.check_permission_by_path( repo_id, '/', username)) - - if op == OP_DOWNLOAD and not op_perms.can_download: - error_msg = 'Permission denied.' - return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + if op == OP_DOWNLOAD: + if not (ignore_download_perms or op_perms.can_download): + error_msg = 'Permission denied.' + return api_error(status.HTTP_403_FORBIDDEN, error_msg) + if op == OP_UPLOAD and not op_perms.can_upload: error_msg = 'Permission denied.' - return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + return api_error(status.HTTP_403_FORBIDDEN, error_msg) send_file_access_msg(request, repo, file_path, 'web', custom_ip=ip_addr, custom_agent=user_agent) return Response({'user': username})
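Review bot: `ext` from `filetype, ext = get_file_type_and_ext(filename)` is never used in the added lines, so `filetype, _ = get_file_type_and_ext(filename)` states the intent more clearly. The three-line comment is separated from `ignore_download_perms = ...` by a blank line on both sides; attaching it directly above the assignment keeps it from reading as a stray paragraph. It is also worth saying in that comment that the type is derived only from the basename of the caller-supplied path, since that is what the later permission decision rests on. The enclosing post() starts before the hunk.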
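Review bot: The new condition `if not (ignore_download_perms or op_perms.can_download)` in the last hunk admits a download op for any path whose extension maps to a type in FILE_TYPE_FOR_NEW_FILE_LINK even when the caller's permission has can_download false, and ignore_download_perms is computed in the previous hunk from `os.path.basename(file_path)` alone, so the bypass keys on the file name rather than on what is being fetched or why. The comment says the permission "can be ignored" for types that seaf-server serves directly for viewing, but as written the check also grants a plain download of any file carrying a video, markdown or pdf extension to a user who otherwise cannot download; if that is the accepted trade-off, state it explicitly, e.g. `# NOTE: download permission is bypassed by extension only; a user without download permission can still fetch the raw bytes of files with these extensions`, and if it is not, the decision needs a signal that distinguishes a preview fetch from a download instead of the extension. Minor: the nested `if op == OP_DOWNLOAD:` / `if not (...)` can be a single `if op == OP_DOWNLOAD and not (ignore_download_perms or op_perms.can_download):`, matching the adjacent can_upload check. The 400→403 change for both denials is consistent with the 403 already returned earlier in post(), which starts before the hunk.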