mirror of https://github.com/haiwen/seahub.git synced 2025-09-08 02:10:24 +00:00

add is_dir_downloadable check when download folder (#4590)

Co-authored-by: lian <lian@seafile.com>
lian
2020-06-18 14:25:47 +08:00
committed by GitHub
parent 389f8befee
commit 8fcfe292dc
2 changed files with 25 additions and 2 deletions


@@ -72,7 +72,13 @@ class ZipTaskView(APIView):
return api_error(status.HTTP_404_NOT_FOUND, error_msg) return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# permission check # permission check
if not check_folder_permission(request, repo_id, parent_dir): repo_folder_permission = check_folder_permission(request, repo_id, parent_dir)
if not repo_folder_permission:
error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if not json.loads(seafile_api.is_dir_downloadable(repo_id, parent_dir,
request.user.username, repo_folder_permission))['is_downloadable']:
error_msg = 'Permission denied.' error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg) return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -192,7 +198,13 @@ class ZipTaskView(APIView):
return api_error(status.HTTP_404_NOT_FOUND, error_msg) return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# permission check # permission check
if parse_repo_perm(check_folder_permission(request, repo_id, parent_dir)).can_download is False: repo_folder_permission = check_folder_permission(request, repo_id, parent_dir)
if parse_repo_perm(repo_folder_permission).can_download is False:
error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if not json.loads(seafile_api.is_dir_downloadable(repo_id, parent_dir,
request.user.username, repo_folder_permission))['is_downloadable']:
error_msg = 'Permission denied.' error_msg = 'Permission denied.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg) return api_error(status.HTTP_403_FORBIDDEN, error_msg)
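Review bot: The new `json.loads(seafile_api.is_dir_downloadable(...))['is_downloadable']` check, added identically in both hunks of this section, raises instead of denying when the reply is empty, not JSON, or lacks the key, so a backend problem becomes an unhandled 500 on a download-authorisation path. The tests in this commit are gated on `LOCAL_PRO_DEV_ENV`, which suggests the call may not be available on every deployment; if so, it needs an edition guard here too. I would parse defensively and deny on anything unexpected, as sketched below, ideally in one helper shared by both handlers; an error raised by the RPC call itself would still need whatever handling the file uses elsewhere. Separately, the first hunk accepts any non-empty permission (`if not repo_folder_permission`) while the second requires `can_download`, so it is worth confirming that difference is intended. Both handler bodies start and end outside the hunks.

```python
        # … unchanged: check_folder_permission() result checked above …
        try:
            result = json.loads(seafile_api.is_dir_downloadable(
                repo_id, parent_dir, request.user.username, repo_folder_permission))
        except (TypeError, ValueError):
            # empty or non-JSON reply: deny rather than raise
            result = {}
        if not isinstance(result, dict) or not result.get('is_downloadable'):
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
```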


@@ -27,6 +27,10 @@ class ZipTaskViewTest(BaseTestCase):
self.remove_repo() self.remove_repo()
def test_can_get_download_dir_zip_token(self): def test_can_get_download_dir_zip_token(self):
if not LOCAL_PRO_DEV_ENV:
return
self.login_as(self.user) self.login_as(self.user)
parent_dir = '/' parent_dir = '/'
@@ -41,6 +45,9 @@ class ZipTaskViewTest(BaseTestCase):
def test_can_get_download_multi_zip_token(self): def test_can_get_download_multi_zip_token(self):
if not LOCAL_PRO_DEV_ENV:
return
# create another folder for download multi # create another folder for download multi
another_folder_name = 'another_folder_name' another_folder_name = 'another_folder_name'
seafile_api.post_dir(repo_id=self.repo.id, seafile_api.post_dir(repo_id=self.repo.id,
@@ -61,6 +68,10 @@ class ZipTaskViewTest(BaseTestCase):
assert len(json_resp['zip_token']) == 36 assert len(json_resp['zip_token']) == 36
def test_can_get_zip_token_with_invalid_repo_permission(self): def test_can_get_zip_token_with_invalid_repo_permission(self):
if not LOCAL_PRO_DEV_ENV:
return
self.login_as(self.admin) self.login_as(self.admin)
parent_dir = '/' parent_dir = '/'
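Review bot: The three tests now `return` early when `LOCAL_PRO_DEV_ENV` is false, so outside that environment they are reported as passed without asserting anything. Assuming `BaseTestCase` derives from `unittest.TestCase`, `self.skipTest('requires pro dev env')` in place of the bare `return` would report them as skipped instead. No test is added for the case this commit introduces, a folder for which `is_dir_downloadable` reports false and a 403 is expected, so the new deny branch is unexercised. The import of `LOCAL_PRO_DEV_ENV` is not visible in these hunks; presumably it is already in the file.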