add is_dir_downloadable check when download folder (#4590)

Co-authored-by: lian <lian@seafile.com>
2025-09-08 02:10:24 +00:00 · 2020-06-18 14:25:47 +08:00
parent 389f8befee
commit 8fcfe292dc
2 changed files with 25 additions and 2 deletions
--- a/seahub/api2/endpoints/zip_task.py
+++ b/seahub/api2/endpoints/zip_task.py
@@ -72,7 +72,13 @@ class ZipTaskView(APIView):
            return api_error(status.HTTP_404_NOT_FOUND, error_msg)

        # permission check
-        if not check_folder_permission(request, repo_id, parent_dir):
+        repo_folder_permission = check_folder_permission(request, repo_id, parent_dir)
+        if not repo_folder_permission:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
+        if not json.loads(seafile_api.is_dir_downloadable(repo_id, parent_dir,
+                request.user.username, repo_folder_permission))['is_downloadable']:
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@@ -192,7 +198,13 @@ class ZipTaskView(APIView):
            return api_error(status.HTTP_404_NOT_FOUND, error_msg)

        # permission check
-        if parse_repo_perm(check_folder_permission(request, repo_id, parent_dir)).can_download is False:
+        repo_folder_permission = check_folder_permission(request, repo_id, parent_dir)
+        if parse_repo_perm(repo_folder_permission).can_download is False:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
+        if not json.loads(seafile_api.is_dir_downloadable(repo_id, parent_dir,
+                request.user.username, repo_folder_permission))['is_downloadable']:
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

--- a/tests/api/endpoints/test_zip_task.py
+++ b/tests/api/endpoints/test_zip_task.py
@@ -27,6 +27,10 @@ class ZipTaskViewTest(BaseTestCase):
        self.remove_repo()

    def test_can_get_download_dir_zip_token(self):
+
+        if not LOCAL_PRO_DEV_ENV:
+            return
+
        self.login_as(self.user)

        parent_dir = '/'
@@ -41,6 +45,9 @@ class ZipTaskViewTest(BaseTestCase):

    def test_can_get_download_multi_zip_token(self):

+        if not LOCAL_PRO_DEV_ENV:
+            return
+
        # create another folder for download multi
        another_folder_name = 'another_folder_name'
        seafile_api.post_dir(repo_id=self.repo.id,
@@ -61,6 +68,10 @@ class ZipTaskViewTest(BaseTestCase):
        assert len(json_resp['zip_token']) == 36

    def test_can_get_zip_token_with_invalid_repo_permission(self):
+
+        if not LOCAL_PRO_DEV_ENV:
+            return
+
        self.login_as(self.admin)

        parent_dir = '/'