diff --git a/seahub/api2/authentication.py b/seahub/api2/authentication.py index 40913b0ccd..2779de541b 100644 --- a/seahub/api2/authentication.py +++ b/seahub/api2/authentication.py @@ -4,6 +4,7 @@ from rest_framework.authentication import BaseAuthentication import seaserv from seahub.base.accounts import User +from seahub.constants import GUEST_USER from seahub.api2.models import Token, TokenV2 from seahub.api2.utils import get_client_ip try: @@ -54,6 +55,14 @@ class TokenAuthentication(BaseAuthentication): return self.authenticate_v1(request, key) + def _populate_user_permissions(self, user): + """Disable some operations if ``user`` is a guest. + """ + if user.role == GUEST_USER: + user.permissions.can_add_repo = lambda: False + user.permissions.can_add_group = lambda: False + user.permissions.can_view_org = lambda: False + def authenticate_v1(self, request, key): try: token = Token.objects.get(key=key) @@ -70,6 +79,8 @@ class TokenAuthentication(BaseAuthentication): if orgs: user.org = orgs[0] + self._populate_user_permissions(user) + if user.is_active: return (user, token) @@ -89,6 +100,8 @@ class TokenAuthentication(BaseAuthentication): if orgs: user.org = orgs[0] + self._populate_user_permissions(user) + if user.is_active: need_save = False diff --git a/seahub/api2/views.py b/seahub/api2/views.py index 48afa10e41..4726f6eee1 100644 --- a/seahub/api2/views.py +++ b/seahub/api2/views.py 
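Review bot: `_populate_user_permissions` reads `user.role`, but no visible hunk assigns `role` on the `User` object, and `User.__init__` in this commit only adds `permissions`. If the role is not loaded for token-authenticated users, this line either raises AttributeError on every API request or never matches `GUEST_USER`, in which case the guest limits silently do not apply. Please confirm where `role` is set on this path, and add a test that authenticates with a guest's token and expects 403 from library and group creation. The overrides are also installed only from `authenticate_v1` and `authenticate_v2`, while the templates changed in this commit read `user.permissions.can_add_repo` on what are presumably session-authenticated requests, so those would see the permissive defaults unless a path not shown here applies the same overrides. The docstring could state the precondition, e.g. `"""Replace the permission checks with deny-all callables when user.role is GUEST_USER; role must be loaded before this is called."""`.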
@@ -478,34 +478,39 @@ class Repos(APIView): repo["random_key"] = r.random_key repos_json.append(repo) - public_repos = list_inner_pub_repos(request) - for r in public_repos: - commit = get_commits(r.repo_id, 0, 1)[0] - if not commit: - continue - r.root = commit.root_id - r.size = server_repo_size(r.repo_id) - repo = { - "type": "grepo", - "id": r.repo_id, - "name": r.repo_name, - "desc": r.repo_desc, - "owner": "Organization", - "mtime": r.last_modified, - "root": r.root, - "size": r.size, - "encrypted": r.encrypted, - "permission": r.permission, + if request.user.permissions.can_view_org(): + public_repos = list_inner_pub_repos(request) + for r in public_repos: + commit = get_commits(r.repo_id, 0, 1)[0] + if not commit: + continue + r.root = commit.root_id + r.size = server_repo_size(r.repo_id) + repo = { + "type": "grepo", + "id": r.repo_id, + "name": r.repo_name, + "desc": r.repo_desc, + "owner": "Organization", + "mtime": r.last_modified, + "root": r.root, + "size": r.size, + "encrypted": r.encrypted, + "permission": r.permission, } - if r.encrypted: - repo["enc_version"] = commit.enc_version - repo["magic"] = commit.magic - repo["random_key"] = commit.random_key - repos_json.append(repo) + if r.encrypted: + repo["enc_version"] = commit.enc_version + repo["magic"] = commit.magic + repo["random_key"] = commit.random_key + repos_json.append(repo) return Response(repos_json) def post(self, request, format=None): + if not request.user.permissions.can_add_repo(): + return api_error(status.HTTP_403_FORBIDDEN, + 'You do not have permission to create library.') + username = request.user.username repo_name = request.POST.get("name", None) repo_desc = request.POST.get("desc", 'new repo') 
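Review bot: The `can_view_org()` guard in `Repos.get` only drops inner-public libraries from this listing; it does not by itself stop a guest from addressing one of those libraries by repo id on the per-repo endpoints, which are outside this diff. Filtering a list is not an access check, so confirm those endpoints deny guests server-side. Separately, the re-indented `get_commits(r.repo_id, 0, 1)[0]` indexes before the `if not commit` test, so if the call can return an empty list it raises IndexError instead of skipping; `commits = get_commits(r.repo_id, 0, 1)` followed by `if not commits: continue` would make the skip effective. Both `get` and `post` continue outside the hunk.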
@@ -1853,6 +1858,10 @@ class DirSubRepoView(APIView): if sub_repo: result['sub_repo_id'] = sub_repo.id else: + if not request.user.permissions.can_add_repo(): + return api_error(status.HTTP_403_FORBIDDEN, + 'You do not have permission to create library.') + # create a sub-lib try: # use name as 'repo_name' & 'repo_desc' for sub_repo @@ -2262,6 +2271,10 @@ class DefaultRepoView(APIView): return Response(repo_json) def post(self, request): + if not request.user.permissions.can_add_repo(): + return api_error(status.HTTP_403_FORBIDDEN, + 'You do not have permission to create library.') + username = request.user.username repo_id = UserOptions.objects.get_default_repo(username) @@ -2541,6 +2554,10 @@ class Groups(APIView): result = {} content_type = 'application/json; charset=utf-8' + if not request.user.permissions.can_add_group(): + return api_error(status.HTTP_403_FORBIDDEN, + 'You do not have permission to create group.') + # check plan num_of_groups = getattr(request.user, 'num_of_groups', -1) if num_of_groups > 0: diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py index 6cb95331df..5768254d3e 100644 --- a/seahub/base/accounts.py +++ b/seahub/base/accounts.py @@ -14,6 +14,10 @@ from seaserv import ccnet_threaded_rpc, unset_repo_passwd, is_passwd_set from seahub.profile.models import Profile, DetailedProfile from seahub.utils import is_valid_username +try: + from seahub.settings import CLOUD_MODE +except ImportError: + CLOUD_MODE = False UNUSABLE_PASSWORD = '!' # This will never be a valid hash @@ -83,6 +87,22 @@ class UserManager(object): return user +class UserPermissions(object): + def can_add_repo(self): + """ + """ + return True + + def can_add_group(self): + """ + """ + return True + + def can_view_org(self): + """ + """ + return False if CLOUD_MODE else True + class User(object): is_staff = False is_active = False 
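Review bot: The same `can_add_repo()` / 403 guard is now copied by hand into `Repos.post`, `DirSubRepoView` and `DefaultRepoView.post`, with a `can_add_group()` twin in the `Groups` hunk, so any creation endpoint added later is unguarded unless its author remembers the snippet. A shared DRF permission class listed in each view's `permission_classes`, or one small helper that returns the `api_error` response, would keep the rule in one place and make a missing check visible in review. In `DirSubRepoView` the guard sits only in the `else` branch, so a guest can still resolve an existing sub-library; if that is intended, a comment such as `# guests may open an existing sub-library but may not create one` would record it. The enclosing methods start and end outside these hunks.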
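Review bot: `UserPermissions` defaults to allow (`can_add_repo` and `can_add_group` return True) and knows nothing about the user it belongs to, so a guest is restricted only where a caller remembers to overwrite these methods, as the lambdas in `api2/authentication.py` do. Deriving the answer from the user's role inside the class gives every construction path the same result and removes the per-instance monkeypatching; it needs `GUEST_USER` imported in this module and `UserPermissions(self)` in `User.__init__`. The three docstrings are empty and should say what each check gates. The sketch below assumes `role` is available on the user by the time a check is called, which this diff does not show.

```python
class UserPermissions(object):
    def __init__(self, user):
        self.user = user

    def _is_guest(self):
        # A missing or None role counts as a default user, as the old
        # template checks did.
        return getattr(self.user, 'role', None) == GUEST_USER

    def can_add_repo(self):
        """Return False for guests, who may not create libraries."""
        return not self._is_guest()

    def can_add_group(self):
        """Return False for guests, who may not create groups."""
        return not self._is_guest()

    def can_view_org(self):
        """Return False for guests and whenever CLOUD_MODE is on."""
        return not CLOUD_MODE and not self._is_guest()
```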
@@ -97,6 +117,7 @@ class User(object): def __init__(self, email): self.username = email self.email = email + self.permissions = UserPermissions() def __unicode__(self): return self.username diff --git a/seahub/base/context_processors.py b/seahub/base/context_processors.py index 40235a4d23..6a234ef204 100644 --- a/seahub/base/context_processors.py +++ b/seahub/base/context_processors.py @@ -32,16 +32,6 @@ try: except ImportError: MULTI_TENANCY = False -try: - from seahub.constants import DEFAULT_USER -except ImportError: - DEFAULT_USER = 'default' - -try: - from seahub.constants import GUEST_USER -except ImportError: - GUEST_USER= 'guest' - def base(request): """ Add seahub base configure to the context. @@ -85,6 +75,4 @@ def base(request): 'sysadmin_extra_enabled': ENABLE_SYSADMIN_EXTRA, 'grps': grps, 'multi_tenancy': MULTI_TENANCY, - 'default_user': DEFAULT_USER, - 'guest_user': GUEST_USER, } diff --git a/seahub/constants.py b/seahub/constants.py index 060cf1e24e..4dfc870a38 100644 --- a/seahub/constants.py +++ b/seahub/constants.py @@ -1,8 +1,5 @@ -# Default user have common operations, -# like creating group and library. -DEFUALT_USER = 'default' +# Default user have common operations, like creating group and library. +DEFAULT_USER = 'default' -# Guest user have limited operations, -# can not create group and library. +# Guest user have limited operations, can not create group and library. GUEST_USER = 'guest' - diff --git a/seahub/group/templates/group/group_info.html b/seahub/group/templates/group/group_info.html index 9527c048b4..755aaa0a85 100644 --- a/seahub/group/templates/group/group_info.html +++ b/seahub/group/templates/group/group_info.html @@ -11,7 +11,7 @@
  • {% trans "Libraries" %}
  • {% trans "Recent Changes" %}
  • - {% if request.user.role == default_user or request.user.role == None %} + {% if user.permissions.can_add_repo %} {% endif %} @@ -121,7 +121,7 @@ -{% if request.user.role == default_user or request.user.role == None %} +{% if user.permissions.can_add_repo %} {% include "snippets/repo_create_form.html" %} {% endif %} @@ -157,7 +157,7 @@ $('.download').click(function() { window.open('{{ SITE_ROOT }}seafile_access_check/?repo_id=' + e(repo_id)); }); -{% if request.user.role == default_user or request.user.role == None %} +{% if user.permissions.can_add_repo %} function repoCreateSuccessCallback() { location.reload(); } diff --git a/seahub/group/templates/group/groups.html b/seahub/group/templates/group/groups.html index 37760243a8..92505caa49 100644 --- a/seahub/group/templates/group/groups.html +++ b/seahub/group/templates/group/groups.html @@ -15,7 +15,7 @@ {% block extra_script %}