permission check when user list dirent in received repo (#4804)

Co-authored-by: lian <lian@seafile.com>
2025-09-21 11:27:18 +00:00 · 2021-01-27 14:17:00 +08:00
parent 4dad1b5ab5
commit a79d9327cb
1 changed files with 9 additions and 9 deletions
--- a/seahub/api2/endpoints/ocm_repos.py
+++ b/seahub/api2/endpoints/ocm_repos.py
@@ -41,21 +41,21 @@ class OCMReposDirView(APIView):
            error_msg = 'with_thumbnail invalid.'
            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)

-        ocm_share_received = OCMShareReceived.objects.filter(provider_id=provider_id, repo_id=repo_id).first()
+        username = request.user.username
+        ocm_share_received = OCMShareReceived.objects.filter(provider_id=provider_id,
+                                                             repo_id=repo_id,
+                                                             to_user=username)
        if not ocm_share_received:
-            error_msg = 'Library %s not found.' % repo_id
-            return api_error(status.HTTP_404_NOT_FOUND, error_msg)
-
-        if ocm_share_received.to_user != request.user.username:
-            error_msg = 'permission denied.'
+            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

-        url = ocm_share_received.from_server_url + VIA_REPO_TOKEN_URL['DIR']
+        url = ocm_share_received[0].from_server_url + VIA_REPO_TOKEN_URL['DIR']
        params = {
            'path': path,
            'with_thumbnail': with_thumbnail,
        }
-        headers = {'Authorization': 'token ' + ocm_share_received.shared_secret}
+        headers = {'Authorization': 'token ' + ocm_share_received[0].shared_secret}
+
        try:
            resp = send_get_request(url, params=params, headers=headers)
        except Exception as e: