diff --git a/seahub/templates/share_access_validation.html b/seahub/templates/share_access_validation.html index 7cceec216b..f7cbe01948 100644 --- a/seahub/templates/share_access_validation.html +++ b/seahub/templates/share_access_validation.html @@ -4,7 +4,11 @@ {% block main_panel %}

{% trans "Please input the password if you want to browse the shared file/directory. And the password will be kept on the server for only 1 hour." %}

+ {% if path %} +
{% csrf_token %} + {% else %} {% csrf_token %} + {% endif %} diff --git a/seahub/views/file.py b/seahub/views/file.py index dae4fd4baa..8fabde6963 100644 --- a/seahub/views/file.py +++ b/seahub/views/file.py @@ -868,6 +868,27 @@ def view_raw_shared_file(request, token, obj_id, file_name): if fileshare is None: raise Http404 + if fileshare.is_encrypted(): + if not check_share_link_access(request, token): + if fileshare.is_file_share_link(): + d = {'token': token, 'view_name': 'view_shared_file', } + else: + d = {'token': token, 'view_name': 'view_shared_dir', } + + if request.method == 'POST': + post_values = request.POST.copy() + post_values['enc_password'] = fileshare.password + form = SharedLinkPasswordForm(post_values) + d['form'] = form + if form.is_valid(): + set_share_link_access(request, token) + else: + return render_to_response('share_access_validation.html', d, + context_instance=RequestContext(request)) + else: + return render_to_response('share_access_validation.html', d, + context_instance=RequestContext(request)) + repo_id = fileshare.repo_id repo = get_repo(repo_id) if not repo: 
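Review bot: The password gate added to `view_raw_shared_file` is a near-identical copy of the block this commit also adds to `view_file_via_shared_dir`, and keeping one copy per view is presumably how these two views ended up without the check. Moving it into a single helper that returns the prompt response or `None` makes it harder for the next share-link view to miss it; only the `d` dict differs between the callers. Nothing in the visible lines limits repeated password attempts, so unless `SharedLinkPasswordForm` or code outside this diff throttles them, that helper is also the natural place to add it. The function body starts and ends outside the hunk.

```python
def _share_link_password_gate(request, token, fileshare, d):
    # Returns the password-prompt response, or None once access is granted.
    if not fileshare.is_encrypted() or check_share_link_access(request, token):
        return None
    if request.method == 'POST':
        post_values = request.POST.copy()
        post_values['enc_password'] = fileshare.password
        form = SharedLinkPasswordForm(post_values)
        d['form'] = form
        if form.is_valid():
            set_share_link_access(request, token)
            return None
    return render_to_response('share_access_validation.html', d,
                              context_instance=RequestContext(request))

# in view_raw_shared_file, after the `fileshare is None` check:
    view_name = 'view_shared_file' if fileshare.is_file_share_link() else 'view_shared_dir'
    resp = _share_link_password_gate(request, token, fileshare,
                                     {'token': token, 'view_name': view_name})
    if resp is not None:
        return resp
    # … unchanged: repo lookup …
```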
@@ -904,6 +925,31 @@ def view_file_via_shared_dir(request, token): if fileshare is None: raise Http404 + + req_path = request.GET.get('p', '').rstrip('/') + if not req_path: + return HttpResponseRedirect(reverse('view_shared_dir', args=[token])) + + if fileshare.is_encrypted(): + if not check_share_link_access(request, token): + d = {'token': token, + 'view_name': 'view_file_via_shared_dir', + 'path': req_path, + } + if request.method == 'POST': + post_values = request.POST.copy() + post_values['enc_password'] = fileshare.password + form = SharedLinkPasswordForm(post_values) + d['form'] = form + if form.is_valid(): + set_share_link_access(request, token) + else: + return render_to_response('share_access_validation.html', d, + context_instance=RequestContext(request)) + else: + return render_to_response('share_access_validation.html', d, + context_instance=RequestContext(request)) + if request.GET.get('dl', '') == '1': # download shared file return _download_file_from_share_link(request, fileshare) @@ -916,10 +962,6 @@ def view_file_via_shared_dir(request, token): # Get file path from frontend, and construct request file path # with fileshare.path to real path, used to fetch file content by RPC. - req_path = request.GET.get('p', '').rstrip('/') - if not req_path: - raise Http404 - real_path = posixpath.join(fileshare.path, req_path.lstrip('/')) # generate dir navigator diff --git a/tests/seahub/views/test_shared_dir.py b/tests/seahub/views/test_shared_dir.py index 8104b19a2c..1a17f7af06 100644 --- a/tests/seahub/views/test_shared_dir.py +++ b/tests/seahub/views/test_shared_dir.py @@ -1,3 +1,4 @@ +import os from django.core.urlresolvers import reverse from django.test import TestCase @@ -49,6 +50,8 @@ class EncryptSharedDirTest(TestCase, Fixtures): self.fs = FileShare.objects.create_dir_link(**share_file_info) self.sub_dir = self.folder + self.sub_file = self.file + self.filename= os.path.basename(self.file) def tearDown(self): self.remove_repo() 
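Review bot: In `view_file_via_shared_dir`, `req_path` comes straight from the `p` query parameter with only trailing slashes stripped, and it is now passed to the validation template as `path` as well as joined onto `fileshare.path` further down. Normalising it once, right after the empty-path redirect, would cover both uses: `req_path = posixpath.normpath('/' + req_path.lstrip('/'))` clamps any `..` segments at the share root. Whether the storage backend already rejects such segments is not visible here. The template's form markup did not survive on this page, so it is worth confirming that `path` is URL-encoded where it goes into the form action. The function continues outside the hunk.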
@@ -100,3 +103,41 @@ class EncryptSharedDirTest(TestCase, Fixtures): self.assertEqual(200, resp.status_code) self.assertTemplateNotUsed(resp, 'share_access_validation.html') self.assertTemplateUsed(resp, 'view_shared_dir.html') + + def test_view_file_via_shared_dir(self): + resp = self.client.post( + reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file, { + 'password': '12345678' + } + ) + + self.assertEqual(200, resp.status_code) + self.assertTemplateNotUsed(resp, 'share_access_validation.html') + self.assertTemplateUsed(resp, 'shared_file_view.html') + self.assertContains(resp, '%s' % self.filename) + + resp = self.client.get( + reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file + ) + self.assertEqual(200, resp.status_code) + self.assertTemplateNotUsed(resp, 'share_access_validation.html') + self.assertTemplateUsed(resp, 'shared_file_view.html') + self.assertContains(resp, '%s' % self.filename) + + def test_view_file_via_shared_dir_without_password(self): + resp = self.client.get( + reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file + ) + self.assertEqual(200, resp.status_code) + self.assertTemplateUsed(resp, 'share_access_validation.html') + + def test_view_file_via_shared_dir_with_wrong_password(self): + resp = self.client.post( + reverse('view_file_via_shared_dir', args=[self.fs.token]), { + 'password': '1234567' + } + ) + + self.assertEqual(200, resp.status_code) + self.assertTemplateUsed(resp, 'share_access_validation.html') + self.assertContains(resp, 'Please enter a correct password')
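Review bot: `test_view_file_via_shared_dir_with_wrong_password` posts to the view without `?p=`, so as far as the view hunk shows, the request takes the new empty-path branch and is redirected to `view_shared_dir` rather than reaching the password check it is meant to exercise. Build the URL like the other two tests, `reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file`, so the wrong password is rejected by `view_file_via_shared_dir` itself. The password gate added to `view_raw_shared_file` has no test in this change; a GET without a prior password, asserting that `share_access_validation.html` is rendered, would cover it.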