haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-07-17 08:41:40 +00:00
Code Issues Releases Wiki Activity

Merge pull request #946 from haiwen/view-file

Browse Source 
add password check when view file via dir share
This commit is contained in:
xiez 2015-12-16 19:12:32 +08:00
commit ad658ac746
3 changed files with 91 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
seahub/templates/share_access_validation.html
View File

@ -4,7 +4,11 @@
{% block main_panel %} {% block main_panel %}
<div class="wide-panel"> <div class="wide-panel">
<p class="access-notice">{% trans "Please input the password if you want to browse the shared file/directory. And the password will be kept on the server for only 1 hour." %}</p> <p class="access-notice">{% trans "Please input the password if you want to browse the shared file/directory. And the password will be kept on the server for only 1 hour." %}</p>
{% if path %}
<form action="{% url view_name token %}?p={{ path }}" method="post" id="share-passwd-form">{% csrf_token %}
{% else %}
<form action="{% url view_name token %}" method="post" id="share-passwd-form">{% csrf_token %} <form action="{% url view_name token %}" method="post" id="share-passwd-form">{% csrf_token %}
{% endif %}
<label>{% trans "Password: " %}</label> <label>{% trans "Password: " %}</label>
<input type="password" name="password" autofocus /> <input type="password" name="password" autofocus />
<input type="submit" value="{% trans "Submit" %}" /> <input type="submit" value="{% trans "Submit" %}" />

50
seahub/views/file.py
View File

@ -868,6 +868,27 @@ def view_raw_shared_file(request, token, obj_id, file_name):
if fileshare is None: if fileshare is None:
raise Http404 raise Http404
if fileshare.is_encrypted():
if not check_share_link_access(request, token):
if fileshare.is_file_share_link():
d = {'token': token, 'view_name': 'view_shared_file', }
else:
d = {'token': token, 'view_name': 'view_shared_dir', }
if request.method == 'POST':
post_values = request.POST.copy()
post_values['enc_password'] = fileshare.password
form = SharedLinkPasswordForm(post_values)
d['form'] = form
if form.is_valid():
set_share_link_access(request, token)
else:
return render_to_response('share_access_validation.html', d,
context_instance=RequestContext(request))
else:
return render_to_response('share_access_validation.html', d,
context_instance=RequestContext(request))
repo_id = fileshare.repo_id repo_id = fileshare.repo_id
repo = get_repo(repo_id) repo = get_repo(repo_id)
if not repo: if not repo:
@ -904,6 +925,31 @@ def view_file_via_shared_dir(request, token):
if fileshare is None: if fileshare is None:
raise Http404 raise Http404
req_path = request.GET.get('p', '').rstrip('/')
if not req_path:
return HttpResponseRedirect(reverse('view_shared_dir', args=[token]))
if fileshare.is_encrypted():
if not check_share_link_access(request, token):
d = {'token': token,
'view_name': 'view_file_via_shared_dir',
'path': req_path,
}
if request.method == 'POST':
post_values = request.POST.copy()
post_values['enc_password'] = fileshare.password
form = SharedLinkPasswordForm(post_values)
d['form'] = form
if form.is_valid():
set_share_link_access(request, token)
else:
return render_to_response('share_access_validation.html', d,
context_instance=RequestContext(request))
else:
return render_to_response('share_access_validation.html', d,
context_instance=RequestContext(request))
if request.GET.get('dl', '') == '1': if request.GET.get('dl', '') == '1':
# download shared file # download shared file
return _download_file_from_share_link(request, fileshare) return _download_file_from_share_link(request, fileshare)
@ -916,10 +962,6 @@ def view_file_via_shared_dir(request, token):
# Get file path from frontend, and construct request file path # Get file path from frontend, and construct request file path
# with fileshare.path to real path, used to fetch file content by RPC. # with fileshare.path to real path, used to fetch file content by RPC.
req_path = request.GET.get('p', '').rstrip('/')
if not req_path:
raise Http404
real_path = posixpath.join(fileshare.path, req_path.lstrip('/')) real_path = posixpath.join(fileshare.path, req_path.lstrip('/'))
# generate dir navigator # generate dir navigator

41
tests/seahub/views/test_shared_dir.py
View File

@ -1,3 +1,4 @@
import os
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.test import TestCase from django.test import TestCase
@ -49,6 +50,8 @@ class EncryptSharedDirTest(TestCase, Fixtures):
self.fs = FileShare.objects.create_dir_link(**share_file_info) self.fs = FileShare.objects.create_dir_link(**share_file_info)
self.sub_dir = self.folder self.sub_dir = self.folder
self.sub_file = self.file
self.filename= os.path.basename(self.file)
def tearDown(self): def tearDown(self):
self.remove_repo() self.remove_repo()
@ -100,3 +103,41 @@ class EncryptSharedDirTest(TestCase, Fixtures):
self.assertEqual(200, resp.status_code) self.assertEqual(200, resp.status_code)
self.assertTemplateNotUsed(resp, 'share_access_validation.html') self.assertTemplateNotUsed(resp, 'share_access_validation.html')
self.assertTemplateUsed(resp, 'view_shared_dir.html') self.assertTemplateUsed(resp, 'view_shared_dir.html')
def test_view_file_via_shared_dir(self):
resp = self.client.post(
reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file, {
'password': '12345678'
}
)
self.assertEqual(200, resp.status_code)
self.assertTemplateNotUsed(resp, 'share_access_validation.html')
self.assertTemplateUsed(resp, 'shared_file_view.html')
self.assertContains(resp, '%s</h2>' % self.filename)
resp = self.client.get(
reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file
)
self.assertEqual(200, resp.status_code)
self.assertTemplateNotUsed(resp, 'share_access_validation.html')
self.assertTemplateUsed(resp, 'shared_file_view.html')
self.assertContains(resp, '%s</h2>' % self.filename)
def test_view_file_via_shared_dir_without_password(self):
resp = self.client.get(
reverse('view_file_via_shared_dir', args=[self.fs.token]) + '?p=' + self.sub_file
)
self.assertEqual(200, resp.status_code)
self.assertTemplateUsed(resp, 'share_access_validation.html')
def test_view_file_via_shared_dir_with_wrong_password(self):
resp = self.client.post(
reverse('view_file_via_shared_dir', args=[self.fs.token]), {
'password': '1234567'
}
)
self.assertEqual(200, resp.status_code)
self.assertTemplateUsed(resp, 'share_access_validation.html')
self.assertContains(resp, 'Please enter a correct password')