From ca399d38f854efd5a340b310bc2b36a6d4d38db8 Mon Sep 17 00:00:00 2001 From: zhengxie Date: Fri, 17 Feb 2017 16:49:58 +0800 Subject: [PATCH] [share link] Enlarge token length --- seahub/api2/urls.py | 10 +++++----- seahub/base/middleware.py | 2 +- seahub/settings.py | 4 ++++ seahub/share/decorators.py | 1 - seahub/share/models.py | 7 ++++--- seahub/thumbnail/urls.py | 4 ++-- seahub/urls.py | 16 ++++++++-------- tests/api/test_shares.py | 20 ++++++++++---------- 8 files changed, 34 insertions(+), 30 deletions(-) diff --git a/seahub/api2/urls.py b/seahub/api2/urls.py index ad4bccaf8a..347eb75e6c 100644 --- a/seahub/api2/urls.py +++ b/seahub/api2/urls.py @@ -43,9 +43,9 @@ urlpatterns = patterns('', url(r'^repos/(?P[-0-9a-f]{36})/download-info/$', DownloadRepo.as_view()), url(r'^repos/(?P[-0-9a-f]{36})/owner/$', RepoOwner.as_view(), name="api2-repo-owner"), url(r'^repos/(?P[-0-9a-f]{36})/download-shared-links/$', RepoDownloadSharedLinks.as_view(), name="api2-repo-download-shared-links"), - url(r'^repos/(?P[-0-9a-f]{36})/download-shared-links/(?P[a-f0-9]{10})/$', RepoDownloadSharedLink.as_view(), name="api2-repo-download-shared-link"), + url(r'^repos/(?P[-0-9a-f]{36})/download-shared-links/(?P[a-f0-9]+)/$', RepoDownloadSharedLink.as_view(), name="api2-repo-download-shared-link"), url(r'^repos/(?P[-0-9a-f]{36})/upload-shared-links/$', RepoUploadSharedLinks.as_view(), name="api2-repo-upload-shared-links"), - url(r'^repos/(?P[-0-9a-f]{36})/upload-shared-links/(?P[a-f0-9]{10})/$', RepoUploadSharedLink.as_view(), name="api2-repo-upload-shared-link"), + url(r'^repos/(?P[-0-9a-f]{36})/upload-shared-links/(?P[a-f0-9]+)/$', RepoUploadSharedLink.as_view(), name="api2-repo-upload-shared-link"), url(r'^repos/(?P[-0-9a-f]{36})/upload-link/$', UploadLinkView.as_view()), url(r'^repos/(?P[-0-9a-f]{36})/update-link/$', UpdateLinkView.as_view()), url(r'^repos/(?P[-0-9a-f]{36})/upload-blks-link/$', UploadBlksLinkView.as_view()), 
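Review bot: The two shared-link routes in this hunk now accept a token of any length (`[a-f0-9]+`), while the model column changed elsewhere in this patch caps tokens at 100 characters and the updated tests expect 10 to 100. A bounded quantifier such as `[a-f0-9]{10,100}` would stop over-long path segments before they reach the view and the token lookup. The same applies to the other `[a-f0-9]+` routes in seahub/api2/urls.py, seahub/thumbnail/urls.py and seahub/urls.py. The lower bound of 10 assumes SHARE_LINK_TOKEN_LENGTH is never configured below the old length, which nothing in the visible changes enforces.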
@@ -82,9 +82,9 @@ urlpatterns = patterns('', url(r'^organization/$', OrganizationView.as_view()), - url(r'^f/(?P[a-f0-9]{10})/$', SharedFileView.as_view()), - url(r'^f/(?P[a-f0-9]{10})/detail/$', SharedFileDetailView.as_view()), - url(r'^d/(?P[a-f0-9]{10})/dir/$', SharedDirView.as_view()), + url(r'^f/(?P[a-f0-9]+)/$', SharedFileView.as_view()), + url(r'^f/(?P[a-f0-9]+)/detail/$', SharedFileDetailView.as_view()), + url(r'^d/(?P[a-f0-9]+)/dir/$', SharedDirView.as_view()), url(r'^events/$', EventsView.as_view()), url(r'^repo_history_changes/(?P[-0-9a-f]{36})/$', RepoHistoryChange.as_view()), diff --git a/seahub/base/middleware.py b/seahub/base/middleware.py index d66fc29694..05137f4c51 100644 --- a/seahub/base/middleware.py +++ b/seahub/base/middleware.py @@ -83,7 +83,7 @@ class ForcePasswdChangeMiddleware(object): def _request_in_black_list(self, request): path = request.path black_list = (r'^%s$' % SITE_ROOT, r'home/.+', r'repo/.+', - r'[f|d]/[a-f][0-9]{10}', r'group/\d+', r'groups/', + r'[f|d]/[a-f][0-9]+', r'group/\d+', r'groups/', r'share/', r'profile/', r'notification/list/') for patt in black_list: diff --git a/seahub/settings.py b/seahub/settings.py index 3606e3426a..d199c85f59 100644 --- a/seahub/settings.py +++ b/seahub/settings.py @@ -259,6 +259,9 @@ ENABLE_ENCRYPTED_LIBRARY = True # mininum length for password of encrypted library REPO_PASSWORD_MIN_LENGTH = 8 +# token length for the share link +SHARE_LINK_TOKEN_LENGTH = 20 + # mininum length for the password of a share link SHARE_LINK_PASSWORD_MIN_LENGTH = 8 @@ -656,6 +659,7 @@ CONSTANCE_CONFIG = { 'USER_PASSWORD_MIN_LENGTH': (USER_PASSWORD_MIN_LENGTH,''), 'USER_PASSWORD_STRENGTH_LEVEL': (USER_PASSWORD_STRENGTH_LEVEL,''), + 'SHARE_LINK_TOKEN_LENGTH': (SHARE_LINK_TOKEN_LENGTH, ''), 'SHARE_LINK_PASSWORD_MIN_LENGTH': (SHARE_LINK_PASSWORD_MIN_LENGTH,''), 'ENABLE_TWO_FACTOR_AUTH': (ENABLE_TWO_FACTOR_AUTH,''), } 
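Review bot: The share-link entry in `black_list` still does not describe a hex token: `[a-f][0-9]+` is one letter from a to f followed only by digits, and `[f|d]` also accepts a literal `|`. With the quantifier relaxed to `+`, a share-link path appears to match only when its token happens to start with such a letter-then-digit sequence, so the forced-password-change check would treat share links inconsistently. The pattern presumably intended is `r'[fd]/[a-f0-9]+'`. How each pattern is applied to `path` (search or match) lies outside this hunk, so the exact set of affected URLs should be confirmed there.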
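Review bot: SHARE_LINK_TOKEN_LENGTH is registered in CONSTANCE_CONFIG without any bounds, so it can be changed at runtime to a value that weakens or breaks share links. A small value leaves tokens open to enumeration, and anything above 100 exceeds the `max_length=100` this patch gives `FileShare.token`. The comment on the setting should state the allowed range, for example `# token length for the share link; keep between 20 and 100`, and the value should be clamped where seahub/share/models.py reads it before calling `gen_token`.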
diff --git a/seahub/share/decorators.py b/seahub/share/decorators.py index 6a3a64744c..3881f2a374 100644 --- a/seahub/share/decorators.py +++ b/seahub/share/decorators.py @@ -15,7 +15,6 @@ def share_link_audit(func): fileshare = FileShare.objects.get_valid_file_link_by_token(token) or \ FileShare.objects.get_valid_dir_link_by_token(token) or \ UploadLinkShare.objects.get_valid_upload_link_by_token(token) - if fileshare is None: raise Http404 diff --git a/seahub/share/models.py b/seahub/share/models.py index 940c4e95ab..3a17b57249 100644 --- a/seahub/share/models.py +++ b/seahub/share/models.py @@ -6,6 +6,7 @@ from django.db import models from django.utils import timezone from django.utils.translation import ugettext_lazy as _ from django.contrib.auth.hashers import make_password, check_password +from constance import config from seahub.base.fields import LowerCaseCharField from seahub.utils import normalize_file_path, normalize_dir_path, gen_token,\ @@ -86,7 +87,7 @@ class FileShareManager(models.Manager): else: password_enc = None - token = gen_token(max_length=10) + token = gen_token(max_length=config.SHARE_LINK_TOKEN_LENGTH) fs = super(FileShareManager, self).create( username=username, repo_id=repo_id, path=path, token=token, s_type=s_type, password=password_enc, expire_date=expire_date) @@ -155,7 +156,7 @@ class FileShare(models.Model): username = LowerCaseCharField(max_length=255, db_index=True) repo_id = models.CharField(max_length=36, db_index=True) path = models.TextField() - token = models.CharField(max_length=10, unique=True) + token = models.CharField(max_length=100, unique=True) ctime = models.DateTimeField(default=datetime.datetime.now) view_cnt = models.IntegerField(default=0) s_type = models.CharField(max_length=2, db_index=True, default='f') # `f` or `d` 
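Review bot: Widening `FileShare.token` to `max_length=100` changes the database schema, but the diffstat of this patch lists no migration or SQL upgrade file. On an existing installation the column would still hold 10 characters, so a 20-character token is either rejected or, on a database that truncates silently, stored in a form that no longer matches the link handed to the user. A schema migration, or the project's upgrade script if schema is managed outside Django migrations, should ship with this change. The class body continues outside the hunk.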
@@ -226,7 +227,7 @@ class UploadLinkShareManager(models.Manager): def create_upload_link_share(self, username, repo_id, path, password=None, expire_date=None): path = normalize_dir_path(path) - token = gen_token(max_length=10) + token = gen_token(max_length=config.SHARE_LINK_TOKEN_LENGTH) if password is not None: password_enc = make_password(password) else: diff --git a/seahub/thumbnail/urls.py b/seahub/thumbnail/urls.py index b6c3adb2d0..ff46edeb76 100644 --- a/seahub/thumbnail/urls.py +++ b/seahub/thumbnail/urls.py @@ -7,6 +7,6 @@ from views import thumbnail_create, thumbnail_get, share_link_thumbnail_get, \ urlpatterns = patterns('', url(r'^(?P[-0-9a-f]{36})/create/$', thumbnail_create, name='thumbnail_create'), url(r'^(?P[-0-9a-f]{36})/(?P[0-9]+)/(?P.*)$', thumbnail_get, name='thumbnail_get'), - url(r'^(?P[a-f0-9]{10})/create/$', share_link_thumbnail_create, name='share_link_thumbnail_create'), - url(r'^(?P[a-f0-9]{10})/(?P[0-9]+)/(?P.*)$', share_link_thumbnail_get, name='share_link_thumbnail_get'), + url(r'^(?P[a-f0-9]+)/create/$', share_link_thumbnail_create, name='share_link_thumbnail_create'), + url(r'^(?P[a-f0-9]+)/(?P[0-9]+)/(?P.*)$', share_link_thumbnail_get, name='share_link_thumbnail_get'), ) diff --git a/seahub/urls.py b/seahub/urls.py index 9f59ca6742..9b3568e2c7 100644 --- a/seahub/urls.py +++ b/seahub/urls.py 
@@ -118,11 +118,11 @@ urlpatterns = patterns( url(r'^#group/(?P\d+)/settings/$', fake_view, name='group_manage'), ### share/upload link ### - url(r'^f/(?P[a-f0-9]{10})/$', view_shared_file, name='view_shared_file'), - url(r'^f/(?P[a-f0-9]{10})/raw/(?P[0-9a-f]{40})/(?P.*)', view_raw_shared_file, name='view_raw_shared_file'), - url(r'^d/(?P[a-f0-9]{10})/$', view_shared_dir, name='view_shared_dir'), - url(r'^d/(?P[a-f0-9]{10})/files/$', view_file_via_shared_dir, name='view_file_via_shared_dir'), - url(r'^u/d/(?P[a-f0-9]{10})/$', view_shared_upload_link, name='view_shared_upload_link'), + url(r'^f/(?P[a-f0-9]+)/$', view_shared_file, name='view_shared_file'), + url(r'^f/(?P[a-f0-9]+)/raw/(?P[0-9a-f]{40})/(?P.*)', view_raw_shared_file, name='view_raw_shared_file'), + url(r'^d/(?P[a-f0-9]+)/$', view_shared_dir, name='view_shared_dir'), + url(r'^d/(?P[a-f0-9]+)/files/$', view_file_via_shared_dir, name='view_file_via_shared_dir'), + url(r'^u/d/(?P[a-f0-9]+)/$', view_shared_upload_link, name='view_shared_upload_link'), ### Misc ### url(r'^image-view/(?P.*)$', image_view, name='image_view'), @@ -145,7 +145,7 @@ urlpatterns = patterns( url(r'^ajax/repo/(?P[-0-9a-f]{36})/current_commit/$', get_current_commit, name='get_current_commit'), url(r'^ajax/repo/(?P[-0-9a-f]{36})/history/changes/$', repo_history_changes, name='repo_history_changes'), url(r'^ajax/repo/(?P[-0-9a-f]{36})/encrypted_file/(?P[0-9a-f]{40})/download/$', download_enc_file, name='download_enc_file'), - url(r'^ajax/u/d/(?P[-0-9a-f]{10})/upload/$', get_file_upload_url_ul, name='get_file_upload_url_ul'), + url(r'^ajax/u/d/(?P[-0-9a-f]+)/upload/$', get_file_upload_url_ul, name='get_file_upload_url_ul'), url(r'^ajax/group/(?P\d+)/repos/$', get_unenc_group_repos, name='get_group_repos'), url(r'^ajax/group/(?P\d+)/members/import/$', ajax_group_members_import, name='ajax_group_members_import'), url(r'^ajax/unenc-rw-repos/$', unenc_rw_repos, name='unenc_rw_repos'), 
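Review bot: The upload-link route `ajax/u/d/.../upload/` keeps a hyphen in its character class (`[-0-9a-f]+`), unlike every other token route changed in this patch. The hyphen looks like a leftover from the 36-character repo pattern; judging by the other routes, share tokens are plain hex. Using `[a-f0-9]+` here, or the bounded form if one is adopted, keeps the accepted token alphabet identical across routes.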
@@ -173,9 +173,9 @@ urlpatterns = patterns( url(r'^api/v2.1/shared-repos/$', SharedRepos.as_view(), name='api-v2.1-shared-repos'), url(r'^api/v2.1/shared-repos/(?P[-0-9a-f]{36})/$', SharedRepo.as_view(), name='api-v2.1-shared-repo'), url(r'^api/v2.1/share-links/$', ShareLinks.as_view(), name='api-v2.1-share-links'), - url(r'^api/v2.1/share-links/(?P[a-f0-9]{10})/$', ShareLink.as_view(), name='api-v2.1-share-link'), + url(r'^api/v2.1/share-links/(?P[a-f0-9]+)/$', ShareLink.as_view(), name='api-v2.1-share-link'), url(r'^api/v2.1/upload-links/$', UploadLinks.as_view(), name='api-v2.1-upload-links'), - url(r'^api/v2.1/upload-links/(?P[a-f0-9]{10})/$', UploadLink.as_view(), name='api-v2.1-upload-link'), + url(r'^api/v2.1/upload-links/(?P[a-f0-9]+)/$', UploadLink.as_view(), name='api-v2.1-upload-link'), url(r'^api/v2.1/repos/(?P[-0-9a-f]{36})/file/$', FileView.as_view(), name='api-v2.1-file-view'), url(r'^api/v2.1/repos/(?P[-0-9a-f]{36})/dirents/download-link/$', DirentsDownloadLinkView.as_view(), name='api-v2.1-dirents-download-link-view'), url(r'^api/v2.1/repos/(?P[-0-9a-f]{36})/zip-task/$', ZipTaskView.as_view(), name='api-v2.1-zip-task'), diff --git a/tests/api/test_shares.py b/tests/api/test_shares.py index aaef030f20..3a7b8ec03b 100644 --- a/tests/api/test_shares.py +++ b/tests/api/test_shares.py @@ -53,7 +53,7 @@ class FileSharedLinkApiTest(BaseTestCase): ) self.assertEqual(201, resp.status_code) self.assertRegexpMatches(resp._headers['location'][1], - r'http(.*)/f/(\w{10,10})/') + r'http(.*)/f/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] self.assertIsNotNone(FileShare.objects.get(token=token)) @@ -69,7 +69,7 @@ class FileSharedLinkApiTest(BaseTestCase): ) self.assertEqual(201, resp.status_code) self.assertRegexpMatches(resp._headers['location'][1], - r'http(.*)/f/(\w{10,10})/') + r'http(.*)/f/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) 
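Review bot: The relaxed assertion `\w{10,100}` would still pass if tokens stayed 10 characters long, so nothing in this test file checks that the new setting takes effect. After `token` is extracted, a check such as `self.assertEqual(len(token), config.SHARE_LINK_TOKEN_LENGTH)` (with `from constance import config`) would pin the behaviour, and `\w` could be narrowed to `[a-f0-9]` to match the URL routes. The same assertion is repeated in the remaining hunks of tests/api/test_shares.py. The test methods start and end outside the hunks.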
@@ -86,7 +86,7 @@ class FileSharedLinkApiTest(BaseTestCase): ) self.assertEqual(201, resp.status_code) self.assertRegexpMatches(resp._headers['location'][1], - r'http(.*)/f/(\w{10,10})/') + r'http(.*)/f/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) @@ -103,7 +103,7 @@ class FileSharedLinkApiTest(BaseTestCase): ) self.assertEqual(201, resp.status_code) self.assertRegexpMatches(resp._headers['location'][1], - r'http(.*)/f/(\w{10,10})/') + r'http(.*)/f/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) @@ -122,7 +122,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/d/(\w{10,10})/') + r'http(.*)/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] self.assertIsNotNone(FileShare.objects.get(token=token)) @@ -139,7 +139,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/d/(\w{10,10})/') + r'http(.*)/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) @@ -157,7 +157,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/d/(\w{10,10})/') + r'http(.*)/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) 
@@ -175,7 +175,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/d/(\w{10,10})/') + r'http(.*)/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] fileshare = FileShare.objects.get(token=token) @@ -194,7 +194,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/u/d/(\w{10,10})/') + r'http(.*)/u/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] self.assertIsNotNone(UploadLinkShare.objects.get(token=token)) @@ -211,7 +211,7 @@ class FileSharedLinkApiTest(BaseTestCase): self.assertEqual(201, resp.status_code) self.dir_link_location = resp._headers['location'][1] self.assertRegexpMatches(self.dir_link_location, - r'http(.*)/u/d/(\w{10,10})/') + r'http(.*)/u/d/(\w{10,100})/') token = resp._headers['location'][1].split('/')[-2] uls = UploadLinkShare.objects.get(token=token)