share dtable update rw permission

2025-08-01 07:10:55 +00:00 · 2019-06-27 17:02:03 +08:00 · 2019-06-27 17:02:03 +08:00 · d459fec1b3
commit d459fec1b3
parent 49545d2095
3 changed files with 41 additions and 8 deletions
--- a/seahub/api2/endpoints/dtable.py
+++ b/seahub/api2/endpoints/dtable.py
@ -29,12 +29,15 @@ from seahub.views.file import send_file_access_msg
 from seahub.auth.decorators import login_required
 from seahub.settings import MAX_UPLOAD_FILE_NAME_LEN, SHARE_LINK_EXPIRE_DAYS_MIN, \
     SHARE_LINK_EXPIRE_DAYS_MAX, SHARE_LINK_EXPIRE_DAYS_DEFAULT
+from seahub.dtable.utils import check_share_dtable_permission
+from seahub.constants import PERMISSION_ADMIN, PERMISSION_READ_WRITE


 logger = logging.getLogger(__name__)


 FILE_TYPE = '.dtable'
+WRITE_PERMISSION_TUPLE = (PERMISSION_READ_WRITE, PERMISSION_ADMIN)


 class WorkspacesView(APIView):
@ -287,7 +290,8 @@ class DTableView(APIView):
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)
        else:
-            if username != owner:
+            if username != owner and \
+                    not check_share_dtable_permission(dtable, username):
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -354,7 +358,8 @@ class DTableView(APIView):
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)
        else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -426,7 +431,8 @@ class DTableView(APIView):
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)
        else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -508,7 +514,8 @@ class DTableUpdateLinkView(APIView):
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)
        else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                error_msg = 'Permission denied.'
                return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -562,7 +569,8 @@ class DTableAssetUploadLinkView(APIView):
        # permission check
        username = request.user.username
        owner = workspace.owner
-        if username != owner:
+        if username != owner and \
+                check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -623,7 +631,8 @@ def dtable_file_view(request, workspace_id, name):
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
    else:
-        if username != owner:
+        if username != owner and \
+                not check_share_dtable_permission(dtable, username):
            error_msg = 'Permission denied.'
            return api_error(status.HTTP_403_FORBIDDEN, error_msg)

@ -672,7 +681,8 @@ def dtable_asset_access(request, workspace_id, dtable_id, path):
    # permission check
    username = request.user.username
    owner = workspace.owner
-    if username != owner:
+    if username != owner and \
+            check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
        return render_permission_error(request, 'Permission denied.')

    token = seafile_api.get_fileserver_access_token(repo_id, asset_id, 'view',
--- a/seahub/dtable/utils.py
+++ b/seahub/dtable/utils.py
@ -0,0 +1,9 @@
+from seahub.dtable.models import ShareDTable
+
+
+def check_share_dtable_permission(dtable, to_user):
+    share_dtable_obj = ShareDTable.objects.get_by_dtable_and_to_user(dtable, to_user)
+    if share_dtable_obj:
+        return share_dtable_obj.permission
+
+    return None
--- a/tests/seahub/dtable/test_api.py
+++ b/tests/seahub/dtable/test_api.py
@ -6,6 +6,12 @@ from seaserv import seafile_api

 from seahub.test_utils import BaseTestCase
 from seahub.base.templatetags.seahub_tags import email2nickname
+from tests.common.utils import randstring
+
+try:
+    from seahub.settings import LOCAL_PRO_DEV_ENV
+except ImportError:
+    LOCAL_PRO_DEV_ENV = False


 class ShareDTablesViewTest(BaseTestCase):
@ -142,6 +148,9 @@ class ShareDTableViewTest(BaseTestCase):
        self.assertEqual(400, resp.status_code)

    def test_can_not_post_with_share_to_org_user(self):
+        if not LOCAL_PRO_DEV_ENV:
+            return
+
        assert len(ShareDTable.objects.all()) == 1
        ShareDTable.objects.all().delete()
        assert len(ShareDTable.objects.all()) == 0
@ -257,10 +266,15 @@ class ShareDTableViewTest(BaseTestCase):
        self.assertEqual(404, resp.status_code)

    def test_can_not_delete_with_not_shared_user(self):
-        self.login_as(self.org_user)
+        tmp_user = self.create_user(
+            'user_%s@test.com' % randstring(4), is_staff=False)
+
+        self.login_as(tmp_user)

        data = {
            'email': self.admin.username,
        }
        resp = self.client.delete(self.url, json.dumps(data), 'application/json')
        self.assertEqual(403, resp.status_code)
+
+        self.remove_user(tmp_user.username)