From d459fec1b35629cd6fde8fd0595f533ecbfeca4b Mon Sep 17 00:00:00 2001
From: sniper-py
Date: Thu, 27 Jun 2019 17:02:03 +0800
Subject: [PATCH] share dtable update rw permission
---
 seahub/api2/endpoints/dtable.py | 24 +++++++++++++++++-------
 seahub/dtable/utils.py | 9 +++++++++
 tests/seahub/dtable/test_api.py | 16 +++++++++++++++-
 3 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 seahub/dtable/utils.py
diff --git a/seahub/api2/endpoints/dtable.py b/seahub/api2/endpoints/dtable.py
index 60ab39f4cc..97d67038ba 100644
--- a/seahub/api2/endpoints/dtable.py
+++ b/seahub/api2/endpoints/dtable.py
@@ -29,12 +29,15 @@ from seahub.views.file import send_file_access_msg
 from seahub.auth.decorators import login_required
 from seahub.settings import MAX_UPLOAD_FILE_NAME_LEN, SHARE_LINK_EXPIRE_DAYS_MIN, \
 SHARE_LINK_EXPIRE_DAYS_MAX, SHARE_LINK_EXPIRE_DAYS_DEFAULT
+from seahub.dtable.utils import check_share_dtable_permission
+from seahub.constants import PERMISSION_ADMIN, PERMISSION_READ_WRITE
 logger = logging.getLogger(__name__)
 FILE_TYPE = '.dtable'
+WRITE_PERMISSION_TUPLE = (PERMISSION_READ_WRITE, PERMISSION_ADMIN)
 class WorkspacesView(APIView):
@@ -287,7 +290,8 @@ class DTableView(APIView):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 else:
- if username != owner:
+ if username != owner and \
+ not check_share_dtable_permission(dtable, username):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -354,7 +358,8 @@ class DTableView(APIView):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 else:
- if username != owner:
+ if username != owner and \
+ check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
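Review bot: The new condition in the `else:` branch of this DTableView handler (hunk -287) treats any truthy value returned by `check_share_dtable_permission(dtable, username)` as sufficient, so an unknown or later-added permission string stored on a share row is accepted by truthiness rather than by policy. The write paths in this commit compare against `WRITE_PERMISSION_TUPLE`; the read paths would be safer with the same shape, for example a module-level `READ_PERMISSION_TUPLE = (PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN)` and `check_share_dtable_permission(dtable, username) not in READ_PERMISSION_TUPLE`, assuming `PERMISSION_READ` is exported by `seahub.constants`. The `dtable_file_view` hunk at -623 has the same truthiness test. The handler starts and ends outside the hunk, so which HTTP method it serves cannot be confirmed from here.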
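Review bot: Two further DTableView handlers, at -354 and -426, now admit any non-owner whose share carries `rw` or `admin`, and neither hunk shows which operation the handler performs. If one of them renames or deletes the table, a share recipient gains a destructive action on a table they do not own, which read-write sharing usually does not imply; that path would keep the plain `if username != owner:` test. A one-line comment above each condition naming the accepted share level, such as `# share recipients with rw/admin may modify; r is rejected`, would make the intended policy reviewable. The same check also appears at -508 and -562, and all four handler bodies extend beyond their hunks.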
@@ -426,7 +431,8 @@ class DTableView(APIView):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 else:
- if username != owner:
+ if username != owner and \
+ check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -508,7 +514,8 @@ class DTableUpdateLinkView(APIView):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 else:
- if username != owner:
+ if username != owner and \
+ check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -562,7 +569,8 @@ class DTableAssetUploadLinkView(APIView):
 # permission check
 username = request.user.username
 owner = workspace.owner
- if username != owner:
+ if username != owner and \
+ check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -623,7 +631,8 @@ def dtable_file_view(request, workspace_id, name):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 else:
- if username != owner:
+ if username != owner and \
+ not check_share_dtable_permission(dtable, username):
 error_msg = 'Permission denied.'
 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
@@ -672,7 +681,8 @@ def dtable_asset_access(request, workspace_id, dtable_id, path):
 # permission check
 username = request.user.username
 owner = workspace.owner
- if username != owner:
+ if username != owner and \
+ check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
 return render_permission_error(request, 'Permission denied.')
 token = seafile_api.get_fileserver_access_token(repo_id, asset_id, 'view',
diff --git a/seahub/dtable/utils.py b/seahub/dtable/utils.py
new file mode 100644
index 0000000000..b67b42cad2
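Review bot: `dtable_asset_access` (hunk -672) requests a `'view'` fileserver token yet now requires the caller's share to be in `WRITE_PERMISSION_TUPLE`, while `dtable_file_view` at -623 accepts any share. A recipient with a read-only share can therefore open the table but is refused its assets. If read-only recipients are meant to see assets, the condition should mirror the read path, `not check_share_dtable_permission(dtable, username)`; if not, a comment such as `# assets are served only to the owner and rw/admin share recipients` would record the decision. The binding of `dtable` is not visible in this hunk or in the `DTableAssetUploadLinkView` hunk at -562, and the old condition did not use it, so it is worth confirming that both functions resolve the table and return 404 before reaching this line.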
--- /dev/null +++ b/seahub/dtable/utils.py @@ -0,0 +1,9 @@ +from seahub.dtable.models import ShareDTable + + +def check_share_dtable_permission(dtable, to_user): + share_dtable_obj = ShareDTable.objects.get_by_dtable_and_to_user(dtable, to_user) + if share_dtable_obj: + return share_dtable_obj.permission + + return None diff --git a/tests/seahub/dtable/test_api.py b/tests/seahub/dtable/test_api.py index 06910d3e90..d3a2260b2a 100644 --- a/tests/seahub/dtable/test_api.py +++ b/tests/seahub/dtable/test_api.py @@ -6,6 +6,12 @@ from seaserv import seafile_api from seahub.test_utils import BaseTestCase from seahub.base.templatetags.seahub_tags import email2nickname +from tests.common.utils import randstring + +try: + from seahub.settings import LOCAL_PRO_DEV_ENV +except ImportError: + LOCAL_PRO_DEV_ENV = False class ShareDTablesViewTest(BaseTestCase): @@ -142,6 +148,9 @@ class ShareDTableViewTest(BaseTestCase): self.assertEqual(400, resp.status_code) def test_can_not_post_with_share_to_org_user(self): + if not LOCAL_PRO_DEV_ENV: + return + assert len(ShareDTable.objects.all()) == 1 ShareDTable.objects.all().delete() assert len(ShareDTable.objects.all()) == 0 @@ -257,10 +266,15 @@ class ShareDTableViewTest(BaseTestCase): self.assertEqual(404, resp.status_code) def test_can_not_delete_with_not_shared_user(self): - self.login_as(self.org_user) + tmp_user = self.create_user( + 'user_%s@test.com' % randstring(4), is_staff=False) + + self.login_as(tmp_user) data = { 'email': self.admin.username, } resp = self.client.delete(self.url, json.dumps(data), 'application/json') self.assertEqual(403, resp.status_code) + + self.remove_user(tmp_user.username)
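Review bot: `check_share_dtable_permission` reads like a predicate but returns the stored permission string or `None`, and its callers rely on both truthiness and tuple membership, so the contract should be written down. A docstring such as `"""Return the permission of dtable's share to to_user, or None when no share exists."""` would do, and returning only values from a known set would stop an unexpected stored string from satisfying the truthiness checks at -287 and -623. `ShareDTable.objects.get_by_dtable_and_to_user` is defined outside this patch; if it can raise on a missing or duplicate row rather than return a falsy value, the seven call sites will answer 500 instead of 403.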
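Review bot: The guard added at the top of `test_can_not_post_with_share_to_org_user` returns silently when `LOCAL_PRO_DEV_ENV` is false, so the runner reports a negative authorization test as passed although none of its assertions ran. Marking it skipped keeps the gap visible in the test output: `self.skipTest('requires LOCAL_PRO_DEV_ENV')`, assuming `BaseTestCase` derives from `unittest.TestCase`. The rest of the test body lies outside the hunk.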
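Review bot: `self.remove_user(tmp_user.username)` in `test_can_not_delete_with_not_shared_user` runs only if `self.assertEqual(403, resp.status_code)` passes, so a failing run leaves the temporary account in the test database. Registering the cleanup right after creation avoids that: `self.addCleanup(self.remove_user, tmp_user.username)`. Separately, the test changes in this patch touch only the sharing views; nothing exercises the seven new share checks in `seahub/api2/endpoints/dtable.py`, for instance that a read-only recipient gets 403 on a write handler and an `rw` recipient is allowed.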