share dtable update rw permission

seahub/api2/endpoints/dtable.py

@@ -29,12 +29,15 @@ from seahub.views.file import send_file_access_msg
 from seahub.auth.decorators import login_required
 from seahub.settings import MAX_UPLOAD_FILE_NAME_LEN, SHARE_LINK_EXPIRE_DAYS_MIN, \
      SHARE_LINK_EXPIRE_DAYS_MAX, SHARE_LINK_EXPIRE_DAYS_DEFAULT
+from seahub.dtable.utils import check_share_dtable_permission
+from seahub.constants import PERMISSION_ADMIN, PERMISSION_READ_WRITE
 
 
 logger = logging.getLogger(__name__)
 
 
 FILE_TYPE = '.dtable'
+WRITE_PERMISSION_TUPLE = (PERMISSION_READ_WRITE, PERMISSION_ADMIN)
 
 
 class WorkspacesView(APIView):
@@ -287,7 +290,8 @@ class DTableView(APIView):
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
         else:
-            if username != owner:
+            if username != owner and \
+                    not check_share_dtable_permission(dtable, username):
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -354,7 +358,8 @@ class DTableView(APIView):
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
         else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -426,7 +431,8 @@ class DTableView(APIView):
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
         else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -508,7 +514,8 @@ class DTableUpdateLinkView(APIView):
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
         else:
-            if username != owner:
+            if username != owner and \
+                    check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -562,7 +569,8 @@ class DTableAssetUploadLinkView(APIView):
         # permission check
         username = request.user.username
         owner = workspace.owner
-        if username != owner:
+        if username != owner and \
+                check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -623,7 +631,8 @@ def dtable_file_view(request, workspace_id, name):
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
     else:
-        if username != owner:
+        if username != owner and \
+                not check_share_dtable_permission(dtable, username):
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -672,7 +681,8 @@ def dtable_asset_access(request, workspace_id, dtable_id, path):
     # permission check
     username = request.user.username
     owner = workspace.owner
-    if username != owner:
+    if username != owner and \
+            check_share_dtable_permission(dtable, username) not in WRITE_PERMISSION_TUPLE:
         return render_permission_error(request, 'Permission denied.')
 
     token = seafile_api.get_fileserver_access_token(repo_id, asset_id, 'view',

seahub/dtable/utils.py

@@ -0,0 +1,9 @@
+from seahub.dtable.models import ShareDTable
+
+
+def check_share_dtable_permission(dtable, to_user):
+    share_dtable_obj = ShareDTable.objects.get_by_dtable_and_to_user(dtable, to_user)
+    if share_dtable_obj:
+        return share_dtable_obj.permission
+
+    return None

tests/seahub/dtable/test_api.py

@@ -6,6 +6,12 @@ from seaserv import seafile_api
 
 from seahub.test_utils import BaseTestCase
 from seahub.base.templatetags.seahub_tags import email2nickname
+from tests.common.utils import randstring
+
+try:
+    from seahub.settings import LOCAL_PRO_DEV_ENV
+except ImportError:
+    LOCAL_PRO_DEV_ENV = False
 
 
 class ShareDTablesViewTest(BaseTestCase):
@@ -142,6 +148,9 @@ class ShareDTableViewTest(BaseTestCase):
         self.assertEqual(400, resp.status_code)
 
     def test_can_not_post_with_share_to_org_user(self):
+        if not LOCAL_PRO_DEV_ENV:
+            return
+
         assert len(ShareDTable.objects.all()) == 1
         ShareDTable.objects.all().delete()
         assert len(ShareDTable.objects.all()) == 0
@@ -257,10 +266,15 @@ class ShareDTableViewTest(BaseTestCase):
         self.assertEqual(404, resp.status_code)
 
     def test_can_not_delete_with_not_shared_user(self):
-        self.login_as(self.org_user)
+        tmp_user = self.create_user(
+            'user_%s@test.com' % randstring(4), is_staff=False)
+
+        self.login_as(tmp_user)
 
         data = {
             'email': self.admin.username,
         }
         resp = self.client.delete(self.url, json.dumps(data), 'application/json')
         self.assertEqual(403, resp.status_code)
+
+        self.remove_user(tmp_user.username)