diff --git a/seahub/api2/views.py b/seahub/api2/views.py
index 30a612418b..4bc025f3e8 100644
--- a/seahub/api2/views.py
+++ b/seahub/api2/views.py
@@ -4415,26 +4415,54 @@ class RepoUserFolderPerm(APIView): error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) - @api_repo_user_folder_perm_check def delete(self, request, repo_id, format=None): - if not (is_pro_version() and ENABLE_FOLDER_PERM): + # argument check + user = request.data.get('user_email', None) + path = request.data.get('folder_path', None) + + if not user: + error_msg = 'user_email invalid.' + return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + if not path: + error_msg = 'folder_path invalid.' + return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + # resource check + repo = seafile_api.get_repo(repo_id) + if not repo: + error_msg = 'Library %s not found.' % repo_id + return api_error(status.HTTP_404_NOT_FOUND, error_msg) + + try: + User.objects.get(email=user) + except User.DoesNotExist: + error_msg = 'User %s not found.' % user + return api_error(status.HTTP_404_NOT_FOUND, error_msg) + + # permission check + if is_org_context(request): + repo_owner = seafile_api.get_org_repo_owner(repo_id) + else: + repo_owner = seafile_api.get_repo_owner(repo_id) + + username = request.user.username + if not (is_pro_version() and ENABLE_FOLDER_PERM) or \ + repo.is_virtual or username != repo_owner: error_msg = 'Permission denied.' return api_error(status.HTTP_403_FORBIDDEN, error_msg) - user = request.data.get('user_email') - path = request.data.get('folder_path') + # delete permission path = path.rstrip('/') if path != '/' else path - permission = seafile_api.get_folder_user_perm(repo_id, path, user) if not permission: return Response({'success': True}) - username = request.user.username try: seafile_api.rm_folder_user_perm(repo_id, path, user) send_perm_audit_msg('delete-repo-perm', username, - user, repo_id, path, permission) + user, repo_id, path, permission) return Response({'success': True}) except SearpcError as e: logger.error(e) 
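Review bot: The new resource check `User.objects.get(email=user)` runs before the owner check, so any authenticated caller who is not the library owner can distinguish a registered address from an unknown one by the 404 `'User %s not found.'` versus the 403 `'Permission denied.'` — an account-enumeration oracle; the same ordering appears in the RepoGroupFolderPerm hunk, where `ccnet_api.get_group(group_id)` is consulted before the owner check. Moving the `is_org_context`/`repo_owner`/`username != repo_owner` block ahead of the user and group lookups keeps every response code but makes the existence lookups owner-only. Separately, the removed `@api_repo_user_folder_perm_check` decorator is not applied any more and the inline checks never verify that `folder_path` exists in the library; if that was the decorator's job, the deleted `test_invalid_path` cases (which also exercised POST and PUT) lose coverage without a replacement. The `delete` body continues past the end of the hunk.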
@@ -4541,23 +4569,54 @@ class RepoGroupFolderPerm(APIView): error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) - @api_repo_group_folder_perm_check def delete(self, request, repo_id, format=None): - if not (is_pro_version() and ENABLE_FOLDER_PERM): + # arguments check + group_id = request.data.get('group_id', None) + path = request.data.get('folder_path', None) + + if not group_id: + error_msg = 'group_id invalid.' + return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + if not path: + error_msg = 'folder_path invalid.' + return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + try: + group_id = int(group_id) + except ValueError: + error_msg = 'group_id invalid.' + return api_error(status.HTTP_400_BAD_REQUEST, error_msg) + + # resource check + if not ccnet_api.get_group(group_id): + error_msg = 'Group %s not found.' % group_id + return api_error(status.HTTP_404_NOT_FOUND, error_msg) + + repo = seafile_api.get_repo(repo_id) + if not repo: + error_msg = 'Library %s not found.' % repo_id + return api_error(status.HTTP_404_NOT_FOUND, error_msg) + + # permission check + if is_org_context(request): + repo_owner = seafile_api.get_org_repo_owner(repo_id) + else: + repo_owner = seafile_api.get_repo_owner(repo_id) + + username = request.user.username + if not (is_pro_version() and ENABLE_FOLDER_PERM) or \ + repo.is_virtual or username != repo_owner: error_msg = 'Permission denied.' return api_error(status.HTTP_403_FORBIDDEN, error_msg) - group_id = request.data.get('group_id') - path = request.data.get('folder_path') - group_id = int(group_id) + # delete permission path = path.rstrip('/') if path != '/' else path - permission = seafile_api.get_folder_group_perm(repo_id, path, group_id) if not permission: return Response({'success': True}) - username = request.user.username try: seafile_api.rm_folder_group_perm(repo_id, path, group_id) send_perm_audit_msg('delete-repo-perm', username, group_id, 
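Review bot: `delete` has no docstring although the hunk now spells out a fairly involved contract; a short docstring stating that it removes a group's folder permission, requires a pro build with `ENABLE_FOLDER_PERM` and the caller to be the (org) owner of a non-virtual library, and answers 400 for a missing or non-integer `group_id`/`folder_path`, 404 for an unknown group or library and 403 otherwise would save the next reader from reconstructing it. A point of style: the three separate `group_id invalid.` exits collapse into one branch, `try: group_id = int(group_id or '')` / `except (TypeError, ValueError): return api_error(status.HTTP_400_BAD_REQUEST, 'group_id invalid.')`, which also covers a non-string payload value. The `is_org_context` → `repo_owner` resolution is duplicated verbatim from the RepoUserFolderPerm hunk and looks like a candidate for a small shared helper. The `delete` body continues past the end of the hunk.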
diff --git a/tests/api/test_repo_group_folder_perm.py b/tests/api/test_repo_group_folder_perm.py
index c0e40c3c5a..a29d5f78fb 100644
--- a/tests/api/test_repo_group_folder_perm.py
+++ b/tests/api/test_repo_group_folder_perm.py
@@ -180,33 +180,6 @@ class RepoGroupFolderPermTest(BaseTestCase): resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') self.assertEqual(403, resp.status_code) - def test_invalid_path(self): - self.login_as(self.user) - - invalid_path = randstring(6) - - # test delete - url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id]) - data = 'group_id=%s&folder_path=%s' % (self.group_id, invalid_path) - resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') - self.assertEqual(404, resp.status_code) - - # test modify - url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id]) - data = 'group_id=%s&folder_path=%s&permission=%s' % (self.group_id, invalid_path, self.perm_rw) - resp = self.client.put(url, data, 'application/x-www-form-urlencoded') - self.assertEqual(404, resp.status_code) - - # test add - url = reverse("api2-repo-group-folder-perm", args=[self.user_repo_id]) - data = { - "group_id": self.group_id, - "folder_path": invalid_path, - "permission": self.perm_rw - } - resp = self.client.post(url, data) - self.assertEqual(404, resp.status_code) - def test_invalid_group(self): self.login_as(self.user)
diff --git a/tests/api/test_repo_user_folder_perm.py b/tests/api/test_repo_user_folder_perm.py
index a52d9a4b3d..b7dfc63c2c 100644
--- a/tests/api/test_repo_user_folder_perm.py
+++ b/tests/api/test_repo_user_folder_perm.py
@@ -179,33 +179,6 @@ class RepoUserFolderPermTest(BaseTestCase): resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') self.assertEqual(403, resp.status_code) - def test_invalid_path(self): - self.login_as(self.user) - - invalid_path = randstring(6) - - # test add - url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id]) - data = { - "user_email": self.admin_email, - "folder_path": invalid_path, - "permission": self.perm_rw - } - resp = self.client.post(url, data) - self.assertEqual(404, resp.status_code) - - # test modify - url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id]) - data = 'user_email=%s&folder_path=%s&permission=%s' % (self.admin_email, invalid_path, self.perm_rw) - resp = self.client.put(url, data, 'application/x-www-form-urlencoded') - self.assertEqual(404, resp.status_code) - - # test delete - url = reverse("api2-repo-user-folder-perm", args=[self.user_repo_id]) - data = 'user_email=%s&folder_path=%s' % (self.admin_email, invalid_path) - resp = self.client.delete(url, data, 'application/x-www-form-urlencoded') - self.assertEqual(404, resp.status_code) - def test_invalid_user(self): self.login_as(self.user)