oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move file modification permission check to separate function

Browse source
This commit is contained in:
shortcutme 2018-03-20 21:55:12 +01:00
parent 6b926b12a4
commit 11d8485399
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 8 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/Ui/UiWebsocket.py
View file

@ -165,6 +165,10 @@ class UiWebsocket(object):
else: else:
return True return True
def hasFilePermission(self, inner_path):
valid_signers = self.site.content_manager.getValidSigners(inner_path)
return self.site.settings["own"] or self.user.getAuthAddress(self.site.address) in valid_signers
# Event in a channel # Event in a channel
def event(self, channel, *params): def event(self, channel, *params):
if channel in self.channels: # We are joined to channel if channel in self.channels: # We are joined to channel
@ -385,10 +389,7 @@ class UiWebsocket(object):
extend["cert_user_id"] = self.user.getCertUserId(site.address) extend["cert_user_id"] = self.user.getCertUserId(site.address)
extend["cert_sign"] = cert["cert_sign"] extend["cert_sign"] = cert["cert_sign"]
if ( if not self.hasFilePermission(inner_path):
not site.settings["own"] and
self.user.getAuthAddress(self.site.address) not in self.site.content_manager.getValidSigners(inner_path)
):
self.log.error("SiteSign error: you don't own this site & site owner doesn't allow you to do so.") self.log.error("SiteSign error: you don't own this site & site owner doesn't allow you to do so.")
return self.response(to, {"error": "Forbidden, you can only modify your own sites"}) return self.response(to, {"error": "Forbidden, you can only modify your own sites"})
@ -402,7 +403,7 @@ class UiWebsocket(object):
site.content_manager.loadContent(inner_path, add_bad_files=False, force=True) site.content_manager.loadContent(inner_path, add_bad_files=False, force=True)
# Sign using private key sent by user # Sign using private key sent by user
try: try:
signed = site.content_manager.sign(inner_path, privatekey, extend=extend, update_changed_files=update_changed_files, remove_missing_optional=remove_missing_optional) site.content_manager.sign(inner_path, privatekey, extend=extend, update_changed_files=update_changed_files, remove_missing_optional=remove_missing_optional)
except (VerifyError, SignError) as err: except (VerifyError, SignError) as err:
self.cmd("notification", ["error", _["Content signing failed"] + "<br><small>%s</small>" % err]) self.cmd("notification", ["error", _["Content signing failed"] + "<br><small>%s</small>" % err])
self.response(to, {"error": "Site sign failed: %s" % err}) self.response(to, {"error": "Site sign failed: %s" % err})
@ -507,7 +508,7 @@ class UiWebsocket(object):
def actionFileWrite(self, to, inner_path, content_base64, ignore_bad_files=False): def actionFileWrite(self, to, inner_path, content_base64, ignore_bad_files=False):
valid_signers = self.site.content_manager.getValidSigners(inner_path) valid_signers = self.site.content_manager.getValidSigners(inner_path)
auth_address = self.user.getAuthAddress(self.site.address) auth_address = self.user.getAuthAddress(self.site.address)
if not self.site.settings["own"] and auth_address not in valid_signers: if not self.hasFilePermission(inner_path):
self.log.error("FileWrite forbidden %s not in valid_signers %s" % (auth_address, valid_signers)) self.log.error("FileWrite forbidden %s not in valid_signers %s" % (auth_address, valid_signers))
return self.response(to, {"error": "Forbidden, you can only modify your own files"}) return self.response(to, {"error": "Forbidden, you can only modify your own files"})
@ -555,10 +556,7 @@ class UiWebsocket(object):
ws.event("siteChanged", self.site, {"event": ["file_done", inner_path]}) ws.event("siteChanged", self.site, {"event": ["file_done", inner_path]})
def actionFileDelete(self, to, inner_path): def actionFileDelete(self, to, inner_path):
if ( if not self.hasFilePermission(inner_path):
not self.site.settings["own"] and
self.user.getAuthAddress(self.site.address) not in self.site.content_manager.getValidSigners(inner_path)
):
self.log.error("File delete error: you don't own this site & you are not approved by the owner.") self.log.error("File delete error: you don't own this site & you are not approved by the owner.")
return self.response(to, {"error": "Forbidden, you can only modify your own files"}) return self.response(to, {"error": "Forbidden, you can only modify your own files"})