
disallow moving file at root for workspace

Guénaël Muller před 6 roky
rodič
revize
100e39172c
1 změnil soubory, kde provedl 17 přidání a 0 odebrání
  1. 17 0
      tracim/tracim/lib/webdav/sql_resources.py

+ 17 - 0
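--- a/tracim/tracim/lib/webdav/sql_resources.py
+++ b/tracim/tracim/lib/webdav/sql_resources.py
@@ -160,6 +160,10 @@ class Workspace(DAVCollection):
 
         self._file_count = 0
 
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        self._subfolder_regex = re.compile('^{}[^/]*$'.format(environ['http_authenticator.realm']))  # nopep8
+
     def __repr__(self) -> str:
         return "<DAVCollection: Workspace (%d)>" % self.workspace.workspace_id
 
@@ -215,6 +219,12 @@ class Workspace(DAVCollection):
         if resource:
             content = resource.content
 
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        if self._subfolder_regex.match(dirname(path)):
+            raise DAVError(HTTP_FORBIDDEN)
+
+
         return FakeFileStream(
             file_name=file_name,
             content_api=self.content_api,
@@ -399,6 +409,7 @@ class Folder(Workspace):
             invalid_path = invalid_path or any(x in self.path for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or dirname(destpath) == self.environ['http_authenticator.realm']
 
+
             if not invalid_path:
                 self.move_folder(destpath)
 
@@ -833,6 +844,9 @@ class File(DAVNonCollection):
         self.content = content
         self.user = UserApi(None).get_one_by_email(environ['http_authenticator.username'])
         self.content_api = ContentApi(self.user)
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        self._subfolder_regex = re.compile('^{}[^/]*$'.format(environ['http_authenticator.realm']))  # nopep8
 
         # this is the property that windows client except to check if the file is read-write or read-only,
         # but i wasn't able to set this property so you'll have to look into it >.>
@@ -915,6 +929,9 @@ class File(DAVNonCollection):
             invalid_path = any(x in destpath for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or any(x in self.path for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or dirname(destpath) == self.environ['http_authenticator.realm']
+            # FIXME : Remove this regex when tracim become
+            # able to deal with file at root of workspace
+            invalid_path = invalid_path or self._subfolder_regex.match(dirname(destpath))
 
             if not invalid_path:
                 self.move_file(destpath)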
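Review bot: The realm from `environ['http_authenticator.realm']` is interpolated into the pattern unescaped in both `self._subfolder_regex = re.compile(...)` assignments (first and fourth hunks), so any regex metacharacter in the configured realm changes what the root-of-workspace check accepts; build it as `re.compile('^{}[^/]*$'.format(re.escape(environ['http_authenticator.realm'])))`. With `match()` the trailing `$` also accepts a final newline, so `\Z` (or `fullmatch()` without the anchors) is the tighter form. The checks in the second and fifth hunks run on `dirname(path)` and `dirname(destpath)` as received; whether those paths are normalised earlier is not visible here, and if they are not, a dirname that is spelled differently from the canonical one would not match and the restriction would not apply, so normalise before matching. The same pattern is compiled in two classes and would be easier to keep consistent as a single module-level helper. Every enclosing method starts and ends outside the hunks shown.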