
disallow moving file at root for workspace

Guénaël Muller 6 years ago
parent
commit
100e39172c
1 changed files with 17 additions and 0 deletions
  1. 17 0
      tracim/tracim/lib/webdav/sql_resources.py

+ 17 - 0
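--- a/tracim/tracim/lib/webdav/sql_resources.py
+++ b/tracim/tracim/lib/webdav/sql_resources.py
@@ -160,6 +160,10 @@
 
         self._file_count = 0
 
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        self._subfolder_regex = re.compile('^{}[^/]*$'.format(environ['http_authenticator.realm']))  # nopep8
+
     def __repr__(self) -> str:
         return "<DAVCollection: Workspace (%d)>" % self.workspace.workspace_id
 
@@ -215,6 +219,12 @@
         if resource:
             content = resource.content
 
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        if self._subfolder_regex.match(dirname(path)):
+            raise DAVError(HTTP_FORBIDDEN)
+
+
         return FakeFileStream(
             file_name=file_name,
             content_api=self.content_api,
@@ -399,6 +409,7 @@
             invalid_path = invalid_path or any(x in self.path for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or dirname(destpath) == self.environ['http_authenticator.realm']
 
+
             if not invalid_path:
                 self.move_folder(destpath)
 
@@ -833,6 +844,9 @@
         self.content = content
         self.user = UserApi(None).get_one_by_email(environ['http_authenticator.username'])
         self.content_api = ContentApi(self.user)
+        # FIXME : Remove this regex when tracim become
+        # able to deal with file at root of workspace
+        self._subfolder_regex = re.compile('^{}[^/]*$'.format(environ['http_authenticator.realm']))  # nopep8
 
         # this is the property that windows client except to check if the file is read-write or read-only,
         # but i wasn't able to set this property so you'll have to look into it >.>
@@ -915,6 +929,9 @@
             invalid_path = any(x in destpath for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or any(x in self.path for x in ['.deleted', '.archived'])
             invalid_path = invalid_path or dirname(destpath) == self.environ['http_authenticator.realm']
+            # FIXME : Remove this regex when tracim become
+            # able to deal with file at root of workspace
+            invalid_path = invalid_path or self._subfolder_regex.match(dirname(destpath))
 
             if not invalid_path:
                 self.move_file(destpath)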
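Review bot: The realm is interpolated into the pattern unescaped in both constructors (`re.compile('^{}[^/]*$'.format(environ['http_authenticator.realm']))`), so a realm containing regex metacharacters would change what this deny rule matches, or fail to compile. Passing `re.escape(environ['http_authenticator.realm'])` keeps the prefix literal, and ending the pattern with `\Z` instead of `$` stops a directory name with a trailing newline from matching. The create-path check `if self._subfolder_regex.match(dirname(path)):` reads `path`, which is not defined in the visible lines. The enclosing method starts outside the hunk, so confirm that name is in scope there (as opposed to `self.path`), otherwise the guard raises `NameError` instead of `DAVError(HTTP_FORBIDDEN)`. Both checks also assume `dirname()` sees an already-normalised path, and a short comment saying where that normalisation happens would help.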