# HG changeset patch
# User Marcin Kuzminski
# Date 2019-05-14 21:15:25
# Node ID 6a107e97b909db540aaf396d5c4dfd9d4572e3d3
# Parent e5aaaa0f929390a38b1d436f6ee2cc600d7c808a
file-store: implement check-acl permissions.
diff --git a/rhodecode/apps/file_store/views.py b/rhodecode/apps/file_store/views.py
--- a/rhodecode/apps/file_store/views.py
+++ b/rhodecode/apps/file_store/views.py
@@ -30,7 +30,7 @@ from rhodecode.apps.file_store.exception
 from rhodecode.lib import helpers as h
 from rhodecode.lib import audit_logger
-from rhodecode.lib.auth import (CSRFRequired, NotAnonymous)
+from rhodecode.lib.auth import (CSRFRequired, NotAnonymous, HasRepoPermissionAny, HasRepoGroupPermissionAny)
 from rhodecode.model.db import Session, FileStore
 log = logging.getLogger(__name__)
@@ -109,6 +109,35 @@ class FileStoreView(BaseAppView):
 log.debug('File with FID:%s not found in the store', file_uid)
 raise HTTPNotFound()
+ db_obj = FileStore().query().filter(FileStore.file_uid == file_uid).scalar()
+ if not db_obj:
+ raise HTTPNotFound()
+
+ # private upload for user
+ if db_obj.check_acl and db_obj.scope_user_id:
+ user = db_obj.user
+ if self._rhodecode_db_user.user_id != user.user_id:
+ log.warning('Access to file store object forbidden')
+ raise HTTPNotFound()
+
+ # scoped to repository permissions
+ if db_obj.check_acl and db_obj.scope_repo_id:
+ repo = db_obj.repo
+ perm_set = ['repository.read', 'repository.write', 'repository.admin']
+ has_perm = HasRepoPermissionAny(*perm_set)(repo.repo_name, 'FileStore check')
+ if not has_perm:
+ log.warning('Access to file store object forbidden')
+ raise HTTPNotFound()
+
+ # scoped to repository group permissions
+ if db_obj.check_acl and db_obj.scope_repo_group_id:
+ repo_group = db_obj.repo_group
+ perm_set = ['group.read', 'group.write', 'group.admin']
+ has_perm = HasRepoGroupPermissionAny(*perm_set)(repo_group.group_name, 'FileStore check')
+ if not has_perm:
+ log.warning('Access to file store object forbidden')
+ raise HTTPNotFound()
+
 FileStore.bump_access_counter(file_uid)
 file_path = self.storage.store_path(file_uid)
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -4953,8 +4953,8 @@ class FileStore(Base, BaseModel):
 @classmethod
 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
- file_description='', enabled=True, check_acl=True,
- user_id=None, scope_repo_id=None, scope_repo_group_id=None):
+ file_description='', enabled=True, check_acl=True, user_id=None,
+ scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
 store_entry = FileStore()
 store_entry.file_uid = file_uid
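Review bot: The user-scoped branch is gated on `db_obj.scope_user_id` but compares the requester against `db_obj.user`, which, judging by the `create()` signature in the db.py hunk where `user_id` and `scope_user_id` are separate columns, appears to be the uploader relationship rather than the scoped user, so a file scoped to someone other than its uploader would be judged on the wrong principal. Comparing against the scope column itself removes the indirection: `if self._rhodecode_db_user.user_id != db_obj.scope_user_id:`. The three identical `log.warning('Access to file store object forbidden')` calls record neither the file nor the requester, so a denial cannot be correlated afterwards; `log.warning('Access to file store object %s forbidden for user_id %s', file_uid, self._rhodecode_db_user.user_id)` makes the event attributable. `db_obj.repo` and `db_obj.repo_group` are dereferenced without a None check, so a scope whose repository or group has since been removed would surface as an AttributeError rather than the intended 404 if those relationships are nullable. The enclosing method starts before this hunk, so whether `_rhodecode_db_user` can be the anonymous user at this point is not visible here.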
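Review bot: `scope_user_id` is inserted into the middle of `create()`'s parameter list, ahead of `scope_repo_id` and `scope_repo_group_id`, so any caller passing those two positionally now silently has its repository id stored as `scope_user_id`. Appending the new parameter at the end keeps existing call sites working, while a `*,` before `user_id=None` would make the scope parameters keyword-only and turn such a mismatch into a loud TypeError instead of a wrong ACL scope. The body of `create()` continues outside this hunk.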
@@ -4968,6 +4968,7 @@ class FileStore(Base, BaseModel):
 store_entry.enabled = enabled
 store_entry.user_id = user_id
+ store_entry.scope_user_id = scope_user_id
 store_entry.scope_repo_id = scope_repo_id
 store_entry.scope_repo_group_id = scope_repo_group_id
 return store_entry