# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2019-05-14 21:15:25
# Node ID 6a107e97b909db540aaf396d5c4dfd9d4572e3d3
# Parent  e5aaaa0f929390a38b1d436f6ee2cc600d7c808a

file-store: implement check-acl permissions.

diff --git a/rhodecode/apps/file_store/views.py b/rhodecode/apps/file_store/views.py
--- a/rhodecode/apps/file_store/views.py
+++ b/rhodecode/apps/file_store/views.py
@@ -30,7 +30,7 @@ from rhodecode.apps.file_store.exception
 
 from rhodecode.lib import helpers as h
 from rhodecode.lib import audit_logger
-from rhodecode.lib.auth import (CSRFRequired, NotAnonymous)
+from rhodecode.lib.auth import (CSRFRequired, NotAnonymous, HasRepoPermissionAny, HasRepoGroupPermissionAny)
 from rhodecode.model.db import Session, FileStore
 
 log = logging.getLogger(__name__)
@@ -109,6 +109,35 @@ class FileStoreView(BaseAppView):
             log.debug('File with FID:%s not found in the store', file_uid)
             raise HTTPNotFound()
 
+        db_obj = FileStore().query().filter(FileStore.file_uid == file_uid).scalar()
+        if not db_obj:
+            raise HTTPNotFound()
+
+        # private upload for user
+        if db_obj.check_acl and db_obj.scope_user_id:
+            user = db_obj.user
+            if self._rhodecode_db_user.user_id != user.user_id:
+                log.warning('Access to file store object forbidden')
+                raise HTTPNotFound()
+
+        # scoped to repository permissions
+        if db_obj.check_acl and db_obj.scope_repo_id:
+            repo = db_obj.repo
+            perm_set = ['repository.read', 'repository.write', 'repository.admin']
+            has_perm = HasRepoPermissionAny(*perm_set)(repo.repo_name, 'FileStore check')
+            if not has_perm:
+                log.warning('Access to file store object forbidden')
+                raise HTTPNotFound()
+
+        # scoped to repository group permissions
+        if db_obj.check_acl and db_obj.scope_repo_group_id:
+            repo_group = db_obj.repo_group
+            perm_set = ['group.read', 'group.write', 'group.admin']
+            has_perm = HasRepoGroupPermissionAny(*perm_set)(repo_group.group_name, 'FileStore check')
+            if not has_perm:
+                log.warning('Access to file store object forbidden')
+                raise HTTPNotFound()
+
         FileStore.bump_access_counter(file_uid)
 
         file_path = self.storage.store_path(file_uid)
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -4953,8 +4953,8 @@ class FileStore(Base, BaseModel):
 
     @classmethod
     def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
-               file_description='', enabled=True, check_acl=True,
-               user_id=None, scope_repo_id=None, scope_repo_group_id=None):
+               file_description='', enabled=True, check_acl=True, user_id=None,
+               scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
 
         store_entry = FileStore()
         store_entry.file_uid = file_uid
@@ -4968,6 +4968,7 @@ class FileStore(Base, BaseModel):
         store_entry.enabled = enabled
 
         store_entry.user_id = user_id
+        store_entry.scope_user_id = scope_user_id
         store_entry.scope_repo_id = scope_repo_id
         store_entry.scope_repo_group_id = scope_repo_group_id
         return store_entry