file-store: implement check-acl permissions.
marcink -
r3674:6a107e97 new-ui
@@ -30,7 +30,7 b' from rhodecode.apps.file_store.exception'
30
30
31 from rhodecode.lib import helpers as h
31 from rhodecode.lib import helpers as h
32 from rhodecode.lib import audit_logger
32 from rhodecode.lib import audit_logger
33 from rhodecode.lib.auth import (CSRFRequired, NotAnonymous)
33 from rhodecode.lib.auth import (CSRFRequired, NotAnonymous, HasRepoPermissionAny, HasRepoGroupPermissionAny)
34 from rhodecode.model.db import Session, FileStore
34 from rhodecode.model.db import Session, FileStore
35
35
36 log = logging.getLogger(__name__)
36 log = logging.getLogger(__name__)
@@ -109,6 +109,35 b' class FileStoreView(BaseAppView):'
109 log.debug('File with FID:%s not found in the store', file_uid)
109 log.debug('File with FID:%s not found in the store', file_uid)
110 raise HTTPNotFound()
110 raise HTTPNotFound()
111
111
112 db_obj = FileStore().query().filter(FileStore.file_uid == file_uid).scalar()
113 if not db_obj:
114 raise HTTPNotFound()
115
116 # private upload for user
117 if db_obj.check_acl and db_obj.scope_user_id:
118 user = db_obj.user
119 if self._rhodecode_db_user.user_id != user.user_id:
120 log.warning('Access to file store object forbidden')
121 raise HTTPNotFound()
122
123 # scoped to repository permissions
124 if db_obj.check_acl and db_obj.scope_repo_id:
125 repo = db_obj.repo
126 perm_set = ['repository.read', 'repository.write', 'repository.admin']
127 has_perm = HasRepoPermissionAny(*perm_set)(repo.repo_name, 'FileStore check')
128 if not has_perm:
129 log.warning('Access to file store object forbidden')
130 raise HTTPNotFound()
131
132 # scoped to repository group permissions
133 if db_obj.check_acl and db_obj.scope_repo_group_id:
134 repo_group = db_obj.repo_group
135 perm_set = ['group.read', 'group.write', 'group.admin']
136 has_perm = HasRepoGroupPermissionAny(*perm_set)(repo_group.group_name, 'FileStore check')
137 if not has_perm:
138 log.warning('Access to file store object forbidden')
139 raise HTTPNotFound()
140
112 FileStore.bump_access_counter(file_uid)
141 FileStore.bump_access_counter(file_uid)
113
142
114 file_path = self.storage.store_path(file_uid)
143 file_path = self.storage.store_path(file_uid)
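Review bot: The private-upload branch (new lines 117-121) is entered when `scope_user_id` is set but compares the requester against `db_obj.user`, which the `FileStore.create` hunk on this page shows is fed by a separate `user_id` field (the `user` relationship itself is not visible here); if it maps to the uploader rather than the scoped user, the wrong identity is checked, and a `None` relation would raise AttributeError instead of returning a 404. Comparing the id directly avoids both: `if self._rhodecode_db_user.user_id != db_obj.scope_user_id:`. An entry with `check_acl` set and none of the three scopes populated passes every branch and is served, so it is worth confirming that this fall-through is intended rather than denied by default. The three `log.warning` calls would be more useful for investigation with the object and requester included, e.g. `log.warning('Access to file store object %s forbidden for user_id:%s', file_uid, self._rhodecode_db_user.user_id)`. The enclosing view method starts and ends outside the hunk.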
@@ -4953,8 +4953,8 b' class FileStore(Base, BaseModel):'
4953
4953
4954 @classmethod
4954 @classmethod
4955 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
4955 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
4956 file_description='', enabled=True, check_acl=True,
4956 file_description='', enabled=True, check_acl=True, user_id=None,
4957 user_id=None, scope_repo_id=None, scope_repo_group_id=None):
4957 scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
4958
4958
4959 store_entry = FileStore()
4959 store_entry = FileStore()
4960 store_entry.file_uid = file_uid
4960 store_entry.file_uid = file_uid
@@ -4968,6 +4968,7 b' class FileStore(Base, BaseModel):'
4968 store_entry.enabled = enabled
4968 store_entry.enabled = enabled
4969
4969
4970 store_entry.user_id = user_id
4970 store_entry.user_id = user_id
4971 store_entry.scope_user_id = scope_user_id
4971 store_entry.scope_repo_id = scope_repo_id
4972 store_entry.scope_repo_id = scope_repo_id
4972 store_entry.scope_repo_group_id = scope_repo_group_id
4973 store_entry.scope_repo_group_id = scope_repo_group_id
4973 return store_entry
4974 return store_entry
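Review bot: `scope_user_id` is inserted ahead of `scope_repo_id` in the `create()` signature (new line 4957), so any existing caller that passes the scope arguments positionally would now bind a repository id to `scope_user_id` and change which ACL branch applies to the stored file. Appending the new parameter after `scope_repo_group_id`, or confirming that every caller uses keywords, keeps old call sites meaning what they meant. `create()` also has no docstring in the visible lines; a short one stating that `user_id` records the uploader while the `scope_*` ids restrict who may download when `check_acl` is true would make the distinction explicit (that reading of `user_id` is inferred from the view code and should be confirmed). The body of `create()` continues between the two hunks and is not fully shown.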