rhodecode-enterprise-ce Commit - r3674:6a107e97

file-store: implement check-acl permissions.

marcink -

r3674:6a107e97 new-ui

parent child

rhodecode/apps/file_store/views.py

0 +30 -1

              from rhodecode.lib import helpers as h
              from rhodecode.lib import audit_logger
-             from rhodecode.lib.auth import (CSRFRequired, NotAnonymous)
+             from rhodecode.lib.auth import (CSRFRequired, NotAnonymous, HasRepoPermissionAny, HasRepoGroupPermissionAny)
              from rhodecode.model.db import Session, FileStore
              log = logging.getLogger(__name__)
                          log.debug('File with FID:%s not found in the store', file_uid)
                          raise HTTPNotFound()
+                     db_obj = FileStore().query().filter(FileStore.file_uid == file_uid).scalar()
+                     if not db_obj:
+                         raise HTTPNotFound()
+                     # private upload for user
+                     if db_obj.check_acl and db_obj.scope_user_id:
+                         user = db_obj.user
+                         if self._rhodecode_db_user.user_id != user.user_id:
+                             log.warning('Access to file store object forbidden')
+                             raise HTTPNotFound()
+                     # scoped to repository permissions
+                     if db_obj.check_acl and db_obj.scope_repo_id:
+                         repo = db_obj.repo
+                         perm_set = ['repository.read', 'repository.write', 'repository.admin']
+                         has_perm = HasRepoPermissionAny(*perm_set)(repo.repo_name, 'FileStore check')
+                         if not has_perm:
+                             log.warning('Access to file store object forbidden')
+                             raise HTTPNotFound()
+                     # scoped to repository group permissions
+                     if db_obj.check_acl and db_obj.scope_repo_group_id:
+                         repo_group = db_obj.repo_group
+                         perm_set = ['group.read', 'group.write', 'group.admin']
+                         has_perm = HasRepoGroupPermissionAny(*perm_set)(repo_group.group_name, 'FileStore check')
+                         if not has_perm:
+                             log.warning('Access to file store object forbidden')
+                             raise HTTPNotFound()
                      FileStore.bump_access_counter(file_uid)
                      file_path = self.storage.store_path(file_uid)

rhodecode/model/db.py

0 +3 -2

                  @classmethod
                  def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
-                            file_description='', enabled=True, check_acl=True,
-                            user_id=None, scope_repo_id=None, scope_repo_group_id=None):
+                            file_description='', enabled=True, check_acl=True, user_id=None,
+                            scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
                      store_entry = FileStore()
                      store_entry.file_uid = file_uid
                      store_entry.enabled = enabled
                      store_entry.user_id = user_id
+                     store_entry.scope_user_id = scope_user_id
                      store_entry.scope_repo_id = scope_repo_id
                      store_entry.scope_repo_group_id = scope_repo_group_id
                      return store_entry

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages