mirror of
https://github.com/filebrowser/filebrowser.git
synced 2026-01-23 02:35:10 +00:00
fix: drop modify permission for uploading new file (#5270)
parent
7c716862c1
commit
0f27c91eca
7 changed files with 197 additions and 66 deletions
|
|
@ -69,7 +69,7 @@ func NewHandler(
|
|||
api.PathPrefix("/tus").Handler(monkey(tusPostHandler(), "/api/tus")).Methods("POST")
|
||||
api.PathPrefix("/tus").Handler(monkey(tusHeadHandler(), "/api/tus")).Methods("HEAD", "GET")
|
||||
api.PathPrefix("/tus").Handler(monkey(tusPatchHandler(), "/api/tus")).Methods("PATCH")
|
||||
api.PathPrefix("/tus").Handler(monkey(resourceDeleteHandler(fileCache), "/api/tus")).Methods("DELETE")
|
||||
api.PathPrefix("/tus").Handler(monkey(tusDeleteHandler(), "/api/tus")).Methods("DELETE")
|
||||
|
||||
api.PathPrefix("/usage").Handler(monkey(diskUsage, "/api/usage")).Methods("GET")
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
package http
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
|
|
@ -8,14 +9,76 @@ import (
|
|||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/jellydator/ttlcache/v3"
|
||||
"github.com/spf13/afero"
|
||||
|
||||
"github.com/filebrowser/filebrowser/v2/files"
|
||||
)
|
||||
|
||||
const maxUploadWait = 3 * time.Minute
|
||||
|
||||
// Tracks active uploads along with their respective upload lengths
|
||||
var activeUploads = initActiveUploads()
|
||||
|
||||
func initActiveUploads() *ttlcache.Cache[string, int64] {
|
||||
cache := ttlcache.New[string, int64]()
|
||||
cache.OnEviction(func(_ context.Context, reason ttlcache.EvictionReason, item *ttlcache.Item[string, int64]) {
|
||||
if reason == ttlcache.EvictionReasonExpired {
|
||||
fmt.Printf("deleting incomplete upload file: \"%s\"", item.Key())
|
||||
os.Remove(item.Key())
|
||||
}
|
||||
})
|
||||
go cache.Start()
|
||||
|
||||
return cache
|
||||
}
|
||||
|
||||
func registerUpload(filePath string, fileSize int64) {
|
||||
activeUploads.Set(filePath, fileSize, maxUploadWait)
|
||||
}
|
||||
|
||||
func completeUpload(filePath string) {
|
||||
activeUploads.Delete(filePath)
|
||||
}
|
||||
|
||||
func getActiveUploadLength(filePath string) (int64, error) {
|
||||
item := activeUploads.Get(filePath)
|
||||
if item == nil {
|
||||
return 0, fmt.Errorf("no active upload found for the given path")
|
||||
}
|
||||
|
||||
return item.Value(), nil
|
||||
}
|
||||
|
||||
func keepUploadActive(filePath string) func() {
|
||||
stop := make(chan bool)
|
||||
|
||||
go func() {
|
||||
ticker := time.NewTicker(2 * time.Second)
|
||||
defer ticker.Stop()
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-stop:
|
||||
return
|
||||
case <-ticker.C:
|
||||
activeUploads.Touch(filePath)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
return func() {
|
||||
close(stop)
|
||||
}
|
||||
}
|
||||
|
||||
func tusPostHandler() handleFunc {
|
||||
return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
|
||||
return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
|
||||
if !d.user.Perm.Create || !d.Check(r.URL.Path) {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
file, err := files.NewFileInfo(&files.FileOptions{
|
||||
Fs: d.user.Fs,
|
||||
Path: r.URL.Path,
|
||||
|
|
@ -26,10 +89,6 @@ func tusPostHandler() handleFunc {
|
|||
})
|
||||
switch {
|
||||
case errors.Is(err, afero.ErrFileNotFound):
|
||||
if !d.user.Perm.Create || !d.Check(r.URL.Path) {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
dirPath := filepath.Dir(r.URL.Path)
|
||||
if _, statErr := d.user.Fs.Stat(dirPath); os.IsNotExist(statErr) {
|
||||
if mkdirErr := d.user.Fs.MkdirAll(dirPath, files.PermDir); mkdirErr != nil {
|
||||
|
|
@ -41,25 +100,55 @@ func tusPostHandler() handleFunc {
|
|||
}
|
||||
|
||||
fileFlags := os.O_CREATE | os.O_WRONLY
|
||||
if r.URL.Query().Get("override") == "true" {
|
||||
fileFlags |= os.O_TRUNC
|
||||
}
|
||||
|
||||
// if file exists
|
||||
if file != nil {
|
||||
if file.IsDir {
|
||||
return http.StatusBadRequest, fmt.Errorf("cannot upload to a directory %s", file.RealPath())
|
||||
}
|
||||
|
||||
// Existing files will remain untouched unless explicitly instructed to override
|
||||
if r.URL.Query().Get("override") != "true" {
|
||||
return http.StatusConflict, nil
|
||||
}
|
||||
|
||||
// Permission for overwriting the file
|
||||
if !d.user.Perm.Modify {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
fileFlags |= os.O_TRUNC
|
||||
}
|
||||
|
||||
openFile, err := d.user.Fs.OpenFile(r.URL.Path, fileFlags, files.PermFile)
|
||||
if err != nil {
|
||||
return errToStatus(err), err
|
||||
}
|
||||
if err := openFile.Close(); err != nil {
|
||||
defer openFile.Close()
|
||||
|
||||
file, err = files.NewFileInfo(&files.FileOptions{
|
||||
Fs: d.user.Fs,
|
||||
Path: r.URL.Path,
|
||||
Modify: d.user.Perm.Modify,
|
||||
Expand: false,
|
||||
ReadHeader: false,
|
||||
Checker: d,
|
||||
Content: false,
|
||||
})
|
||||
if err != nil {
|
||||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
uploadLength, err := getUploadLength(r)
|
||||
if err != nil {
|
||||
return http.StatusBadRequest, fmt.Errorf("invalid upload length: %w", err)
|
||||
}
|
||||
|
||||
// Enables the user to utilize the PATCH endpoint for uploading file data
|
||||
registerUpload(file.RealPath(), uploadLength)
|
||||
|
||||
w.Header().Set("Location", "/api/tus/"+r.URL.Path)
|
||||
|
||||
return http.StatusCreated, nil
|
||||
})
|
||||
}
|
||||
|
|
@ -67,7 +156,7 @@ func tusPostHandler() handleFunc {
|
|||
func tusHeadHandler() handleFunc {
|
||||
return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
|
||||
w.Header().Set("Cache-Control", "no-store")
|
||||
if !d.Check(r.URL.Path) {
|
||||
if !d.user.Perm.Create || !d.Check(r.URL.Path) {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
|
|
@ -83,8 +172,13 @@ func tusHeadHandler() handleFunc {
|
|||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
uploadLength, err := getActiveUploadLength(file.RealPath())
|
||||
if err != nil {
|
||||
return http.StatusNotFound, err
|
||||
}
|
||||
|
||||
w.Header().Set("Upload-Offset", strconv.FormatInt(file.Size, 10))
|
||||
w.Header().Set("Upload-Length", "-1")
|
||||
w.Header().Set("Upload-Length", strconv.FormatInt(uploadLength, 10))
|
||||
|
||||
return http.StatusOK, nil
|
||||
})
|
||||
|
|
@ -92,7 +186,7 @@ func tusHeadHandler() handleFunc {
|
|||
|
||||
func tusPatchHandler() handleFunc {
|
||||
return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
|
||||
if !d.user.Perm.Modify || !d.Check(r.URL.Path) {
|
||||
if !d.user.Perm.Create || !d.Check(r.URL.Path) {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
if r.Header.Get("Content-Type") != "application/offset+octet-stream" {
|
||||
|
|
@ -101,7 +195,7 @@ func tusPatchHandler() handleFunc {
|
|||
|
||||
uploadOffset, err := getUploadOffset(r)
|
||||
if err != nil {
|
||||
return http.StatusBadRequest, fmt.Errorf("invalid upload offset: %w", err)
|
||||
return http.StatusBadRequest, fmt.Errorf("invalid upload offset")
|
||||
}
|
||||
|
||||
file, err := files.NewFileInfo(&files.FileOptions{
|
||||
|
|
@ -120,6 +214,15 @@ func tusPatchHandler() handleFunc {
|
|||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
uploadLength, err := getActiveUploadLength(file.RealPath())
|
||||
if err != nil {
|
||||
return http.StatusNotFound, err
|
||||
}
|
||||
|
||||
// Prevent the upload from being evicted during the transfer
|
||||
stop := keepUploadActive(file.RealPath())
|
||||
defer stop()
|
||||
|
||||
switch {
|
||||
case file.IsDir:
|
||||
return http.StatusBadRequest, fmt.Errorf("cannot upload to a directory %s", file.RealPath())
|
||||
|
|
@ -148,12 +251,60 @@ func tusPatchHandler() handleFunc {
|
|||
return http.StatusInternalServerError, fmt.Errorf("could not write to file: %w", err)
|
||||
}
|
||||
|
||||
w.Header().Set("Upload-Offset", strconv.FormatInt(uploadOffset+bytesWritten, 10))
|
||||
newOffset := uploadOffset + bytesWritten
|
||||
w.Header().Set("Upload-Offset", strconv.FormatInt(newOffset, 10))
|
||||
|
||||
if newOffset >= uploadLength {
|
||||
completeUpload(file.RealPath())
|
||||
_ = d.RunHook(func() error { return nil }, "upload", r.URL.Path, "", d.user)
|
||||
}
|
||||
|
||||
return http.StatusNoContent, nil
|
||||
})
|
||||
}
|
||||
|
||||
func tusDeleteHandler() handleFunc {
|
||||
return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
|
||||
if r.URL.Path == "/" || !d.user.Perm.Create {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
file, err := files.NewFileInfo(&files.FileOptions{
|
||||
Fs: d.user.Fs,
|
||||
Path: r.URL.Path,
|
||||
Modify: d.user.Perm.Modify,
|
||||
Expand: false,
|
||||
ReadHeader: d.server.TypeDetectionByHeader,
|
||||
Checker: d,
|
||||
})
|
||||
if err != nil {
|
||||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
_, err = getActiveUploadLength(file.RealPath())
|
||||
if err != nil {
|
||||
return http.StatusNotFound, err
|
||||
}
|
||||
|
||||
err = d.user.Fs.RemoveAll(r.URL.Path)
|
||||
if err != nil {
|
||||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
completeUpload(file.RealPath())
|
||||
|
||||
return http.StatusNoContent, nil
|
||||
})
|
||||
}
|
||||
|
||||
func getUploadLength(r *http.Request) (int64, error) {
|
||||
uploadOffset, err := strconv.ParseInt(r.Header.Get("Upload-Length"), 10, 64)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("invalid upload length: %w", err)
|
||||
}
|
||||
return uploadOffset, nil
|
||||
}
|
||||
|
||||
func getUploadOffset(r *http.Request) (int64, error) {
|
||||
uploadOffset, err := strconv.ParseInt(r.Header.Get("Upload-Offset"), 10, 64)
|
||||
if err != nil {
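Review bot: tusDeleteHandler authorizes on `d.user.Perm.Create` alone and then calls `d.user.Fs.RemoveAll(r.URL.Path)`; the only other gate is an entry in `activeUploads`, a package-level cache keyed by real path that records the upload length but not who started the upload. If two accounts can reach the same real path, one can cancel the other's in-progress upload through DELETE or write into it through PATCH (which this commit also moves from Modify to Create), including an override of an existing file that required Modify to start. I would store the uploader's identity next to the length when registerUpload is called and have the HEAD, PATCH and DELETE handlers reject a request from any other user. The delete handler is also the only one of the four that does not call `d.Check(r.URL.Path)` itself; presumably `Checker: d` inside `files.NewFileInfo` covers it, but an explicit check would match the others: `if r.URL.Path == "/" || !d.user.Perm.Create || !d.Check(r.URL.Path) {`.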
|
||||
|
|
|
|||