Mirrors/filebrowser
1
0
Fork 0
mirror of https://github.com/filebrowser/filebrowser.git synced 2026-01-23 02:35:10 +00:00
Code Issues Projects Releases Wiki Activity

fix(security): check user permission to rename files

Browse source
This commit is contained in:
Oleg Lobanov 2020-06-06 17:45:51 +02:00
parent b8300b7121
commit 28672c0114
No known key found for this signature in database
GPG key ID: 7CC64E41212621B0
4 changed files with 40 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

34
http/resource.go
View file

@ -9,9 +9,8 @@ import (
"os"
"strings"
"github.com/filebrowser/filebrowser/v2/files"
"github.com/filebrowser/filebrowser/v2/errors"
"github.com/filebrowser/filebrowser/v2/files"
"github.com/filebrowser/filebrowser/v2/fileutils"
)
@ -119,7 +118,6 @@ var resourcePostPutHandler = withUser(func(w http.ResponseWriter, r *http.Reques
return errToStatus(err), err
})
//nolint: goconst
var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
src := r.URL.Path
dst := r.URL.Query().Get("destination")
@ -134,26 +132,22 @@ var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request,
return http.StatusForbidden, nil
}
switch action {
// TODO: use enum
case "copy":
if !d.user.Perm.Create {
return http.StatusForbidden, nil
}
case "rename":
default:
action = "rename"
if !d.user.Perm.Rename {
return http.StatusForbidden, nil
}
}
err = d.RunHook(func() error {
if action == "copy" {
switch action {
// TODO: use enum
case "copy":
if !d.user.Perm.Create {
return errors.ErrPermissionDenied
}
return fileutils.Copy(d.user.Fs, src, dst)
case "rename":
if !d.user.Perm.Rename {
return errors.ErrPermissionDenied
}
return d.user.Fs.Rename(src, dst)
default:
return fmt.Errorf("unsupported action %s: %w", action, errors.ErrInvalidRequestParams)
}
return d.user.Fs.Rename(src, dst)
}, action, src, dst, d.user)
return errToStatus(err), err

11
http/utils.go
View file

@ -2,12 +2,13 @@ package http
import (
"encoding/json"
"errors"
"net/http"
"net/url"
"os"
"strings"
"github.com/filebrowser/filebrowser/v2/errors"
libErrors "github.com/filebrowser/filebrowser/v2/errors"
)
func renderJSON(w http.ResponseWriter, _ *http.Request, data interface{}) (int, error) {
@ -31,10 +32,14 @@ func errToStatus(err error) int {
return http.StatusOK
case os.IsPermission(err):
return http.StatusForbidden
case os.IsNotExist(err), err == errors.ErrNotExist:
case os.IsNotExist(err), err == libErrors.ErrNotExist:
return http.StatusNotFound
case os.IsExist(err), err == errors.ErrExist:
case os.IsExist(err), err == libErrors.ErrExist:
return http.StatusConflict
case errors.Is(err, libErrors.ErrPermissionDenied):
return http.StatusForbidden
case errors.Is(err, libErrors.ErrInvalidRequestParams):
return http.StatusBadRequest
default:
return http.StatusInternalServerError
}