fix: check rules on http resource handlers

pull/1321/head
Ramires Viana 2021-03-10 17:38:11 +00:00
parent 6a734c0139
commit 5bf15548d0
1 changed files with 5 additions and 2 deletions


@ -91,7 +91,7 @@ func resourceDeleteHandler(fileCache FileCache) handleFunc {
func resourcePostHandler(fileCache FileCache) handleFunc { func resourcePostHandler(fileCache FileCache) handleFunc {
return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
if !d.user.Perm.Create { if !d.user.Perm.Create || !d.Check(r.URL.Path) {
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
@ -141,7 +141,7 @@ func resourcePostHandler(fileCache FileCache) handleFunc {
} }
var resourcePutHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { var resourcePutHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
if !d.user.Perm.Modify { if !d.user.Perm.Modify || !d.Check(r.URL.Path) {
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
@ -174,6 +174,9 @@ var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request,
dst := r.URL.Query().Get("destination") dst := r.URL.Query().Get("destination")
action := r.URL.Query().Get("action") action := r.URL.Query().Get("action")
dst, err := url.QueryUnescape(dst) dst, err := url.QueryUnescape(dst)
if !d.Check(src) || !d.Check(dst) {
return http.StatusForbidden, nil
}
if err != nil { if err != nil {
return errToStatus(err), err return errToStatus(err), err
} }
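Review bot: In the resourcePatchHandler hunk the new `if !d.Check(src) || !d.Check(dst)` guard sits above the `if err != nil` that handles `url.QueryUnescape(dst)`. On a decode failure the rules are therefore evaluated against the value the failed call returned (the standard library returns an empty string there), and the caller may get a 403 instead of the decode error. Moving the `if err != nil { return errToStatus(err), err }` block above the guard makes the rule check run only on a successfully decoded destination. It is also not visible on this page whether `src`, `dst` and `r.URL.Path` (used in the POST and PUT hunks) are cleaned before `Check`; if `Check` matches on prefixes or patterns, it should see the same normalised path that the later filesystem operation uses, and a test with `..` segments and doubled slashes would confirm that. The handler body and the derivation of `src` lie outside the hunk.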