From 9af6519280c61f16b489f03985e2c5480dd75ae3 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Fri, 14 Jul 2017 07:51:32 +0100 Subject: [PATCH] Add User Permission check Former-commit-id: 7ebed9e49ec603879685519d1faf7ed3d83e1ac6 [formerly 31dbbd185fa977815ceb6ea249f13c6935043e0f] [formerly f5c6acbcaea7fe009c2c26c8e9f3c10ed302d702 [formerly 7889b8488d9b1341f685bb75def6bf61dd5a8b49]] Former-commit-id: 6f4a50f74ea9e573f1d520d91bec9f1d09213cca [formerly 957d5ecb7e92a81995eda1e41097beb21ef27f3f] Former-commit-id: 1503bc70e1ff6eab125278aade3493e5b7ab5a71 --- filemanager.go | 7 ++++--- resource.go | 14 +++++++++++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/filemanager.go b/filemanager.go index 5b8cd82f..dff16bc2 100644 --- a/filemanager.go +++ b/filemanager.go @@ -81,9 +81,10 @@ type User struct { CSS string `json:"css"` // These indicate if the user can perform certain actions. - AllowNew bool `json:"allowNew"` // Create files and folders - AllowEdit bool `json:"allowEdit"` // Edit/rename files - AllowCommands bool `json:"allowCommands"` // Execute commands + AllowNew bool `json:"allowNew"` // Create files and folders + AllowEdit bool `json:"allowEdit"` // Edit/rename files + AllowCommands bool `json:"allowCommands"` // Execute commands + Permissions map[string]bool `json:"permissions"` // Permissions added by plugins // Commands is the list of commands the user can execute. Commands []string `json:"commands"` diff --git a/resource.go b/resource.go index 615b12db..d852024a 100644 --- a/resource.go +++ b/resource.go @@ -116,7 +116,7 @@ func listingHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) ( func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { // Prevent the removal of the root directory. - if r.URL.Path == "/" { + if r.URL.Path == "/" || !c.User.AllowEdit { return http.StatusForbidden, nil } @@ -130,6 +130,14 @@ func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Req } func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { + if !c.User.AllowNew && r.Method == http.MethodPost { + return http.StatusForbidden, nil + } + + if !c.User.AllowEdit && r.Method == http.MethodPut { + return http.StatusForbidden, nil + } + // Checks if the current request is for a directory and not a file. if strings.HasSuffix(r.URL.Path, "/") { // If the method is PUT, we return 405 Method not Allowed, because @@ -179,6 +187,10 @@ func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Re } func resourcePatchHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { + if !c.User.AllowEdit { + return http.StatusForbidden, nil + } + dst := r.Header.Get("Destination") dst, err := url.QueryUnescape(dst) if err != nil {