github
/
filebrowser
mirror of https://github.com/filebrowser/filebrowser
1
0
Fork 0
Code Issues Releases Wiki Activity

Add User Permission check 

Former-commit-id: 7ebed9e49ec603879685519d1faf7ed3d83e1ac6 [formerly 31dbbd185fa977815ceb6ea249f13c6935043e0f] [formerly f5c6acbcaea7fe009c2c26c8e9f3c10ed302d702 [formerly 7889b8488d]]
Former-commit-id: 6f4a50f74ea9e573f1d520d91bec9f1d09213cca [formerly 957d5ecb7e92a81995eda1e41097beb21ef27f3f]
Former-commit-id: 1503bc70e1ff6eab125278aade3493e5b7ab5a71
pull/726/head
Henrique Dias 2017-07-14 07:51:32 +01:00
parent fc1a78bb27
commit 9af6519280
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
filemanager.go
View File

@ -81,9 +81,10 @@ type User struct {
CSS string `json:"css"` CSS string `json:"css"`
// These indicate if the user can perform certain actions. // These indicate if the user can perform certain actions.
AllowNew bool `json:"allowNew"` // Create files and folders AllowNew bool `json:"allowNew"` // Create files and folders
AllowEdit bool `json:"allowEdit"` // Edit/rename files AllowEdit bool `json:"allowEdit"` // Edit/rename files
AllowCommands bool `json:"allowCommands"` // Execute commands AllowCommands bool `json:"allowCommands"` // Execute commands
Permissions map[string]bool `json:"permissions"` // Permissions added by plugins
// Commands is the list of commands the user can execute. // Commands is the list of commands the user can execute.
Commands []string `json:"commands"` Commands []string `json:"commands"`

14
resource.go
View File

@ -116,7 +116,7 @@ func listingHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (
func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
// Prevent the removal of the root directory. // Prevent the removal of the root directory.
if r.URL.Path == "/" { if r.URL.Path == "/" || !c.User.AllowEdit {
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
@ -130,6 +130,14 @@ func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Req
} }
func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
if !c.User.AllowNew && r.Method == http.MethodPost {
return http.StatusForbidden, nil
}
if !c.User.AllowEdit && r.Method == http.MethodPut {
return http.StatusForbidden, nil
}
// Checks if the current request is for a directory and not a file. // Checks if the current request is for a directory and not a file.
if strings.HasSuffix(r.URL.Path, "/") { if strings.HasSuffix(r.URL.Path, "/") {
// If the method is PUT, we return 405 Method not Allowed, because // If the method is PUT, we return 405 Method not Allowed, because
@ -179,6 +187,10 @@ func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Re
} }
func resourcePatchHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { func resourcePatchHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
if !c.User.AllowEdit {
return http.StatusForbidden, nil
}
dst := r.Header.Get("Destination") dst := r.Header.Get("Destination")
dst, err := url.QueryUnescape(dst) dst, err := url.QueryUnescape(dst)
if err != nil { if err != nil {