From f9d6de9c39146e540322b71e65df5ca57173b2e7 Mon Sep 17 00:00:00 2001
From: ibuler
Date: Mon, 11 Sep 2023 11:13:34 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20private=20storage?=
 =?UTF-8?q?=20permission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/permissions.py | 2 +-
 apps/jumpserver/rewriting/storage/permissions.py | 2 ++
 apps/terminal/permissions.py | 6 ++++--
 apps/tickets/permissions/ticket.py | 4 ++--
 apps/users/permissions.py | 3 +--
 5 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index d28157085..5c58de68e 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -12,7 +12,7 @@ from common.utils import get_object_or_none
 from orgs.utils import tmp_to_root_org
 
 
-class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
+class IsValidUser(permissions.IsAuthenticated):
     """Allows access to valid user, is active and not expired"""
 
     def has_permission(self, request, view):
diff --git a/apps/jumpserver/rewriting/storage/permissions.py b/apps/jumpserver/rewriting/storage/permissions.py
index 51b1c9c40..7af0adece 100644
--- a/apps/jumpserver/rewriting/storage/permissions.py
+++ b/apps/jumpserver/rewriting/storage/permissions.py
@@ -16,6 +16,8 @@ def allow_access(private_file):
     path_base = path_list[1] if len(path_list) > 1 else None
     path_perm = path_perms_map.get(path_base, None)
 
+    if ".." in request_path:
+        return False
     if not path_perm:
         return False
     if path_perm == '*' or request.user.has_perms([path_perm]):
diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
index 1165c0570..e2e72e572 100644
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
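Review bot: The added `if ".." in request_path:` guard is a substring test, so it also rejects legitimate names that merely contain two consecutive dots (a file called `report..2023.log`, say) and gives the reader no hint why it is there; a per-segment test is both narrower and clearer, e.g. `if ".." in path_list:`, provided `path_list` is the `/`-split form of `request_path` as the `path_base` line suggests (its construction is outside the hunk). Whichever form is kept, a why-comment would help the next maintainer: `# Reject traversal segments: the permission looked up for path_base must govern the file actually served`. The guard is placed after `path_base` and `path_perm` are computed although nothing depends on that order, and it remains a URL-level check only, so the storage backend should still resolve the served path under its root rather than rely on this alone. `allow_access` starts and ends outside the hunk.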
@@ -1,13 +1,15 @@
 from rest_framework import permissions
+
 from common.utils import get_logger
 
 logger = get_logger(__file__)
 
-
 __all__ = ['IsSessionAssignee']
 
 
-class IsSessionAssignee(permissions.BasePermission):
+class IsSessionAssignee(permissions.IsAuthenticated):
+    def has_permission(self, request, view):
+        return False
 
     def has_object_permission(self, request, view, obj):
         try:
diff --git a/apps/tickets/permissions/ticket.py b/apps/tickets/permissions/ticket.py
index 29c7dd7b5..494d9ba1b 100644
--- a/apps/tickets/permissions/ticket.py
+++ b/apps/tickets/permissions/ticket.py
@@ -1,12 +1,12 @@
 from rest_framework import permissions
 
 
-class IsAssignee(permissions.BasePermission):
+class IsAssignee(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         return obj.has_current_assignee(request.user)
 
 
-class IsApplicant(permissions.BasePermission):
+class IsApplicant(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         return obj.applicant == request.user
 
diff --git a/apps/users/permissions.py b/apps/users/permissions.py
index 33081c5b3..37525517c 100644
--- a/apps/users/permissions.py
+++ b/apps/users/permissions.py
@@ -1,6 +1,5 @@
 from rest_framework import permissions
 
-from rbac.builtin import BuiltinRole
 from .utils import is_auth_password_time_valid
 
 
@@ -11,7 +10,7 @@ class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
            and is_auth_password_time_valid(request.session)
 
 
-class UserObjectPermission(permissions.BasePermission):
+class UserObjectPermission(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         if view.action not in ['update', 'partial_update', 'destroy']:
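Review bot: `has_permission` now returns `False` unconditionally, so the switch to `permissions.IsAuthenticated` is nominal — the base class's authentication check is never consulted — and any view that lists `IsSessionAssignee` on its own will deny every request before `has_object_permission` is reached. If the intent is an object-level-only permission that views OR-combine with a view-level one, that contract needs stating in a docstring, and it is worth checking against the installed DRF version: from DRF 3.14 the `OR` combinator, as far as I recall, only counts an operand's `has_object_permission` when that operand's `has_permission` also passes, which would leave this class granting nothing at all. Proposed docstring under the class line: `"""Object-level permission for session assignees; grants no view-level access and must be combined with a view-level permission."""`. The `try:` body of `has_object_permission` continues outside the hunk.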
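Review bot: `IsAssignee` and `IsApplicant` now require an authenticated user at view level, but neither class says what `obj` is expected to be (presumably a ticket, given `has_current_assignee`) or that the check only takes effect where the view runs its object-permission checks; a one-line docstring on each would make the contract explicit, e.g. `"""Object-level: allow the ticket's current assignee; view-level access requires an authenticated user."""` and `"""Object-level: allow the ticket's applicant; view-level access requires an authenticated user."""`. With the new base, `obj.applicant == request.user` is no longer evaluated against an anonymous user at object level, which is the tightening this commit is after; list and create paths still depend on whatever other permission classes the views declare, which are outside this diff.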