[FIX] Correction de bugs (#617)

* Fix #600 * Fix #602 * Fixes & améliorations du nouveau CSS (#616) * Fix #604 * should fix #605 * Fix #608 * Update core/views/site.py Co-Authored-By: thomas girod <56346771+imperosol@users.noreply.github.com> * Added back the permission denied * Should fix #609 * Fix failing test when 2 user are merged * Should fix #610 * Should fix #627 * Should fix #109 Block les URLs suivantes lorsque le fichier se trouve dans le dir `profiles` ou `SAS` : - `/file/<id>/` - `/file/<id>/[delete|prop|edit]` > Les urls du SAS restent accessiblent pour les roots & les admins SAS > Les urls de profiles sont uniquement accessiblent aux roots * Fix root dir of SAS being unnaccessible for sas admins ⚠️ need to edit the SAS directory & save it (no changes required in sas directory properties) * Remove overwritten code * Should fix duplicated albums in user profile (wtf) * Fix typo * Extended profiles picture access to board members * Should fix #607 * Fix keyboard navigation not working properly * Fix user tagged pictures section inside python rather than in the template * Update utils.py * Apply suggested changes * Fix #604 * Fix #608 * Added back the permission denied * Should fix duplicated albums in user profile (wtf) * Fix user tagged pictures section inside python rather than in the template * Apply suggested changes --------- Co-authored-by: thomas girod <56346771+imperosol@users.noreply.github.com>
2025-07-11 04:19:25 +00:00 · 2023-05-02 13:07:36 +02:00
parent ef968f3673
commit b30ee0a27a
17 changed files with 189 additions and 35 deletions
--- a/core/views/files.py
+++ b/core/views/files.py
@ -23,7 +23,7 @@ from django.views.generic.detail import SingleObjectMixin
 from django.forms.models import modelform_factory
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
-from django.http import HttpResponse
+from django.http import Http404, HttpResponse
 from wsgiref.util import FileWrapper
 from django.urls import reverse
 from django.core.exceptions import PermissionDenied
@ -34,7 +34,12 @@ import os
 from ajax_select import make_ajax_field

 from core.models import SithFile, RealGroup, Notification
-from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, can_view, not_found
+from core.views import (
+    CanViewMixin,
+    CanEditMixin,
+    CanEditPropMixin,
+    can_view,
+)
 from counter.models import Counter


@ -58,6 +63,11 @@ def send_file(request, file_id, file_class=SithFile, file_attr="file"):
        raise PermissionDenied
    name = f.__getattribute__(file_attr).name
    filepath = os.path.join(settings.MEDIA_ROOT, name)
+
+    # check if file exists on disk
+    if not os.path.exists(filepath.encode("utf-8")):
+        raise Http404()
+
    with open(filepath.encode("utf-8"), "rb") as filename:
        wrapper = FileWrapper(filename)
        response = HttpResponse(wrapper, content_type=f.mime_type)
@ -152,6 +162,13 @@ class FileEditView(CanEditMixin, UpdateView):
    template_name = "core/file_edit.jinja"
    context_object_name = "file"

+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileEditView, self).get(request, *args, **kwargs)
+
    def get_form_class(self):
        fields = ["name", "is_moderated"]
        if self.object.is_file:
@ -197,6 +214,13 @@ class FileEditPropView(CanEditPropMixin, UpdateView):
    context_object_name = "file"
    form_class = FileEditPropForm

+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileEditPropView, self).get(request, *args, **kwargs)
+
    def get_form(self, form_class=None):
        form = super(FileEditPropView, self).get_form(form_class)
        form.fields["parent"].queryset = SithFile.objects.filter(is_folder=True)
@ -269,6 +293,9 @@ class FileView(CanViewMixin, DetailView, FormMixin):

    def get(self, request, *args, **kwargs):
        self.form = self.get_form()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
        if "clipboard" not in request.session.keys():
            request.session["clipboard"] = []
        return super(FileView, self).get(request, *args, **kwargs)
@ -316,6 +343,13 @@ class FileDeleteView(CanEditPropMixin, DeleteView):
    template_name = "core/file_delete_confirm.jinja"
    context_object_name = "file"

+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileDeleteView, self).get(request, *args, **kwargs)
+
    def get_success_url(self):
        self.object.file.delete()  # Doing it here or overloading delete() is the same, so let's do it here
        if "next" in self.request.GET.keys():