Should fix #109

Block les URLs suivantes lorsque le fichier se trouve dans le dir `profiles` ou `SAS` :
- `/file/<id>/`
- `/file/<id>/[delete|prop|edit]`

> Les urls du SAS restent accessiblent pour les roots & les admins SAS
> Les urls de profiles sont uniquement accessiblent aux roots

core/models.py

@@ -919,6 +919,35 @@ class SithFile(models.Model):
     class Meta:
         verbose_name = _("file")
 
+    def can_be_managed_by(self, user) -> bool:
+        """
+        Tell if the user can manage the file (edit, delete, etc.) or not.
+        Apply the following rules:
+            - If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone -> return True
+            - If the file is in the SAS, only the SAS admins (or roots) can manage it -> return True if the user is in the SAS admin group or is a root
+            - If the file is in the profiles directory, only the roots can manage it -> return True if the user is a root
+
+        Returns:
+            bool: True if the file is managed by the SAS or within the profiles directory, False otherwise
+        """
+
+        # If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone
+        profiles_dir = SithFile.objects.filter(name="profiles").first()
+        if not self.is_in_sas and not profiles_dir in self.get_parent_list():
+            return True
+
+        # If the file is in the SAS, only the SAS admins (or roots) can manage it
+        if self.is_in_sas and (
+            user.is_in_group(settings.SITH_GROUP_SAS_ADMIN_ID) or user.is_root
+        ):
+            return True
+
+        # If the file is in the profiles directory, only the roots can manage it
+        if profiles_dir in self.get_parent_list() and user.is_root:
+            return True
+
+        return False
+
     def is_owned_by(self, user):
         if user.is_anonymous:
             return False

core/views/files.py

@@ -163,6 +163,13 @@ class FileEditView(CanEditMixin, UpdateView):
     template_name = "core/file_edit.jinja"
     context_object_name = "file"
 
+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileEditView, self).get(request, *args, **kwargs)
+
     def get_form_class(self):
         fields = ["name", "is_moderated"]
         if self.object.is_file:
@@ -208,6 +215,13 @@ class FileEditPropView(CanEditPropMixin, UpdateView):
     context_object_name = "file"
     form_class = FileEditPropForm
 
+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileEditPropView, self).get(request, *args, **kwargs)
+
     def get_form(self, form_class=None):
         form = super(FileEditPropView, self).get_form(form_class)
         form.fields["parent"].queryset = SithFile.objects.filter(is_folder=True)
@@ -280,6 +294,9 @@ class FileView(CanViewMixin, DetailView, FormMixin):
 
     def get(self, request, *args, **kwargs):
         self.form = self.get_form()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
         if "clipboard" not in request.session.keys():
             request.session["clipboard"] = []
         return super(FileView, self).get(request, *args, **kwargs)
@@ -327,6 +344,13 @@ class FileDeleteView(CanEditPropMixin, DeleteView):
     template_name = "core/file_delete_confirm.jinja"
     context_object_name = "file"
 
+    def get(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if not self.object.can_be_managed_by(request.user):
+            raise PermissionDenied
+
+        return super(FileDeleteView, self).get(request, *args, **kwargs)
+
     def get_success_url(self):
         self.object.file.delete()  # Doing it here or overloading delete() is the same, so let's do it here
         if "next" in self.request.GET.keys():