diff --git a/core/models.py b/core/models.py index 12f4e683..1b1cb566 100644 --- a/core/models.py +++ b/core/models.py @@ -919,6 +919,35 @@ class SithFile(models.Model): class Meta: verbose_name = _("file") + def can_be_managed_by(self, user) -> bool: + """ + Tell if the user can manage the file (edit, delete, etc.) or not. + Apply the following rules: + - If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone -> return True + - If the file is in the SAS, only the SAS admins (or roots) can manage it -> return True if the user is in the SAS admin group or is a root + - If the file is in the profiles directory, only the roots can manage it -> return True if the user is a root + + Returns: + bool: True if the file is managed by the SAS or within the profiles directory, False otherwise + """ + + # If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone + profiles_dir = SithFile.objects.filter(name="profiles").first() + if not self.is_in_sas and not profiles_dir in self.get_parent_list(): + return True + + # If the file is in the SAS, only the SAS admins (or roots) can manage it + if self.is_in_sas and ( + user.is_in_group(settings.SITH_GROUP_SAS_ADMIN_ID) or user.is_root + ): + return True + + # If the file is in the profiles directory, only the roots can manage it + if profiles_dir in self.get_parent_list() and user.is_root: + return True + + return False + def is_owned_by(self, user): if user.is_anonymous: return False diff --git a/core/views/files.py b/core/views/files.py index 88ca6897..253f3475 100644 --- a/core/views/files.py +++ b/core/views/files.py @@ -163,6 +163,13 @@ class FileEditView(CanEditMixin, UpdateView): template_name = "core/file_edit.jinja" context_object_name = "file" + def get(self, request, *args, **kwargs): + self.object = self.get_object() + if not self.object.can_be_managed_by(request.user): + raise PermissionDenied + + return super(FileEditView, self).get(request, *args, **kwargs) + def get_form_class(self): fields = ["name", "is_moderated"] if self.object.is_file: @@ -208,6 +215,13 @@ class FileEditPropView(CanEditPropMixin, UpdateView): context_object_name = "file" form_class = FileEditPropForm + def get(self, request, *args, **kwargs): + self.object = self.get_object() + if not self.object.can_be_managed_by(request.user): + raise PermissionDenied + + return super(FileEditPropView, self).get(request, *args, **kwargs) + def get_form(self, form_class=None): form = super(FileEditPropView, self).get_form(form_class) form.fields["parent"].queryset = SithFile.objects.filter(is_folder=True) @@ -280,6 +294,9 @@ class FileView(CanViewMixin, DetailView, FormMixin): def get(self, request, *args, **kwargs): self.form = self.get_form() + if not self.object.can_be_managed_by(request.user): + raise PermissionDenied + if "clipboard" not in request.session.keys(): request.session["clipboard"] = [] return super(FileView, self).get(request, *args, **kwargs) @@ -327,6 +344,13 @@ class FileDeleteView(CanEditPropMixin, DeleteView): template_name = "core/file_delete_confirm.jinja" context_object_name = "file" + def get(self, request, *args, **kwargs): + self.object = self.get_object() + if not self.object.can_be_managed_by(request.user): + raise PermissionDenied + + return super(FileDeleteView, self).get(request, *args, **kwargs) + def get_success_url(self): self.object.file.delete() # Doing it here or overloading delete() is the same, so let's do it here if "next" in self.request.GET.keys():