From f52ec6694696bc2ad600a1a58dcacc85a57cfac0 Mon Sep 17 00:00:00 2001
From: Julien Constant
Date: Wed, 5 Apr 2023 19:40:55 +0200
Subject: [PATCH] Fix #608
---
 core/views/files.py | 17 ++++++++++++++---
 locale/fr/LC_MESSAGES/django.po | 8 ++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/core/views/files.py b/core/views/files.py
index 2833dc7b..7dedade2 100644
--- a/core/views/files.py
+++ b/core/views/files.py
@@ -26,7 +26,6 @@ from django.utils.translation import gettext_lazy as _
 from django.http import HttpResponse
 from wsgiref.util import FileWrapper
 from django.urls import reverse
-from django.core.exceptions import PermissionDenied
 from django import forms
 import os
@@ -34,7 +33,14 @@ import os
 from ajax_select import make_ajax_field
 from core.models import SithFile, RealGroup, Notification
-from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, can_view, not_found
+from core.views import (
+ CanViewMixin,
+ CanEditMixin,
+ CanEditPropMixin,
+ can_view,
+ forbidden,
+ not_found,
+)
 from counter.models import Counter
@@ -55,9 +61,14 @@ def send_file(request, file_id, file_class=SithFile, file_attr="file"):
 ).exists()
 )
 ):
- raise PermissionDenied
+ return forbidden(request, _("You are not allowed to view this file"))
 name = f.__getattribute__(file_attr).name
 filepath = os.path.join(settings.MEDIA_ROOT, name)
+
+ # check if file exists on disk
+ if not os.path.exists(filepath.encode("utf-8")):
+ return not_found(request, _("File not found"))
+
 with open(filepath.encode("utf-8"), "rb") as filename:
 wrapper = FileWrapper(filename)
 response = HttpResponse(wrapper, content_type=f.mime_type)
diff --git a/locale/fr/LC_MESSAGES/django.po b/locale/fr/LC_MESSAGES/django.po
index b545b4a9..e93c947c 100644
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
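Review bot: In the `send_file` hunk of core/views/files.py, the new `os.path.exists(...)` guard also passes for a directory and leaves a window between the check and the `open(...)` two lines later, so a missing or non-regular file can still surface as an unhandled exception instead of the 404 page. Checking `if not os.path.isfile(filepath.encode("utf-8")):` covers the directory case, and catching `FileNotFoundError` around the `open` call and returning `not_found(request, _("File not found"))` there covers the race. `forbidden` is imported from `core.views` and is not shown in this diff, so it is worth confirming it answers with status 403, since the `raise PermissionDenied` it replaces did. `send_file` begins and ends outside the hunk.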
@@ -2519,6 +2519,14 @@ msgstr "Laverie"
 msgid "Files"
 msgstr "Fichiers"
+#: core/views/files.py:70
+msgid "File not found"
+msgstr "Fichier introuvable"
+
+#: core/views/files.py:64
+msgid "You are not allowed to view this file"
+msgstr "Vous n'êtes pas autorisé à voir ce fichier"
+
 #: core/templates/core/base.jinja:202 core/templates/core/user_tools.jinja:109
 msgid "Pedagogy"
 msgstr "Pédagogie"