From 7d6b6d5ccc0c7a2cd7a676aabc661003a7dc314f Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 06:41:55 -0800 Subject: [PATCH 1/8] q! --- .project | 17 +++++++++++++++ .pydevproject | 8 +++++++ .settings/org.eclipse.core.resources.prefs | 8 +++++++ AUTHORS | 1 + README.rst | 2 +- filebrowser/permissions.py | 25 ++++++++++++++++++++++ filebrowser/sites.py | 22 +++++++++++++++++++ 7 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 .project create mode 100644 .pydevproject create mode 100644 .settings/org.eclipse.core.resources.prefs create mode 100644 filebrowser/permissions.py diff --git a/.project b/.project new file mode 100644 index 000000000..d30dfcde3 --- /dev/null +++ b/.project @@ -0,0 +1,17 @@ + + + django-filebrowser-withperms + + + + + + org.python.pydev.PyDevBuilder + + + + + + org.python.pydev.pythonNature + + diff --git a/.pydevproject b/.pydevproject new file mode 100644 index 000000000..037bd251a --- /dev/null +++ b/.pydevproject @@ -0,0 +1,8 @@ + + + +/${PROJECT_DIR_NAME} + +python 2.7 +Default + diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs new file mode 100644 index 000000000..f47410d1a --- /dev/null +++ b/.settings/org.eclipse.core.resources.prefs @@ -0,0 +1,8 @@ +eclipse.preferences.version=1 +encoding//filebrowser/actions.py=utf-8 +encoding//filebrowser/base.py=utf-8 +encoding//filebrowser/decorators.py=utf-8 +encoding//filebrowser/sites.py=utf-8 +encoding//filebrowser/templatetags/fb_versions.py=utf-8 +encoding//filebrowser/utils.py=utf-8 +encoding//filebrowser/widgets.py=utf-8 diff --git a/AUTHORS b/AUTHORS index ca797aa05..3962112f2 100644 --- a/AUTHORS +++ b/AUTHORS @@ -3,3 +3,4 @@ Axel Swoboda Klemens Mantzos Vaclav Mikolasek Tim Graham +Antonio Angelino \ No newline at end of file diff --git a/README.rst b/README.rst index 3c32ea920..b95382210 100644 --- a/README.rst +++ b/README.rst 
@@ -1,4 +1,4 @@ -Django FileBrowser +Django FileBrowser with Permission management ================== **Media-Management with Grappelli**. diff --git a/filebrowser/permissions.py b/filebrowser/permissions.py new file mode 100644 index 000000000..84275d848 --- /dev/null +++ b/filebrowser/permissions.py @@ -0,0 +1,25 @@ +from django.db import models +from django.contrib.auth.models import Permission +from django.contrib.contenttypes.models import ContentType + + +class FileBrowserPermissionManager(models.Manager): + def get_queryset(self): + return super(FileBrowserPermissionManager, self).\ + get_queryset().filter(content_type__name='filebrowser_permission') + + +class FileBrowserPermission(Permission): + """Permission for the file browser, not attached to a model""" + + objects = FileBrowserPermissionManager() + + class Meta: + proxy = True + + def save(self, *args, **kwargs): + ct, created = ContentType.objects.get_or_create( + name="filebrowser", app_label=self._meta.app_label + ) + self.content_type = ct + super(FileBrowserPermission, self).save(*args, **kwargs) diff --git a/filebrowser/sites.py b/filebrowser/sites.py index 0fe683cdc..14c04e114 100644 --- a/filebrowser/sites.py +++ b/filebrowser/sites.py @@ -13,6 +13,7 @@ from django.template import RequestContext as Context from django.http import HttpResponseRedirect, HttpResponseBadRequest from django.contrib.admin.views.decorators import staff_member_required +from django.core.exceptions import PermissionDenied from django.views.decorators.cache import never_cache from django.utils.translation import ugettext as _ from django import forms @@ -283,6 +284,10 @@ def urls(self): def browse(self, request): "Browse Files/Directories." + + if request.user.has_perm('filebrowser.can_list_files'): + raise PermissionDenied + filter_re = [] for exp in EXCLUDE: filter_re.append(re.compile(exp)) 
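Review bot: The manager and `save()` in filebrowser/permissions.py disagree on the content type: `get_queryset()` filters on `content_type__name='filebrowser_permission'`, while `save()` attaches a ContentType created with `name="filebrowser"`. As written, `FileBrowserPermission.objects` would not return the rows this class saves, so any admin or audit code that lists file-browser permissions through the manager would see an empty set. Use the same value on both sides, e.g. `get_queryset().filter(content_type__name='filebrowser')`. Whether `self._meta.app_label` resolves to `filebrowser` for this proxy model is not visible here and should be confirmed, because the `has_perm('filebrowser.…')` checks in sites.py depend on it.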
@@ -594,3 +599,20 @@ def _upload_file(self, request): site.add_action(rotate_90_clockwise) site.add_action(rotate_90_counterclockwise) site.add_action(rotate_180) + +#Load default permissions +from filebrowser.permissions import FileBrowserPermission +from django.db.utils import IntegrityError +try: + FileBrowserPermission.objects.create(codename="can_list_files", name="Can List Files") + FileBrowserPermission.objects.create(codename="can_view_files", name="Can View Files") + FileBrowserPermission.objects.create(codename="can_add_files", name="Can Add Files") + FileBrowserPermission.objects.create(codename="can_edit_files", name="Can Edit Files") + FileBrowserPermission.objects.create(codename="can_delete_files", name="Can Delete Files") + + FileBrowserPermission.objects.create(codename="can_add_directories", name="Can Add Directories") + FileBrowserPermission.objects.create(codename="can_delete_directories", name="Can Delete Directories") + FileBrowserPermission.objects.create(codename="can_rename_directories", name="Can Rename Directories") +except IntegrityError: + #Ok, they are still there! + pass From 3b5a969f51e2bb7ab8a6e2cd7525108b5abc177e Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 06:42:52 -0800 Subject: [PATCH 2/8] q! --- .gitignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 1ccba37f3..64bb8c250 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,7 @@ dist *.egg-info *.pot .DS_store -fabfile.py \ No newline at end of file +fabfile.py +.settsettings +.project +.pydevproject From 5adb1adb3bdfe154c2533b51673108978ec7ce53 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 06:43:36 -0800 Subject: [PATCH 3/8] Added ecplise project files to .gitignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 64bb8c250..93fc5717f 100644 --- a/.gitignore +++ b/.gitignore 
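Review bot: The single `try` around all eight `create()` calls stops at the first `IntegrityError`, so once `can_list_files` exists none of the later permissions are attempted. This affects authorization: the `@@ -605,15 +630,13 @@` hunk in PATCH 7/8 inserts `can_rename_files` into this same block, and on a database already populated by this version that row would never be created, leaving the rename check unsatisfiable for non-superusers. The block also writes to the database at import time, where errors other than `IntegrityError` (for example a table that does not exist yet) are not handled; a post-schema-creation hook would be a safer place, though which hook fits this Django version is not visible here. Handling each permission separately fixes the first problem.

```python
for codename, name in (
    ("can_list_files", "Can List Files"),
    # … unchanged: the remaining codename/name pairs from the hunk …
):
    try:
        FileBrowserPermission.objects.create(codename=codename, name=name)
    except IntegrityError:
        # This permission already exists; keep going so newer ones are still added.
        pass
```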
@@ -5,6 +5,6 @@ dist *.pot .DS_store fabfile.py -.settsettings +.settings/ .project .pydevproject From 9cc2b8e90409c103277d96d0273815f9679f7b03 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 06:44:47 -0800 Subject: [PATCH 4/8] Removed Ecplise project files --- .project | 17 ----------------- .pydevproject | 8 -------- .settings/org.eclipse.core.resources.prefs | 8 -------- 3 files changed, 33 deletions(-) delete mode 100644 .project delete mode 100644 .pydevproject delete mode 100644 .settings/org.eclipse.core.resources.prefs diff --git a/.project b/.project deleted file mode 100644 index d30dfcde3..000000000 --- a/.project +++ /dev/null @@ -1,17 +0,0 @@ - - - django-filebrowser-withperms - - - - - - org.python.pydev.PyDevBuilder - - - - - - org.python.pydev.pythonNature - - diff --git a/.pydevproject b/.pydevproject deleted file mode 100644 index 037bd251a..000000000 --- a/.pydevproject +++ /dev/null @@ -1,8 +0,0 @@ - - - -/${PROJECT_DIR_NAME} - -python 2.7 -Default - diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs deleted file mode 100644 index f47410d1a..000000000 --- a/.settings/org.eclipse.core.resources.prefs +++ /dev/null @@ -1,8 +0,0 @@ -eclipse.preferences.version=1 -encoding//filebrowser/actions.py=utf-8 -encoding//filebrowser/base.py=utf-8 -encoding//filebrowser/decorators.py=utf-8 -encoding//filebrowser/sites.py=utf-8 -encoding//filebrowser/templatetags/fb_versions.py=utf-8 -encoding//filebrowser/utils.py=utf-8 -encoding//filebrowser/widgets.py=utf-8 From 73e44252563e132a1baeb5e3c8eabd1c3d65d258 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 06:49:51 -0800 Subject: [PATCH 5/8] Fixed if condition --- filebrowser/sites.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebrowser/sites.py b/filebrowser/sites.py index 14c04e114..d8601cf9e 100644 --- a/filebrowser/sites.py +++ b/filebrowser/sites.py 
@@ -285,7 +285,7 @@ def urls(self): def browse(self, request): "Browse Files/Directories." - if request.user.has_perm('filebrowser.can_list_files'): + if not request.user.has_perm('filebrowser.can_list_files'): raise PermissionDenied filter_re = [] From ffca8cee832dc86748abfa93cf780a136b6fb117 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 07:08:15 -0800 Subject: [PATCH 6/8] Added all permission checks --- filebrowser/sites.py | 1 + 1 file changed, 1 insertion(+) diff --git a/filebrowser/sites.py b/filebrowser/sites.py index d8601cf9e..e1e1753cb 100644 --- a/filebrowser/sites.py +++ b/filebrowser/sites.py @@ -286,6 +286,7 @@ def browse(self, request): "Browse Files/Directories." if not request.user.has_perm('filebrowser.can_list_files'): + print request.user.has_perm('filebrowser.can_list_files') raise PermissionDenied filter_re = [] From 6071746721ffb7e43a08a9ea654033a812828e50 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 07:16:30 -0800 Subject: [PATCH 7/8] Added all permission checks to sites.py --- filebrowser/sites.py | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/filebrowser/sites.py b/filebrowser/sites.py index e1e1753cb..9dc8635db 100644 --- a/filebrowser/sites.py +++ b/filebrowser/sites.py @@ -286,7 +286,6 @@ def browse(self, request): "Browse Files/Directories." if not request.user.has_perm('filebrowser.can_list_files'): - print request.user.has_perm('filebrowser.can_list_files') raise PermissionDenied filter_re = [] @@ -366,6 +365,10 @@ def filter_browse(item): def createdir(self, request): "Create Directory" + + if not request.user.has_perm('filebrowser.can_add_directories'): + raise PermissionDenied + from filebrowser.forms import CreateDirForm query = request.GET path = u'%s' % os.path.join(self.directory, query.get('dir', '')) 
@@ -402,6 +405,10 @@ def createdir(self, request): def upload(self, request): "Multipe File Upload." + + if not request.user.has_perm('filebrowser.can_add_files'): + raise PermissionDenied + query = request.GET return render_to_response('filebrowser/upload.html', { @@ -415,6 +422,10 @@ def upload(self, request): def delete_confirm(self, request): "Delete existing File/Directory." + + if not request.user.has_perm('filebrowser.can_delete_files'): + raise PermissionDenied + query = request.GET path = u'%s' % os.path.join(self.directory, query.get('dir', '')) fileobject = FileObject(os.path.join(path, query.get('filename', '')), site=self) @@ -447,6 +458,10 @@ def delete_confirm(self, request): }, context_instance=Context(request, current_app=self.name)) def delete(self, request): + + if not request.user.has_perm('filebrowser.can_delete_files'): + raise PermissionDenied + "Delete existing File/Directory." query = request.GET path = u'%s' % os.path.join(self.directory, query.get('dir', '')) @@ -470,6 +485,10 @@ def detail(self, request): Show detail page for a file. Rename existing File/Directory (deletes existing Image Versions/Thumbnails). """ + + if not request.user.has_perm('filebrowser.can_view_files'): + raise PermissionDenied + from filebrowser.forms import ChangeForm query = request.GET path = u'%s' % os.path.join(self.directory, query.get('dir', '')) @@ -483,6 +502,8 @@ def detail(self, request): try: action_response = None if action_name: + if not request.user.has_perm('filebrowser.can_edit_files'): + raise PermissionDenied action = self.get_action(action_name) # Pre-action signal signals.filebrowser_actions_pre_apply.send(sender=request, action_name=action_name, fileobject=[fileobject], site=self) 
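Review bot: The `can_add_files` check is added to `upload`, which in this hunk only renders `filebrowser/upload.html`; the method that appears to receive the file, `_upload_file` (named in the `@@ -594,3` and `@@ -605,15` hunk headers), is not touched by any patch in this series. If `_upload_file` is routed as its own URL, the permission can be bypassed by requests that go to that endpoint instead of the form page, so the same guard belongs at the top of that method: `if not request.user.has_perm('filebrowser.can_add_files'): raise PermissionDenied`. The body of `_upload_file` is outside the visible hunks, so confirm it has no equivalent check. The `delete_confirm` and `delete` hunks on this line gate "Delete existing File/Directory." on `can_delete_files` alone, which should be stated in their docstrings.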
@@ -490,12 +511,16 @@ def detail(self, request): action_response = action(request=request, fileobjects=[fileobject]) # Post-action signal signals.filebrowser_actions_post_apply.send(sender=request, action_name=action_name, fileobject=[fileobject], result=action_response, site=self) + if new_name != fileobject.filename: + if not request.user.has_perm('filebrowser.can_rename_files'): + raise PermissionDenied signals.filebrowser_pre_rename.send(sender=request, path=fileobject.path, name=fileobject.filename, new_name=new_name, site=self) fileobject.delete_versions() self.storage.move(fileobject.path, os.path.join(fileobject.head, new_name)) signals.filebrowser_post_rename.send(sender=request, path=fileobject.path, name=fileobject.filename, new_name=new_name, site=self) messages.add_message(request, messages.SUCCESS, _('Renaming was successful.')) + if isinstance(action_response, HttpResponse): return action_response if "_continue" in request.POST: 
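Review bot: The `can_rename_files` check runs after the action block above it has already executed, so a POST that carries both an action and a new name from a user with `can_edit_files` but not `can_rename_files` applies the action and fires its signals before failing with `PermissionDenied`. Authorization should be decided before any side effect: move the test ahead of `self.get_action(action_name)`, e.g. `if new_name != fileobject.filename and not request.user.has_perm('filebrowser.can_rename_files'): raise PermissionDenied`, assuming `new_name` is already bound at that point. The rename path also calls `fileobject.delete_versions()`, so a comment that `can_rename_files` implies removing generated versions would help. The enclosing `detail` method and the `except` clause of this `try` are outside the hunk; confirm that handler does not swallow `PermissionDenied`.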
@@ -605,15 +630,13 @@ def _upload_file(self, request): from filebrowser.permissions import FileBrowserPermission from django.db.utils import IntegrityError try: - FileBrowserPermission.objects.create(codename="can_list_files", name="Can List Files") - FileBrowserPermission.objects.create(codename="can_view_files", name="Can View Files") - FileBrowserPermission.objects.create(codename="can_add_files", name="Can Add Files") - FileBrowserPermission.objects.create(codename="can_edit_files", name="Can Edit Files") - FileBrowserPermission.objects.create(codename="can_delete_files", name="Can Delete Files") - - FileBrowserPermission.objects.create(codename="can_add_directories", name="Can Add Directories") - FileBrowserPermission.objects.create(codename="can_delete_directories", name="Can Delete Directories") - FileBrowserPermission.objects.create(codename="can_rename_directories", name="Can Rename Directories") + FileBrowserPermission.objects.create(codename="can_list_files", name="Can List Files") #OK + FileBrowserPermission.objects.create(codename="can_view_files", name="Can View Files") #OK + FileBrowserPermission.objects.create(codename="can_add_files", name="Can Add Files") #OK + FileBrowserPermission.objects.create(codename="can_edit_files", name="Can Edit Files") #OK + FileBrowserPermission.objects.create(codename="can_rename_files", name="Can Rename Files") #OK + FileBrowserPermission.objects.create(codename="can_delete_files", name="Can Delete Files") #OK + FileBrowserPermission.objects.create(codename="can_add_directories", name="Can Add Directories") #OK except IntegrityError: #Ok, they are still there! pass From 172d12046bab0a23ed1f01caac2e683cbacdf0a3 Mon Sep 17 00:00:00 2001 From: Antonio Angelino Date: Wed, 18 Feb 2015 07:37:00 -0800 Subject: [PATCH 8/8] Removed "with Permission management", moved delete perm check under the method comment --- README.rst | 2 +- filebrowser/sites.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
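Review bot: This list drops `can_delete_directories` and `can_rename_directories` (created by PATCH 1/8), and the trailing `#OK` comments do not say which permission now covers directory operations. From the checks added in this patch, `delete` and `delete_confirm` ("Delete existing File/Directory.") require only `can_delete_files`, and the rename path in `detail` requires `can_rename_files`, so the file permissions appear to extend to directories. Replace the `#OK` markers with a comment that states this, e.g. `# can_delete_files and can_rename_files also apply to directories`. Rows for the two removed codenames may remain in databases populated by the earlier version and could still be assigned to users even though nothing checks them.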
diff --git a/README.rst b/README.rst index b95382210..3c32ea920 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,4 @@ -Django FileBrowser with Permission management +Django FileBrowser ================== **Media-Management with Grappelli**. diff --git a/filebrowser/sites.py b/filebrowser/sites.py index 9dc8635db..5571debdb 100644 --- a/filebrowser/sites.py +++ b/filebrowser/sites.py @@ -458,11 +458,11 @@ def delete_confirm(self, request): }, context_instance=Context(request, current_app=self.name)) def delete(self, request): - + "Delete existing File/Directory." + if not request.user.has_perm('filebrowser.can_delete_files'): raise PermissionDenied - "Delete existing File/Directory." query = request.GET path = u'%s' % os.path.join(self.directory, query.get('dir', '')) fileobject = FileObject(os.path.join(path, query.get('filename', '')), site=self)