
Added fine grained permission checks #264


Open
wants to merge 8 commits into
base: master
5 changes: 4 additions & 1 deletion .gitignore
Expand Up @@ -4,4 +4,7 @@ dist
*.egg-info
*.pot
.DS_store
fabfile.py
fabfile.py
.settings/
.project
.pydevproject
1 change: 1 addition & 0 deletions AUTHORS
Expand Up @@ -3,3 +3,4 @@ Axel Swoboda <[email protected]>
Klemens Mantzos <[email protected]>
Vaclav Mikolasek <[email protected]>
Tim Graham <[email protected]>
Antonio Angelino <[email protected]>
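--- a/filebrowser/permissions.py
+++ b/filebrowser/permissions.py
@@ -0,0 +1,25 @@
+from django.db import models
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
+
+
+class FileBrowserPermissionManager(models.Manager):
+def get_queryset(self):
+return super(FileBrowserPermissionManager, self).\
+get_queryset().filter(content_type__name='filebrowser_permission')
+
+
+class FileBrowserPermission(Permission):
+"""Permission for the file browser, not attached to a model"""
+
+objects = FileBrowserPermissionManager()
+
+class Meta:
+proxy = True
+
+def save(self, *args, **kwargs):
+ct, created = ContentType.objects.get_or_create(
+name="filebrowser", app_label=self._meta.app_label
+)
+self.content_type = ct
+super(FileBrowserPermission, self).save(*args, **kwargs)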
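Review bot: The manager and `save()` disagree on the content type name: `get_queryset` filters on `content_type__name='filebrowser_permission'`, while `save()` attaches a ContentType created with `name="filebrowser"`. As written, `FileBrowserPermission.objects` would not return the rows this class saves. Use one value in both places, for example `get_queryset().filter(content_type__name='filebrowser')`. The `get_or_create` call also passes no `model`, so the ContentType row presumably ends up with an empty `model`; confirm that is intended and say so in the class docstring.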
46 changes: 46 additions & 0 deletions filebrowser/sites.py
Expand Up @@ -13,6 +13,7 @@
from django.template import RequestContext as Context
from django.http import HttpResponseRedirect, HttpResponseBadRequest
from django.contrib.admin.views.decorators import staff_member_required
from django.core.exceptions import PermissionDenied
from django.views.decorators.cache import never_cache
from django.utils.translation import ugettext as _
from django import forms
Expand Down Expand Up @@ -283,6 +284,10 @@ def urls(self):

def browse(self, request):
"Browse Files/Directories."

if not request.user.has_perm('filebrowser.can_list_files'):
raise PermissionDenied

filter_re = []
for exp in EXCLUDE:
filter_re.append(re.compile(exp))
Expand Down Expand Up @@ -360,6 +365,10 @@ def filter_browse(item):

def createdir(self, request):
"Create Directory"

if not request.user.has_perm('filebrowser.can_add_directories'):
raise PermissionDenied

from filebrowser.forms import CreateDirForm
query = request.GET
path = u'%s' % os.path.join(self.directory, query.get('dir', ''))
Expand Down Expand Up @@ -396,6 +405,10 @@ def createdir(self, request):

def upload(self, request):
"Multipe File Upload."

if not request.user.has_perm('filebrowser.can_add_files'):
raise PermissionDenied

query = request.GET

return render_to_response('filebrowser/upload.html', {
Expand All @@ -409,6 +422,10 @@ def upload(self, request):

def delete_confirm(self, request):
"Delete existing File/Directory."

if not request.user.has_perm('filebrowser.can_delete_files'):
raise PermissionDenied

query = request.GET
path = u'%s' % os.path.join(self.directory, query.get('dir', ''))
fileobject = FileObject(os.path.join(path, query.get('filename', '')), site=self)
Expand Down Expand Up @@ -442,6 +459,10 @@ def delete_confirm(self, request):

def delete(self, request):
"Delete existing File/Directory."

if not request.user.has_perm('filebrowser.can_delete_files'):
raise PermissionDenied

query = request.GET
path = u'%s' % os.path.join(self.directory, query.get('dir', ''))
fileobject = FileObject(os.path.join(path, query.get('filename', '')), site=self)
Expand All @@ -464,6 +485,10 @@ def detail(self, request):
Show detail page for a file.
Rename existing File/Directory (deletes existing Image Versions/Thumbnails).
"""

if not request.user.has_perm('filebrowser.can_view_files'):
raise PermissionDenied

from filebrowser.forms import ChangeForm
query = request.GET
path = u'%s' % os.path.join(self.directory, query.get('dir', ''))
Expand All @@ -477,19 +502,25 @@ def detail(self, request):
try:
action_response = None
if action_name:
if not request.user.has_perm('filebrowser.can_edit_files'):
raise PermissionDenied
action = self.get_action(action_name)
# Pre-action signal
signals.filebrowser_actions_pre_apply.send(sender=request, action_name=action_name, fileobject=[fileobject], site=self)
# Call the action to action
action_response = action(request=request, fileobjects=[fileobject])
# Post-action signal
signals.filebrowser_actions_post_apply.send(sender=request, action_name=action_name, fileobject=[fileobject], result=action_response, site=self)

if new_name != fileobject.filename:
if not request.user.has_perm('filebrowser.can_rename_files'):
raise PermissionDenied
signals.filebrowser_pre_rename.send(sender=request, path=fileobject.path, name=fileobject.filename, new_name=new_name, site=self)
fileobject.delete_versions()
self.storage.move(fileobject.path, os.path.join(fileobject.head, new_name))
signals.filebrowser_post_rename.send(sender=request, path=fileobject.path, name=fileobject.filename, new_name=new_name, site=self)
messages.add_message(request, messages.SUCCESS, _('Renaming was successful.'))

if isinstance(action_response, HttpResponse):
return action_response
if "_continue" in request.POST:
Expand Down Expand Up @@ -594,3 +625,18 @@ def _upload_file(self, request):
site.add_action(rotate_90_clockwise)
site.add_action(rotate_90_counterclockwise)
site.add_action(rotate_180)

#Load default permissions
from filebrowser.permissions import FileBrowserPermission
from django.db.utils import IntegrityError
try:
FileBrowserPermission.objects.create(codename="can_list_files", name="Can List Files") #OK
FileBrowserPermission.objects.create(codename="can_view_files", name="Can View Files") #OK
FileBrowserPermission.objects.create(codename="can_add_files", name="Can Add Files") #OK
FileBrowserPermission.objects.create(codename="can_edit_files", name="Can Edit Files") #OK
FileBrowserPermission.objects.create(codename="can_rename_files", name="Can Rename Files") #OK
FileBrowserPermission.objects.create(codename="can_delete_files", name="Can Delete Files") #OK
FileBrowserPermission.objects.create(codename="can_add_directories", name="Can Add Directories") #OK
except IntegrityError:
#Ok, they are still there!
pass
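Review bot: The `can_add_files` check in the `upload` hunk guards only the view that renders `filebrowser/upload.html`; no hunk in this section adds a check to `_upload_file`, which is named in the last hunk header and, judging by its name, is the handler that stores the uploaded file. If that is the case, the permission is enforced on the form page but not on the request that actually writes to storage. The same guard should open `_upload_file`: `if not request.user.has_perm('filebrowser.can_add_files'): raise PermissionDenied`. The body of `_upload_file` lies outside the visible hunks, so check any decorators or wrappers around it in the full file before relying on this.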