ag-admin/OpenSlides
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3384 from FinnStutzenstein/SecureMedifiles

Browse Source 
Secure Mediafiles and check view permissions
This commit is contained in:
Norman Jäckel 2017-09-14 20:31:33 +02:00 committed by GitHub
commit 0eccd78b78
4 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG
View File

@ -85,6 +85,7 @@ Mediafiles:
- Fixed reloading of PDF on page change [#3274]. - Fixed reloading of PDF on page change [#3274].
- Custom CKEditor plugin for browsing mediafiles [#3337]. - Custom CKEditor plugin for browsing mediafiles [#3337].
- Project images always in fullscreen [#3355]. - Project images always in fullscreen [#3355].
- Protect mediafiles for forbidden access [#3384].
General: General:
- Several bugfixes and minor improvements. - Several bugfixes and minor improvements.

2
openslides/mediafiles/static/js/mediafiles/forms.js
View File

@ -75,8 +75,6 @@ angular.module('OpenSlidesApp.mediafiles.forms', [
type: 'checkbox', type: 'checkbox',
templateOptions: { templateOptions: {
label: gettextCatalog.getString('Hidden'), label: gettextCatalog.getString('Hidden'),
description: gettextCatalog.getString('This does not protect the ' +
'file but hides it for non authorized users.'),
}, },
hide: !operator.hasPerms('mediafiles.can_see_hidden'), hide: !operator.hasPerms('mediafiles.can_see_hidden'),
}, },

16
openslides/mediafiles/views.py
View File

@ -1,3 +1,6 @@
from django.http import HttpResponseForbidden, HttpResponseNotFound
from django.views.static import serve
from ..utils.auth import has_perm from ..utils.auth import has_perm
from ..utils.rest_api import ModelViewSet, ValidationError from ..utils.rest_api import ModelViewSet, ValidationError
from .access_permissions import MediafileAccessPermissions from .access_permissions import MediafileAccessPermissions
@ -66,3 +69,16 @@ class MediafileViewSet(ModelViewSet):
mediafile = self.get_object() mediafile = self.get_object()
mediafile.mediafile.storage.delete(mediafile.mediafile.name) mediafile.mediafile.storage.delete(mediafile.mediafile.name)
return super().destroy(request, *args, **kwargs) return super().destroy(request, *args, **kwargs)
def protected_serve(request, path, document_root=None, show_indexes=False):
try:
mediafile = Mediafile.objects.get(mediafile=path)
except Mediafile.DoesNotExist:
return HttpResponseNotFound(content="Not found.")
if (not has_perm(request.user, 'mediafiles.can_see') or
(mediafile.hidden and not has_perm(request.user, 'mediafiles.can_see_hidden'))):
return HttpResponseForbidden(content="Forbidden.")
else:
return serve(request, path, document_root, show_indexes)

4
openslides/urls.py
View File

@ -1,15 +1,15 @@
from django.conf import settings from django.conf import settings
from django.conf.urls import include, url from django.conf.urls import include, url
from django.views.generic import RedirectView from django.views.generic import RedirectView
from django.views.static import serve
from openslides.mediafiles.views import protected_serve
from openslides.utils.plugins import get_all_plugin_urlpatterns from openslides.utils.plugins import get_all_plugin_urlpatterns
from openslides.utils.rest_api import router from openslides.utils.rest_api import router
urlpatterns = get_all_plugin_urlpatterns() urlpatterns = get_all_plugin_urlpatterns()
urlpatterns += [ urlpatterns += [
url(r'^%s(?P<path>.*)$' % settings.MEDIA_URL.lstrip('/'), serve, {'document_root': settings.MEDIA_ROOT}), url(r'^%s(?P<path>.*)$' % settings.MEDIA_URL.lstrip('/'), protected_serve, {'document_root': settings.MEDIA_ROOT}),
url(r'^(?P<url>.*[^/])$', RedirectView.as_view(url='/%(url)s/', permanent=True)), url(r'^(?P<url>.*[^/])$', RedirectView.as_view(url='/%(url)s/', permanent=True)),
url(r'^rest/', include(router.urls)), url(r'^rest/', include(router.urls)),
url(r'^motions/', include('openslides.motions.urls')), url(r'^motions/', include('openslides.motions.urls')),