Secure Mediafiles and check view permissions

FinnStutzenstein 2017-08-30 12:58:51 +02:00
parent 97a1431c32
commit ab1f745be2
4 changed files with 19 additions and 4 deletions


@ -78,6 +78,7 @@ Mediafiles:
- Fixed reloading of PDF on page change [#3274]. - Fixed reloading of PDF on page change [#3274].
- Custom CKEditor plugin for browsing mediafiles [#3337]. - Custom CKEditor plugin for browsing mediafiles [#3337].
- Project images always in fullscreen [#3355]. - Project images always in fullscreen [#3355].
- Protect mediafiles for forbidden access [#3384].
General: General:
- Several bugfixes and minor improvements. - Several bugfixes and minor improvements.


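--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -75,8 +75,6 @@ angular.module('OpenSlidesApp.mediafiles.forms', [
 type: 'checkbox',
 templateOptions: {
 label: gettextCatalog.getString('Hidden'),
-description: gettextCatalog.getString('This does not protect the ' +
-'file but hides it for non authorized users.'),
 },
 hide: !operator.hasPerms('mediafiles.can_see_hidden'),
 },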


@ -1,3 +1,6 @@
from django.http import HttpResponseForbidden, HttpResponseNotFound
from django.views.static import serve
from ..utils.auth import has_perm from ..utils.auth import has_perm
from ..utils.rest_api import ModelViewSet, ValidationError from ..utils.rest_api import ModelViewSet, ValidationError
from .access_permissions import MediafileAccessPermissions from .access_permissions import MediafileAccessPermissions
@ -66,3 +69,16 @@ class MediafileViewSet(ModelViewSet):
mediafile = self.get_object() mediafile = self.get_object()
mediafile.mediafile.storage.delete(mediafile.mediafile.name) mediafile.mediafile.storage.delete(mediafile.mediafile.name)
return super().destroy(request, *args, **kwargs) return super().destroy(request, *args, **kwargs)
def protected_serve(request, path, document_root=None, show_indexes=False):
try:
mediafile = Mediafile.objects.get(mediafile=path)
except Mediafile.DoesNotExist:
return HttpResponseNotFound(content="Not found.")
if (not has_perm(request.user, 'mediafiles.can_see') or
(mediafile.hidden and not has_perm(request.user, 'mediafiles.can_see_hidden'))):
return HttpResponseForbidden(content="Forbidden.")
else:
return serve(request, path, document_root, show_indexes)
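Review bot: `Mediafile.objects.get(mediafile=path)` on the second line of protected_serve raises `MultipleObjectsReturned` if two rows ever share the same stored file name, so such a request would end in a 500 rather than a 403 or 404; unless the field is unique at the database level, `mediafile = Mediafile.objects.filter(mediafile=path).first()` followed by `if mediafile is None: return HttpResponseNotFound(content="Not found.")` is the safer lookup. The new view also has no docstring; a one-liner such as `"""Serve a mediafile only to users allowed to see it (hidden files additionally require mediafiles.can_see_hidden); paths unknown to the database are reported as not found."""` would state the contract. The check only covers requests that reach Django's URL dispatcher, so if a front-end web server is configured to serve MEDIA_URL directly it would bypass this view entirely — worth a sentence in the deployment documentation. The `else:` after `return HttpResponseForbidden(content="Forbidden.")` is redundant and the final `return serve(...)` can sit at function level. The import of `Mediafile` and the rest of the module are outside the hunk.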


@ -1,15 +1,15 @@
from django.conf import settings from django.conf import settings
from django.conf.urls import include, url from django.conf.urls import include, url
from django.views.generic import RedirectView from django.views.generic import RedirectView
from django.views.static import serve
from openslides.mediafiles.views import protected_serve
from openslides.utils.plugins import get_all_plugin_urlpatterns from openslides.utils.plugins import get_all_plugin_urlpatterns
from openslides.utils.rest_api import router from openslides.utils.rest_api import router
urlpatterns = get_all_plugin_urlpatterns() urlpatterns = get_all_plugin_urlpatterns()
urlpatterns += [ urlpatterns += [
url(r'^%s(?P<path>.*)$' % settings.MEDIA_URL.lstrip('/'), serve, {'document_root': settings.MEDIA_ROOT}), url(r'^%s(?P<path>.*)$' % settings.MEDIA_URL.lstrip('/'), protected_serve, {'document_root': settings.MEDIA_ROOT}),
url(r'^(?P<url>.*[^/])$', RedirectView.as_view(url='/%(url)s/', permanent=True)), url(r'^(?P<url>.*[^/])$', RedirectView.as_view(url='/%(url)s/', permanent=True)),
url(r'^rest/', include(router.urls)), url(r'^rest/', include(router.urls)),
url(r'^motions/', include('openslides.motions.urls')), url(r'^motions/', include('openslides.motions.urls')),