Beispiel #1
 def test_delete(self):
     """Check the 'delete' permission and that deleting flags the file.

     The student account (user1) must be refused, the staff account
     (staff1) must be allowed, and after ``delete()`` the file's
     ``deleted`` attribute must be truthy.
     """
     target = self.file1

     # Authorization: deny the student first, then allow staff.
     student_may_delete = ExternalFile.can(target, self.user1, 'delete')
     self.assertFalse(student_may_delete)
     staff_may_delete = ExternalFile.can(target, self.staff1, 'delete')
     self.assertTrue(staff_may_delete)

     # The deletion itself is invoked directly on the file, not through a
     # permission-checked endpoint.
     target.delete()
     self.assertTrue(target.deleted)
Beispiel #2
 def test_delete(self):
     """Verify who may delete file1 and that delete() marks it deleted.

     user1 (a student) is expected to be denied the 'delete' action and
     staff1 to be granted it.
     """
     # Each pair is (account, assertion to apply to the permission result).
     expectations = (
         (self.user1, self.assertFalse),
         (self.staff1, self.assertTrue),
     )
     for account, check in expectations:
         check(ExternalFile.can(self.file1, account, 'delete'))

     self.file1.delete()
     self.assertTrue(self.file1.deleted)
Beispiel #3
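def file_download(file_id, user):
    """Serve a stored file to ``user`` if they hold the 'download' permission.

    Looks up the non-deleted ``ExternalFile`` with id ``file_id`` and asks
    ``ExternalFile.can`` whether ``user`` may download it. An unknown id and a
    refused permission take the same ``abort(404)`` branch, so the response
    does not tell the caller which of the two happened.

    With the local storage provider the object is streamed back as an
    attachment; with any other provider the caller is redirected to the URL
    returned by ``storage.get_blob_url``.

    Args:
        file_id: id of the ExternalFile row to serve.
        user: requesting user; ``user.email`` is logged when access is refused.

    Returns:
        A streaming ``Response`` (local storage) or the result of ``redirect``.
    """
    ext_file = ExternalFile.query.filter_by(id=file_id, deleted=False).first()
    if not ext_file or not ExternalFile.can(ext_file, user, 'download'):
        logger.info("Access file without permission by {0}".format(user.email))
        abort(404)

    try:
        storage_obj = ext_file.object()
    except libcloud.common.types.InvalidCredsError:
        # A credential failure against the storage backend is reported to the
        # client as a missing file; the details only go to the log.
        logger.warning("Could not get file {0} - {1}".format(file_id, ext_file.filename),
                       exc_info=True)
        storage_obj = None

    if storage_obj is None:
        abort(404, "File does not exist")
    basename = os.path.basename(ext_file.filename)
    # Do not use .download_url for local storage.
    if storage.provider == libcloud.storage.types.Provider.LOCAL:
        response = Response(storage.get_object_stream(storage_obj),
                            mimetype=ext_file.mimetype)
        # The body is served with the stored mimetype, so these headers keep a
        # browser from sniffing or rendering it as active content.
        response.headers["Content-Security-Policy"] = "default-src 'none';"
        response.headers["X-Content-Type-Options"] = "nosniff"
        # The stored name goes into a header value (presumably it comes from
        # the upload -- confirm). Drop control characters and send it as a
        # quoted-string so spaces, ';' or '"' in the name cannot split or
        # extend the Content-Disposition parameters.
        # NOTE(review): names outside Latin-1 would additionally need the
        # RFC 6266 ``filename*`` form.
        header_name = "".join(
            ch for ch in basename if ord(ch) >= 32 and ord(ch) != 127)
        header_name = header_name.replace("\\", "\\\\").replace('"', '\\"')
        response.headers["Content-Disposition"] = (
            'attachment; filename="{0!s}"'.format(header_name))
        return response
    else:
        # NOTE(review): '&' is appended unconditionally, which assumes
        # get_blob_url returns a URL that already carries a query string --
        # confirm against the storage wrapper.
        postpend = '&'
        if request.args.get('raw'):
            # NOTE(review): with ?raw the store is asked to serve the stored
            # mimetype without an attachment disposition; the CSP and nosniff
            # headers set on the local branch are not applied here.
            postpend += urlencode({'response-content-type': ext_file.mimetype})
        elif request.args.get('download'):
            postpend += urlencode({'response-content-disposition': 'attachment',
                                   'filename': basename})
        url = storage.get_blob_url(storage_obj.name)
        return redirect(url + postpend)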
    def test_permission(self):
        """Check the 'download' permission matrix for file1 and file2."""
        # Rows are (file, account, expected to be allowed).
        matrix = (
            # Students can not access files of staff
            (self.file1, self.staff1, True),
            (self.file1, self.user1, False),
            (self.file1, self.lab_assistant1, False),
            # Staff and student can access student files; another student
            # (user2) can not.
            (self.file2, self.user1, True),
            (self.file2, self.staff1, True),
            (self.file2, self.user2, False),
        )
        for ext_file, account, allowed in matrix:
            check = self.assertTrue if allowed else self.assertFalse
            check(ExternalFile.can(ext_file, account, 'download'))
Beispiel #5
    def test_permission(self):
        """Verify which accounts hold 'download' on file1 and on file2."""
        staff_file = self.file1
        student_file = self.file2

        # Students can not access files of staff; the lab assistant is
        # refused as well.
        staff_on_staff_file = ExternalFile.can(staff_file, self.staff1, 'download')
        self.assertTrue(staff_on_staff_file)
        student_on_staff_file = ExternalFile.can(staff_file, self.user1, 'download')
        self.assertFalse(student_on_staff_file)
        assistant_on_staff_file = ExternalFile.can(
            staff_file, self.lab_assistant1, 'download')
        self.assertFalse(assistant_on_staff_file)

        # Staff and student can access student files; user2 is refused.
        owner_on_student_file = ExternalFile.can(student_file, self.user1, 'download')
        self.assertTrue(owner_on_student_file)
        staff_on_student_file = ExternalFile.can(student_file, self.staff1, 'download')
        self.assertTrue(staff_on_student_file)
        other_on_student_file = ExternalFile.can(student_file, self.user2, 'download')
        self.assertFalse(other_on_student_file)
Beispiel #6
    def test_group_permission(self):
        """Check that 'download' on file2 widens only after a group invite is accepted."""
        def may_download(account):
            # Permission is re-evaluated on every call, so the same helper
            # serves both the before and the after checks.
            return ExternalFile.can(self.file2, account, 'download')

        Group.invite(self.user1, self.user2, self.assignment)
        group = Group.lookup(self.user1, self.assignment)

        # A pending invitation grants nothing: user1 and staff1 may download,
        # the invited user2 may not.
        self.assertTrue(may_download(self.user1))
        self.assertTrue(may_download(self.staff1))
        self.assertFalse(may_download(self.user2))

        group.accept(self.user2)

        # After acceptance user2 is allowed too; user3 stays refused.
        self.assertTrue(may_download(self.user1))
        self.assertTrue(may_download(self.staff1))
        self.assertTrue(may_download(self.user2))
        self.assertFalse(may_download(self.user3))
Beispiel #7
    def test_group_permission(self):
        """Verify 'download' on file2 before and after user2 accepts a group invite."""
        Group.invite(self.user1, self.user2, self.assignment)
        group = Group.lookup(self.user1, self.assignment)

        # While the invitation is pending, user2 must still be refused.
        before_accept = (
            (self.user1, self.assertTrue),
            (self.staff1, self.assertTrue),
            (self.user2, self.assertFalse),
        )
        for account, check in before_accept:
            check(ExternalFile.can(self.file2, account, 'download'))

        group.accept(self.user2)

        # Once accepted, user2 gains access; user3 remains refused.
        after_accept = (
            (self.user1, self.assertTrue),
            (self.staff1, self.assertTrue),
            (self.user2, self.assertTrue),
            (self.user3, self.assertFalse),
        )
        for account, check in after_accept:
            check(ExternalFile.can(self.file2, account, 'download'))
Beispiel #8
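def file_download(file_id, user):
    """Return the stored file ``file_id`` to ``user`` when 'download' is permitted.

    The lookup only matches rows with ``deleted=False``. A row that is not
    found and a permission that is refused both end in the same
    ``abort(404)``, so the two cases look identical to the caller.

    On the local storage provider the object is streamed as an attachment;
    otherwise the caller is redirected to ``storage.get_blob_url(...)``.

    Args:
        file_id: id of the ExternalFile row to serve.
        user: requesting user; ``user.email`` is written to the log on refusal.

    Returns:
        A streaming ``Response`` (local storage) or the result of ``redirect``.
    """
    ext_file = ExternalFile.query.filter_by(id=file_id, deleted=False).first()
    if not ext_file or not ExternalFile.can(ext_file, user, 'download'):
        logger.info("Access file without permission by {0}".format(user.email))
        abort(404)

    try:
        storage_obj = ext_file.object()
    except libcloud.common.types.InvalidCredsError:
        # Backend credential errors are logged with a traceback and surfaced
        # to the client as a plain 404 below.
        logger.warning("Could not get file {0} - {1}".format(
            file_id, ext_file.filename),
                       exc_info=True)
        storage_obj = None

    if storage_obj is None:
        abort(404, "File does not exist")
    basename = os.path.basename(ext_file.filename)
    # Do not use .download_url for local storage.
    if storage.provider == libcloud.storage.types.Provider.LOCAL:
        response = Response(storage.get_object_stream(storage_obj),
                            mimetype=ext_file.mimetype)
        # The stored mimetype is echoed back, so forbid sniffing and any
        # sub-resource loading in case a browser renders the body.
        response.headers["Content-Security-Policy"] = "default-src 'none';"
        response.headers["X-Content-Type-Options"] = "nosniff"
        # The file name is placed inside a header value (presumably taken
        # from the upload -- confirm). Strip control characters and emit a
        # quoted-string so spaces, ';' or '"' cannot break out of the
        # filename parameter.
        # NOTE(review): names outside Latin-1 would additionally need the
        # RFC 6266 ``filename*`` form.
        printable = "".join(
            ch for ch in basename if ord(ch) >= 32 and ord(ch) != 127)
        quoted = printable.replace("\\", "\\\\").replace('"', '\\"')
        response.headers["Content-Disposition"] = (
            'attachment; filename="{0!s}"'.format(quoted))
        return response
    else:
        # NOTE(review): the leading '&' is added even when no parameter
        # follows and assumes get_blob_url already returns a URL with a query
        # string -- confirm against the storage wrapper.
        postpend = '&'
        if request.args.get('raw'):
            # NOTE(review): ?raw asks the store for the stored mimetype with
            # no attachment disposition; the CSP and nosniff headers of the
            # local branch do not apply to the redirected response.
            postpend += urlencode({'response-content-type': ext_file.mimetype})
        elif request.args.get('download'):
            postpend += urlencode({
                'response-content-disposition': 'attachment',
                'filename': basename
            })
        url = storage.get_blob_url(storage_obj.name)
        return redirect(url + postpend)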