def wrapped_f(*args, **kwargs):
    """Check the share root and requested sub-path, then call ``f``.

    ``self`` and ``f`` are free variables supplied by the enclosing scope
    (presumably a decorator object's ``__call__``; not visible here).

    Steps, in order:
      1. If ``kwargs[self.share_param]`` is truthy and not already a
         ``Share``, resolve it with ``Share.get_by_slug_or_id``; a
         ``Share.DoesNotExist`` is answered with the error template.
      2. The share's real path must be accepted by
         ``paths_contain(settings.DIRECTORY_WHITELIST, ...)``.
      3. If ``kwargs[self.path_param]`` is not None it is passed to
         ``test_path`` and, when a share is present, the joined path must
         also be accepted by the whitelist check.

    Raises:
        Exception: when the share root or the joined path is rejected by
            the whitelist check.
    """
    # Imported at call time rather than at module import.
    from bioshareX.models import Share

    share = kwargs.get(self.share_param)
    if share:
        if not isinstance(share, Share):
            try:
                share = Share.get_by_slug_or_id(share)
            except Share.DoesNotExist:
                # NOTE(review): an unknown share is answered with HTTP 500
                # rather than a not-found status - confirm this is intended.
                return render(
                    args[0],
                    'errors/message.html',
                    {'message': 'No share with that ID exists.'},
                    status=500)
        root_allowed = paths_contain(settings.DIRECTORY_WHITELIST,
                                     share.get_realpath())
        if not root_allowed:
            raise Exception(
                'Share has an invalid root path: %s' % share.get_realpath())

    subpath = kwargs.get(self.path_param)
    if subpath is None:
        # Nothing path-like to validate; hand over to the wrapped callable.
        return f(*args, **kwargs)

    test_path(subpath)
    if share:
        # NOTE(review): the share root check above uses get_realpath(), but
        # this joined path is built from get_path() and is not resolved
        # here. Whether paths_contain()/test_path() normalise '..' segments
        # or symlinks is not visible in this block - confirm.
        candidate = os.path.join(share.get_path(), subpath)
        if not paths_contain(settings.DIRECTORY_WHITELIST, candidate):
            raise Exception(
                'Illegal path encountered, %s, %s' % (share.get_path(), subpath))
    return f(*args, **kwargs)
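def wrapped_f(*args, **kwargs):
    """Resolve the share and enforce ``self.perms`` before calling ``f``.

    ``self`` and ``f`` are free variables supplied by the enclosing scope
    (presumably a decorator object's ``__call__``; not visible here).
    ``args[0]`` is used as the request object.

    The share named by ``kwargs[self.share_param]`` is looked up and the
    resolved ``Share`` replaces the raw value in ``kwargs``. Each
    permission in ``self.perms`` must be present in
    ``share.get_user_permissions(request.user)``, except that
    'view_share_files' and 'download_share_files' are not required when
    ``share.secure`` is falsy.

    On the first missing permission the wrapper returns:
      * AJAX, unauthenticated  -> JsonResponse with HTTP 401
      * AJAX, authenticated    -> json_error([...])
      * other, unauthenticated -> redirect to the login URL with ``next``
      * other, authenticated   -> redirect('forbidden')
    """
    # Imported at call time rather than at module import.
    from bioshareX.models import Share

    try:
        share = Share.get_by_slug_or_id(kwargs[self.share_param])
    except Share.DoesNotExist:
        # NOTE(review): an unknown share is answered with HTTP 500 rather
        # than a not-found status - confirm this is intended.
        return render(args[0], 'errors/message.html',
                      {'message': 'No share with that ID exists.'},
                      status=500)
    kwargs[self.share_param] = share
    request = args[0]
    user_permissions = share.get_user_permissions(request.user)
    for perm in self.perms:
        # Non-secure shares do not require view/download permissions.
        if not share.secure and perm in ['view_share_files',
                                         'download_share_files']:
            continue
        if perm not in user_permissions:
            if request.is_ajax():
                if not request.user.is_authenticated():
                    return JsonResponse(
                        {
                            'status': 'error',
                            'unauthenticated': True,
                            'errors': ['You do not have access to this resource.']
                        },
                        status=status.HTTP_401_UNAUTHORIZED)
                return json_error(['You do not have access to this resource.'])
            if not request.user.is_authenticated():
                # NOTE(review): get_full_path() is appended without further
                # encoding, so a query string containing '&' would be split
                # across parameters; confirm the login view validates
                # `next` before redirecting to it.
                url = reverse('login') + '?next=%s' % request.get_full_path()
                return redirect(url)
            return redirect('forbidden')
    return f(*args, **kwargs)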
def wrapped_f(*args, **kwargs):
    """Check the share root and requested sub-path, then call ``f``.

    ``self`` and ``f`` are free variables supplied by the enclosing scope
    (presumably a decorator object's ``__call__``; not visible here).

    A truthy ``kwargs[self.share_param]`` that is not already a ``Share``
    is resolved with ``Share.get_by_slug_or_id``; the share's real path
    must then be accepted by the ``settings.DIRECTORY_WHITELIST`` check.
    A non-None ``kwargs[self.path_param]`` is passed to ``test_path`` and,
    when a share is present, the joined path must pass the same check.

    Raises:
        Exception: when the share root or the joined path is rejected by
            the whitelist check.
    """
    # Imported at call time rather than at module import.
    from bioshareX.models import Share

    target = kwargs.get(self.share_param)
    if target:
        if not isinstance(target, Share):
            # NOTE(review): nothing here catches a failed lookup, so an
            # unknown slug/ID propagates out of the wrapper as whatever
            # get_by_slug_or_id raises.
            target = Share.get_by_slug_or_id(target)
        root_ok = paths_contain(settings.DIRECTORY_WHITELIST,
                                target.get_realpath())
        if not root_ok:
            raise Exception(
                'Share has an invalid root path: %s' % target.get_realpath())

    requested = kwargs.get(self.path_param)
    if requested is not None:
        test_path(requested)
        if target:
            # NOTE(review): the joined path is built from get_path() and is
            # not resolved here, unlike the root check above which uses
            # get_realpath(). Whether paths_contain()/test_path() handle
            # '..' segments or symlinks is not visible - confirm.
            joined = os.path.join(target.get_path(), requested)
            if not paths_contain(settings.DIRECTORY_WHITELIST, joined):
                raise Exception(
                    'Illegal path encountered, %s, %s'
                    % (target.get_path(), requested))
    return f(*args, **kwargs)
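def _get_share(self, path):
    """Return the share addressed by the second component of *path*.

    *path* is split on ``os.path.sep`` and ``parts[1]`` is used as the key
    into ``self.shares``. When the key is missing and ``self.user.id`` is
    -1, the share is looked up with ``Share.get_by_slug_or_id`` and cached
    in ``self.shares`` under ``share.slug_or_id``.

    Raises:
        PermissionDenied: if *path* has fewer than two components, or no
            entry for the key exists in ``self.shares`` after the lookup.
    """
    parts = path.split(os.path.sep)
    if len(parts) < 2:
        print('bad length')
        raise PermissionDenied("Received an invalid path: %s" % path)
    share_key = parts[1]
    if share_key not in self.shares and self.user.id == -1:
        # Anonymous users don't yet have a dictionary of shares.
        # NOTE(review): no access check is made here before the share is
        # cached for the anonymous user; presumably the caller enforces
        # permissions on the returned share - confirm.
        try:
            share = Share.get_by_slug_or_id(share_key)
            # NOTE(review): cached under share.slug_or_id, but read back
            # under the path component; if the two differ the check below
            # still denies access.
            self.shares[share.slug_or_id] = share
        except Exception:
            # Best effort: a failed lookup falls through to the
            # PermissionDenied below. Narrowed from a bare except so that
            # KeyboardInterrupt/SystemExit are no longer swallowed.
            pass
    if share_key not in self.shares:
        print('no share exists')
        print(path)
        # Report the share component; the previous message indexed the
        # path string itself and printed a single character.
        raise PermissionDenied("Share does not exist: %s" % share_key)
    return self.shares[share_key]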
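def wrapped_f(*args, **kwargs):
    """Resolve the share and enforce ``self.perms`` before calling ``f``.

    ``self`` and ``f`` are free variables supplied by the enclosing scope
    (presumably a decorator object's ``__call__``; not visible here).
    ``args[0]`` is used as the request object.

    The share named by ``kwargs[self.share_param]`` is looked up and the
    resolved ``Share`` replaces the raw value in ``kwargs``. Each
    permission in ``self.perms`` must be present in
    ``share.get_user_permissions(request.user)``, except that
    'view_share_files' and 'download_share_files' are not required when
    ``share.secure`` is falsy.

    On the first missing permission the wrapper returns:
      * AJAX, unauthenticated  -> JsonResponse with HTTP 401
      * AJAX, authenticated    -> json_error([...])
      * other, unauthenticated -> redirect to the login URL with ``next``
      * other, authenticated   -> redirect('forbidden')
    """
    # Imported at call time rather than at module import.
    from bioshareX.models import Share

    # NOTE(review): a failed lookup is not caught here, so an unknown
    # slug/ID propagates out of the wrapper as whatever
    # get_by_slug_or_id raises.
    share = Share.get_by_slug_or_id(kwargs[self.share_param])
    kwargs[self.share_param] = share
    request = args[0]
    user_permissions = share.get_user_permissions(request.user)
    for perm in self.perms:
        # Non-secure shares do not require view/download permissions.
        if not share.secure and perm in ['view_share_files', 'download_share_files']:
            continue
        if perm not in user_permissions:
            if request.is_ajax():
                if not request.user.is_authenticated():
                    return JsonResponse(
                        {'status': 'error',
                         'unauthenticated': True,
                         'errors': ['You do not have access to this resource.']},
                        status=status.HTTP_401_UNAUTHORIZED)
                return json_error(['You do not have access to this resource.'])
            if not request.user.is_authenticated():
                # NOTE(review): get_full_path() is appended without further
                # encoding, so a query string containing '&' would be split
                # across parameters; confirm the login view validates
                # `next` before redirecting to it.
                url = reverse('login') + '?next=%s' % request.get_full_path()
                return redirect(url)
            return redirect('forbidden')
    return f(*args, **kwargs)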