Esempio n. 1
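def stream_file(path_tail):
    """Stream the given file if authenticated and permitted.

    Arg path_tail is the path to the file, relative to the root that
    _catalog_root() returns for the session user's catalog (presumably a
    directory under config.FILE_ROOT -- confirm against _catalog_root).

    The request is refused unless the resolved target lies inside that
    root.  Containment is checked before any other filesystem probe so that
    the error text cannot be used to learn whether a path outside the root
    exists.

    Raise errors.InvalidRequestError if errors or malicious attempts are
    discovered.
    """
    catalog = auth.get_user_catalog(session['username'])
    croot = _catalog_root(catalog)
    # NOTE(review): path_tail is caller-supplied and is written to the log
    # verbatim; if it can carry line breaks, consider logging it with %r.
    log.info('%s (%s) is downloading %s' % (session['username'], catalog, path_tail))
    full = os.path.join(croot, path_tail)
    base = os.path.basename(full)

    # os.path.join() discards croot when path_tail is absolute, and a
    # symlink inside the root can point anywhere, so a textual '..' test on
    # path_tail is not enough.  Compare the fully resolved paths instead.
    root_real = os.path.realpath(croot)
    full_real = os.path.realpath(full)
    root_prefix = root_real.rstrip(os.sep) + os.sep

    # validate before sending
    error_msg = None
    if '..' in path_tail or not full_real.startswith(root_prefix):
        # The '..' test is kept from the original so that names it used to
        # reject are still rejected; the prefix test is the real guard.
        error_msg = 'request not allowed'
    elif not os.path.exists(full_real):
        error_msg = 'file not found'
    elif not os.path.isfile(full_real):
        error_msg = 'request not a file'

    if error_msg:
        log.warn('%s encountered error "%s"' % (session['username'], error_msg))
        raise InvalidRequestError(error_msg)

    # Serve the path that was validated, under the name that was requested.
    return send_file(full_real, attachment_filename=base, as_attachment=True)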
Esempio n. 2
def listdir(subdir=''):
    """Return the file entries of the user's catalog root or a subdirectory.

    The catalog is looked up for session['username'] and mapped to a root
    directory by _catalog_root(); entries whose pathtype is not 'file' are
    dropped from the result.

    NOTE(review): subdir is handed to Directory.listing() without any check
    in this function -- confirm that listing() confines it to the catalog
    root (no '..' segments, no absolute paths).
    """
    user = session['username']
    catalog = auth.get_user_catalog(user)
    croot = _catalog_root(catalog)
    log.debug('%s (%s) is listing /%s' % (user, catalog, subdir))

    files_only = []
    for entry in Directory(croot).listing(subdir):
        if entry.pathtype == 'file':
            files_only.append(entry)
    return files_only