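def test_protect_path(aaa):
    """Check that protect_path() keeps a requested path inside a permitted area.

    A relative path must resolve under the current user's "files" area by
    default and under the "config" area when that area is requested. An
    absolute path must be refused instead of being resolved.
    """
    t.root_dir = "/tmp/test/files"
    # NOTE(review): the username literal below looks masked, while the expected
    # paths are built with "usertest" -- confirm the value the fixture needs.
    aaa.current_user.username = "******"

    val = t.protect_path("some/rel/path")
    # `assert (condition, message)` asserts a non-empty tuple, which is always
    # truthy, so the check could never fail. The message has to follow the
    # condition after a comma, outside any enclosing parentheses.
    expected_files = path.join(
        t.root_dir, "usertest", "files", "some/rel/path")
    assert val == expected_files, "We should get ..."

    val = t.protect_path("some/rel/path", "config")
    assert val == path.join(t.root_dir, "usertest", "config", "some/rel/path")

    # The absolute path is the escape case. The refusal is recorded and then
    # asserted outside the try block: with a bare `except: pass` around the
    # assertion, a failing assertion would have been swallowed too.
    try:
        t.protect_path("/some/rel/path", "config")
    except Exception:
        rejected = True
    else:
        rejected = False
    assert rejected, ("We shouldn't be allowed to access an "
                      "absolute path outside of permitted scope")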
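def _delete_shared_path(path='.'):
    """Delete the configuration entries of a shared path and relist its folder.

    The last component of ``path`` is taken as the share uid and the rest as
    the folder that holds it. Two locations are removed, both resolved through
    protect_path() with the 'config' area: the one for ``path`` and the one
    for the bare uid.

    A path that protect_path() refuses is answered with 403, as list_path()
    does; a failure while deleting or relisting is answered with 404.

    Returns whatever relist_parent_folder() returns for the containing folder.
    """
    uid = basename(path)
    folder = dirname(path)
    try:
        abs_folder_path = protect_path(folder)
        config_folder_path = protect_path(path, 'config')
        # NOTE(review): the original description says this step removes
        # .../user/shares/<uid>, but the uid is resolved in the 'config' area.
        # Confirm the record under the shares area is removed somewhere;
        # otherwise a share may remain usable after it was "deleted".
        config_uid_path = protect_path(uid, 'config')
    except IOError:
        # A refused path is an authorization failure, not a server error.
        abort(403, PATH_ERROR)
    try:
        delete_path(config_folder_path)
        delete_path(config_uid_path)
        return relist_parent_folder(abs_folder_path)
    except OSError:
        abort(404)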
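def api_delete_path(path='.'):
    """Delete a path inside the permitted area and relist its parent folder.

    The requested path is resolved through protect_path() before anything is
    removed. A path that protect_path() refuses is answered with 403, as
    list_path() does; a failure while deleting or relisting is answered
    with 404.

    Returns whatever relist_parent_folder() returns for the deleted path.
    """
    try:
        real_path = protect_path(path)
    except IOError:
        # Without this handler a refused path surfaces as an unhandled
        # exception instead of an authorization error.
        abort(403, PATH_ERROR)
    # NOTE(review): ``path`` defaults to '.', which presumably resolves to the
    # top of the user's area -- confirm the route cannot reach this delete
    # with the default value.
    try:
        delete_path(real_path)
        return relist_parent_folder(real_path)
    except OSError:
        abort(404)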
def list_path(path='.'):
    """List the content of a path, provided the path is permitted.

    The path is resolved through protect_path(); an IOError from it is
    answered with 403 and PATH_ERROR. When the request carries
    ``format=zip`` the resolved path is first passed to archive_path() and
    the archive is listed instead.

    Returns whatever list_dir() returns for the chosen target.
    """
    try:
        real_path = protect_path(path)
    except IOError:
        abort(403, PATH_ERROR)

    wanted_format = request.GET.get('format', 'raw').strip()
    if wanted_format != 'zip':
        return list_dir(real_path)

    print('got zip')
    return list_dir(archive_path(real_path))
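def create(path='.'):
    """Create a folder, and store uploaded files in it when type is "file".

    The requested path is resolved through protect_path() and then created
    with create_path() whatever the posted ``type`` is. For type "file" every
    entry of request.files is saved into the resolved path. Any other type
    only creates the path.

    A path that protect_path() refuses is answered with 403, as list_path()
    does.

    Returns ``{'status': 'ok'}``.
    """
    try:
        real_path = protect_path(path)
    except IOError:
        # A refused path is an authorization failure, not a server error.
        abort(403, PATH_ERROR)
    file_type = post_get('type')
    # NOTE(review): any non-empty posted value enables overwriting, presumably
    # including the strings "false" and "0" -- confirm what clients send.
    overwrite = post_get('overwrite') or False
    uploads = request.files
    # The name-collision check below is disabled in the original code.
    # if not validate_path(path):
    #     abort(403, "You cannot create a sub-folder or a file with "
    #           "the same name as it's parent's 'sharing' name"
    #           "{}".format(basename(path)))
    create_path(real_path)
    if file_type == "file":
        for f in uploads:
            # save() receives the directory, so the stored file name is chosen
            # by the upload object -- TODO confirm it is sanitised there.
            uploads.get(f).save(real_path, overwrite=overwrite)
    return {'status': 'ok'}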
def share(path="."):
    """Share a file or a folder.

    Reads the posted ``reuse``, ``public`` and ``users`` values, resolves
    ``path`` through protect_path(), and records the share in two places with
    configure(): under the user's config path, keyed by the path relative to
    permitted_files_path(), and under the user's shares path.

    When ``reuse`` is given, the path stored for that sharing id must equal
    the relative path being shared, otherwise the request is answered with
    400. Without ``reuse`` a new id is taken from create_random_folder().

    Returns whatever relist_parent_folder() returns for the resolved path.

    NOTE(review): the block nesting below was reconstructed from a flattened
    listing; the ``else`` is assumed to pair with ``if reuse is not None``.
    """
    # An empty or missing 'reuse' value is normalised to None.
    reuse = post_get('reuse') or None
    # NOTE(review): 'public' and 'users' are stored below exactly as
    # post_get() returned them; no validation is visible here.
    public = post_get('public')
    users = post_get('users')
    # .../user/config
    path_config = permitted_config_path()
    # .../user/shares
    uidshares_config = permitted_shares_path()
    # /.../user/files/....
    # NOTE(review): list_path() treats an IOError from protect_path() as a
    # refused path and answers 403; here the call sits outside the try block,
    # so a refusal would not be turned into 403 -- confirm this is intended.
    real_path = protect_path(path)
    try:
        # /.../user/files
        # get relative path, to use in configuration path
        rel_shared_path = relpath(real_path, permitted_files_path())
    except IOError:
        abort(403, PATH_ERROR)
    if reuse is not None:
        try:
            shared_path = get_config(reuse, 'path', 'shares')
        except IOError:
            abort(400, "This sharing ID is invalid")
        # The existing id may only be reused for the path it already points to.
        # NOTE(review): the value written under 'path' below is real_path,
        # while this comparison uses the relative path -- verify that
        # get_config() returns something comparable.
        if shared_path != rel_shared_path:
            abort(400, "This sharing ID is invalid")
    else:
        uid, uid_path = create_random_folder()
    # NOTE(review): with the nesting assumed above, uid and uid_path are only
    # assigned in the else branch, so the reuse branch would reach the lines
    # below with uid_path unbound (UnboundLocalError) -- confirm.
    # create .../user/config/rel/path/UID
    # The prints below write the sharing id and resolved paths to stdout.
    print('uid {} Uid_path {}'.format(reuse or uid, uid_path))
    print('*' * 80)
    print((uidshares_config, rel_shared_path, reuse or uid, rel_shared_path))
    print('*' * 80)
    configure(
        path_config, rel_shared_path, reuse or uid, rel_shared_path)
    # configure .../user/shares/UID/
    configure(uidshares_config, uid_path, 'path', real_path)
    configure(uidshares_config, uid_path, 'public', public)
    configure(uidshares_config, uid_path, 'users', users)
    return relist_parent_folder(real_path)