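def stream_file(path_tail):
    """Stream a file from the current user's catalog root as an attachment.

    Arg path_tail is the requested path; it is joined onto the directory
    returned by _catalog_root() for the catalog of session['username'].

    The request is validated before the filesystem is probed, so a caller
    cannot use the differing error messages to learn whether a path outside
    the catalog root exists. A request is refused when path_tail contains
    '..' or a NUL byte, or when the resolved path (symlinks followed) is not
    inside the catalog root. The containment test also covers an absolute
    path_tail, which os.path.join() would otherwise let replace the root.

    Raise InvalidRequestError if the request is not allowed, the file does
    not exist, or the target is not a regular file.
    """
    # NOTE(review): no authentication check is visible in this function; it
    # presumably runs behind a login guard -- confirm at the route definition.
    username = session['username']
    catalog = auth.get_user_catalog(username)
    croot = _catalog_root(catalog)
    # NOTE(review): path_tail is request-controlled and logged verbatim;
    # confirm the log handler neutralises CR/LF so entries cannot be forged.
    log.info('%s (%s) is downloading %s' % (username, catalog, path_tail))

    full = os.path.join(croot, path_tail)
    base = os.path.basename(full)

    error_msg = None
    if '..' in path_tail or '\x00' in path_tail:
        # Checked first and without touching the filesystem.
        error_msg = 'request not allowed'
    else:
        # Resolve symlinks on both sides and require the target to sit under
        # the catalog root. The trailing separator stops a sibling directory
        # such as "<root>-other" from passing a bare prefix comparison.
        root = os.path.realpath(croot)
        resolved = os.path.realpath(full)
        prefix = root.rstrip(os.sep) + os.sep
        if resolved != root and not resolved.startswith(prefix):
            error_msg = 'request not allowed'
        elif not os.path.exists(resolved):
            error_msg = 'file not found'
        elif not os.path.isfile(resolved):
            error_msg = 'request not a file'

    if error_msg:
        log.warn('%s encountered error "%s"' % (username, error_msg))
        raise InvalidRequestError(error_msg)

    # Serve the path that was validated, under the originally requested name.
    return send_file(resolved, attachment_filename=base, as_attachment=True)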
def listdir(subdir=''):
    """Return the file entries of the current user's catalog root.

    The listing is taken from Directory(<catalog root>).listing(subdir) and
    filtered to entries whose pathtype is 'file'; subdir defaults to the
    empty string.
    """
    user_catalog = auth.get_user_catalog(session['username'])
    catalog_dir = _catalog_root(user_catalog)
    log.debug('%s (%s) is listing /%s' % (session['username'], user_catalog, subdir))

    # NOTE(review): subdir is handed to Directory.listing() without any check
    # here; confirm that Directory confines it to the catalog root.
    files_only = []
    for entry in Directory(catalog_dir).listing(subdir):
        if entry.pathtype == 'file':
            files_only.append(entry)
    return files_only