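def do_claim_attachments(message: Message, potential_path_ids: List[str]) -> bool:
    """Link every upload referenced in ``message`` to it, if the sender may share it.

    Each ``path_id`` in ``potential_path_ids`` is checked with
    ``validate_attachment_request`` against the message's *sender*. Paths the
    sender is not allowed to share, or that do not resolve to an upload, are
    logged and skipped; every other path is claimed for the message via
    ``claim_attachment`` and an "update" attachment event is sent.

    Args:
        message: The message being sent. Its sender is the user whose access
            to each upload is checked, and its recipient decides how public
            the claimed attachments become.
        potential_path_ids: Candidate upload path_ids extracted from the
            message body.

    Returns:
        True if at least one path_id was claimed, False otherwise (including
        when ``potential_path_ids`` is empty).
    """
    if not potential_path_ids:
        return False

    # Everything below depends only on the message, not on the individual
    # path_id, so it is computed once rather than once per path (the Stream
    # lookup is a database query). This assumes claim_attachment does not
    # alter the message's sender or recipient while the loop runs.
    user_profile = message.sender
    # Non-stream messages are never realm- or web-public: the defaults fail
    # closed and are only relaxed for stream messages below.
    is_message_realm_public = False
    is_message_web_public = False
    if message.is_stream_message():
        stream = Stream.objects.get(id=message.recipient.type_id)
        is_message_realm_public = stream.is_public()
        is_message_web_public = stream.is_web_public

    claimed = False
    for path_id in potential_path_ids:
        if not validate_attachment_request(user_profile, path_id):
            # Two cases collapse into this branch:
            # * The message contains something shaped like an upload URL
            #   that does not correspond to an existing file;
            #   validate_attachment_request returns None.
            # * The sender is linking a file they themselves are not
            #   permitted to access; validate_attachment_request returns
            #   False.
            # Either is unusual and points at a UI bug that got the user
            # here, so both are logged. Neither case grants anything: the
            # path is simply not claimed for this message.
            logging.warning(
                "User %s tried to share upload %s in message %s, but lacks permission",
                user_profile.id,
                path_id,
                message.id,
            )
            continue
        claimed = True
        attachment = claim_attachment(
            user_profile, path_id, message, is_message_realm_public, is_message_web_public
        )
        notify_attachment_update(user_profile, "update", attachment.to_dict())
    return claimed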
def validate_thumbnail_request(user_profile: UserProfile, path: str) -> Optional[bool]:
    """Decide whether ``user_profile`` may have ``path`` thumbnailed.

    ``path`` is taken from the thumbnail endpoint's URL (see urls.py), which
    is why it carries no leading slash. Only the ``user_uploads/`` prefix
    routes a path into the upload access check; anything else — including a
    path that *would* be an upload but arrives with a leading slash — falls
    through to the "external link" branch, so the caller must keep supplying
    the path in the expected form.

    Returns:
        For a path under ``user_uploads/``, whatever
        ``validate_attachment_request`` says about the upload's path_id:
        True (allowed), False (forbidden) or None (no such upload).
        For any other path, treated as an external link, always True: the
        restricted-view policy is deliberately not enforced here, so any
        policy for external URLs has to live in the caller or fetching layer.
    """
    uploads_prefix = 'user_uploads/'
    if not path.startswith(uploads_prefix):
        # External link: no restricted-view policy is applied here.
        return True
    upload_path_id = path[len(uploads_prefix):]
    return validate_attachment_request(user_profile, upload_path_id)
def serve_file_backend(request: HttpRequest, user_profile: UserProfile, realm_id_str: str, filename: str) -> HttpResponse:
    """Serve an uploaded file to ``user_profile`` after an authorization check.

    The upload is identified by its path_id ``"<realm_id_str>/<filename>"``,
    both parts coming from the URL. ``validate_attachment_request`` decides
    access: None means no such upload (404), False means the user may not
    view it (403), anything truthy lets the file be served — from local disk
    when ``settings.LOCAL_UPLOADS_DIR`` is set, otherwise from S3.

    NOTE(review): the 404/403 split tells a caller *without* access whether a
    given path_id exists. That is only acceptable while path_ids are
    unguessable — confirm against the upload naming scheme. The on-disk /
    S3 location is derived from path_id inside serve_local / serve_s3, so any
    path sanitization has to happen there, not here.
    """
    path_id = "%s/%s" % (realm_id_str, filename)
    authorization = validate_attachment_request(user_profile, path_id)
    if authorization is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if not authorization:
        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
    # Storage backend is chosen purely by configuration.
    use_local_storage = settings.LOCAL_UPLOADS_DIR is not None
    backend = serve_local if use_local_storage else serve_s3
    return backend(request, path_id)
def serve_file_backend(request, user_profile, realm_id_str, filename):
    # type: (HttpRequest, UserProfile, str, str) -> HttpResponse
    """Serve an uploaded file to ``user_profile`` after an authorization check.

    The upload's path_id is ``"<realm_id_str>/<filename>"``, both parts taken
    from the URL. ``validate_attachment_request`` returns None when there is
    no such upload (answered with 404), False when the user may not view it
    (403), and a truthy value when it may be served. The file is then read
    from local disk if ``settings.LOCAL_UPLOADS_DIR`` is configured and from
    S3 otherwise.

    NOTE(review): answering 404 vs 403 reveals to a user without access
    whether a path_id exists; fine only if path_ids are unguessable —
    confirm. Mapping path_id to a storage location (and any traversal
    protection) is the job of serve_local / serve_s3.
    """
    path_id = "%s/%s" % (realm_id_str, filename)
    verdict = validate_attachment_request(user_profile, path_id)
    if verdict is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if verdict:
        if settings.LOCAL_UPLOADS_DIR is not None:
            return serve_local(request, path_id)
        return serve_s3(request, path_id)
    return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
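def serve_file(request: HttpRequest, user_profile: UserProfile, realm_id_str: str, filename: str, url_only: bool=False) -> HttpResponse:
    """Serve (or hand out a URL for) an upload after an authorization check.

    Args:
        request: The incoming HTTP request.
        user_profile: The user asking for the file; access is checked for
            this user via ``validate_attachment_request``.
        realm_id_str: Realm id component of the upload's path_id, from the
            URL.
        filename: Filename component of the upload's path_id, from the URL.
        url_only: Passed through to the storage backend; when set, the
            backend returns a URL for the file instead of its contents.

    Returns:
        404 when ``validate_attachment_request`` returns None (no such
        upload), 403 when it returns False (user may not view it), otherwise
        the response produced by serve_local (if
        ``settings.LOCAL_UPLOADS_DIR`` is set) or serve_s3.

    NOTE(review): the 404/403 split discloses whether a path_id exists to a
    user without access; acceptable only while path_ids are unguessable —
    confirm. Path-to-storage resolution (and any traversal protection)
    lives in serve_local / serve_s3.
    """
    # path_id must be "<realm_id>/<filename>" — the key that
    # validate_attachment_request, serve_local and serve_s3 all operate on.
    # The previous f-string dropped ``filename`` and built a fixed
    # "<realm_id>/(unknown)" string, which cannot identify the requested file.
    path_id = f"{realm_id_str}/{filename}"
    is_authorized = validate_attachment_request(user_profile, path_id)
    if is_authorized is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if not is_authorized:
        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
    if settings.LOCAL_UPLOADS_DIR is not None:
        return serve_local(request, path_id, url_only)
    return serve_s3(request, path_id, url_only)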
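def serve_file(
    request: HttpRequest,
    maybe_user_profile: Union[UserProfile, AnonymousUser],
    realm_id_str: str,
    filename: str,
    url_only: bool = False,
    download: bool = False,
) -> HttpResponse:
    """Serve (or hand out a URL for) an upload after an authorization check.

    Unlike earlier versions, the requester may be an ``AnonymousUser``; the
    realm is resolved from the request and both are handed to
    ``validate_attachment_request``, which owns the actual access decision.

    Args:
        request: The incoming HTTP request; also used to resolve the realm.
        maybe_user_profile: The requesting user, or an AnonymousUser for
            unauthenticated requests.
        realm_id_str: Realm id component of the upload's path_id, from the
            URL.
        filename: Filename component of the upload's path_id, from the URL.
        url_only: Passed through to the storage backend; when set, it
            returns a URL for the file instead of its contents.
        download: Passed through to the storage backend (attachment-style
            download rather than inline display — behaviour is defined by
            serve_local / serve_s3).

    Returns:
        404 when ``validate_attachment_request`` returns None (no such
        upload), 403 when it returns False (not permitted), otherwise the
        response from serve_local (if ``settings.LOCAL_UPLOADS_DIR`` is set)
        or serve_s3.

    NOTE(review): because anonymous callers reach this code, the 404/403
    split lets an unauthenticated client learn whether a path_id exists.
    That is acceptable only while path_ids are unguessable — confirm.
    Path-to-storage resolution (and any traversal protection) lives in
    serve_local / serve_s3.
    """
    # path_id must be "<realm_id>/<filename>" — the key that
    # validate_attachment_request, serve_local and serve_s3 all operate on.
    # The previous f-string dropped ``filename`` and built a fixed
    # "<realm_id>/(unknown)" string, which cannot identify the requested file.
    path_id = f"{realm_id_str}/{filename}"
    realm = get_valid_realm_from_request(request)
    is_authorized = validate_attachment_request(maybe_user_profile, path_id, realm)
    if is_authorized is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if not is_authorized:
        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
    if settings.LOCAL_UPLOADS_DIR is not None:
        return serve_local(request, path_id, url_only, download=download)
    return serve_s3(request, path_id, url_only, download=download)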