Commit 9399b340 authored by Serge S. Koval's avatar Serge S. Koval

is_accessible_path fixes

parent d6d3ca14
...@@ -418,6 +418,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -418,6 +418,10 @@ class FileAdmin(BaseView, ActionsMixin):
# Get path and verify if it is valid # Get path and verify if it is valid
base_path, directory, path = self._normalize_path(path) base_path, directory, path = self._normalize_path(path)
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
# Get directory listing # Get directory listing
items = [] items = []
...@@ -431,8 +435,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -431,8 +435,10 @@ class FileAdmin(BaseView, ActionsMixin):
for f in os.listdir(directory): for f in os.listdir(directory):
fp = op.join(directory, f) fp = op.join(directory, f)
rel_path = op.join(path, f)
items.append((f, op.join(path, f), op.isdir(fp), op.getsize(fp))) if self.is_accessible_path(rel_path):
items.append((f, rel_path, op.isdir(fp), op.getsize(fp)))
# Sort by name # Sort by name
items.sort(key=itemgetter(0)) items.sort(key=itemgetter(0))
...@@ -475,6 +481,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -475,6 +481,10 @@ class FileAdmin(BaseView, ActionsMixin):
flash(gettext('File uploading is disabled.'), 'error') flash(gettext('File uploading is disabled.'), 'error')
return redirect(self._get_dir_url('.index', path)) return redirect(self._get_dir_url('.index', path))
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
form = UploadForm(self) form = UploadForm(self)
if helpers.validate_form_on_submit(form): if helpers.validate_form_on_submit(form):
filename = op.join(directory, filename = op.join(directory,
...@@ -511,6 +521,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -511,6 +521,10 @@ class FileAdmin(BaseView, ActionsMixin):
flash(gettext('Directory creation is disabled.'), 'error') flash(gettext('Directory creation is disabled.'), 'error')
return redirect(dir_url) return redirect(dir_url)
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
form = NameForm(helpers.get_form_data()) form = NameForm(helpers.get_form_data())
if helpers.validate_form_on_submit(form): if helpers.validate_form_on_submit(form):
...@@ -544,6 +558,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -544,6 +558,10 @@ class FileAdmin(BaseView, ActionsMixin):
flash(gettext('Deletion is disabled.')) flash(gettext('Deletion is disabled.'))
return redirect(return_url) return redirect(return_url)
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
if op.isdir(full_path): if op.isdir(full_path):
if not self.can_delete_dirs: if not self.can_delete_dirs:
flash(gettext('Directory deletion is disabled.')) flash(gettext('Directory deletion is disabled.'))
...@@ -583,6 +601,10 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -583,6 +601,10 @@ class FileAdmin(BaseView, ActionsMixin):
flash(gettext('Renaming is disabled.')) flash(gettext('Renaming is disabled.'))
return redirect(return_url) return redirect(return_url)
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
if not op.exists(full_path): if not op.exists(full_path):
flash(gettext('Path does not exist.')) flash(gettext('Path does not exist.'))
return redirect(return_url) return redirect(return_url)
...@@ -624,6 +646,11 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -624,6 +646,11 @@ class FileAdmin(BaseView, ActionsMixin):
path = path[0] path = path[0]
base_path, full_path, path = self._normalize_path(path) base_path, full_path, path = self._normalize_path(path)
if not self.is_accessible_path(path):
flash(gettext(gettext('Permission denied.')))
return redirect(self._get_dir_url('.index'))
dir_url = self._get_dir_url('.index', os.path.dirname(path)) dir_url = self._get_dir_url('.index', os.path.dirname(path))
next_url = next_url or dir_url next_url = next_url or dir_url
...@@ -677,14 +704,19 @@ class FileAdmin(BaseView, ActionsMixin): ...@@ -677,14 +704,19 @@ class FileAdmin(BaseView, ActionsMixin):
lazy_gettext('Delete'), lazy_gettext('Delete'),
lazy_gettext('Are you sure you want to delete these files?')) lazy_gettext('Are you sure you want to delete these files?'))
def action_delete(self, items): def action_delete(self, items):
if not self.can_delete:
flash(gettext('File deletion is disabled.'), 'error')
return
for path in items: for path in items:
base_path, full_path, path = self._normalize_path(path) base_path, full_path, path = self._normalize_path(path)
try: if self.is_accessible_path(path):
os.remove(full_path) try:
flash(gettext('File "%(name)s" was successfully deleted.', name=path)) os.remove(full_path)
except Exception as ex: flash(gettext('File "%(name)s" was successfully deleted.', name=path))
flash(gettext('Failed to delete file: %(name)s', name=ex), 'error') except Exception as ex:
flash(gettext('Failed to delete file: %(name)s', name=ex), 'error')
@action('edit', lazy_gettext('Edit')) @action('edit', lazy_gettext('Edit'))
def action_edit(self, items): def action_edit(self, items):
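Review bot: The new guard `flash(gettext(gettext('Permission denied.')))` (first hunk, repeated identically in the upload, mkdir, delete, rename and download hunks) wraps the message in gettext twice and, unlike the neighbouring `flash(gettext('File uploading is disabled.'), 'error')` calls in the same hunks, passes no category, so the denial renders as an ordinary message; each occurrence should read `flash(gettext('Permission denied.'), 'error')`. The same guards redirect to `self._get_dir_url('.index')` while the sibling checks just above them return to `return_url` / `dir_url`, which drops the user's current directory on a denied request; reusing the existing return URL where one is in scope would keep the behaviour consistent. In action_delete the new `if self.is_accessible_path(path):` silently skips inaccessible items with no flash at all, so a bulk delete that removed nothing gives no feedback; consider an `else` branch that flashes a denial for that path. Every method touched here starts outside its hunk, so the variables named above (`return_url`, `dir_url`) are assumed from the visible lines rather than confirmed.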