fix: respect upload and directory listing permissions #1352
…r`, `add_file` permissions
Codecov Report

```diff
@@            Coverage Diff             @@
##           master    #1352      +/-   ##
==========================================
- Coverage   72.39%   72.35%   -0.05%
==========================================
  Files          72       72
  Lines        3268     3277       +9
  Branches      532      534       +2
==========================================
+ Hits         2366     2371       +5
- Misses        735      739       +4
  Partials      167      167
```
tests/test_admin.py (outdated)

```python
            'Filedata': file_obj,
            'jsessionid': self.client.session.session_key
        }
        response = self.client.post(url, post_data, **extra_headers)  # noqa
```

Code scanning / CodeQL notice: Unused local variable (`response`)

```python
            'admin:filer-ajax_upload',
            kwargs={'folder_id': folder.pk}
        ) + '?filename=%s' % self.image_name
        response = self.client.post(  # noqa
```

Code scanning / CodeQL notice: Unused local variable (`response`)
Commits:

* fix: respect `can_use_directory_listing`, `change_folder`, `add_folder`, `add_file` permissions
* Update tests
* fix flake8 error
* Close files in tests
* Add test for has_... permissions of File and Folder class
* Remove unused variables from tests
* Remove unnecessary noqa
Description

This PR fixes a security issue: A staff user without any permissions

Thanks to Akshar Tank for reporting this issue.

Fix

This fix enforces the following permissions:

* `can_use_directory_listing`
* `change_folder`
* `add_folder`
* `add_file` (also for drag&drop upload)

Desired side effects

* `add_file` to upload files
* `can_use_directory_listing` to browse the filer folders

Related resources
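As an added illustration of the gate the description above asks for (this is not code from the PR or from django-filer), the following models an admin upload and directory-listing view before and after the fix. The `User` and `Folder` stand-ins, the `has_add_children_permission` rule, the `ajax_upload`, `dragdrop_upload` and `directory_listing` functions and the sample users and folders are all assumptions made for the example, not filer's API; only the permission codenames (`filer.add_file`, `filer.change_folder`, `filer.can_use_directory_listing`) come from the PR.

```python
# Added illustration, not django-filer's code. Models the point of the PR:
# is_staff alone must not grant upload or directory listing; the model
# permission and the folder-level permission both have to hold, and every
# upload entry point (classic and drag&drop) must go through one gate.
# Assumptions (stand-ins, not filer's API): User.has_perm(codename) as in
# Django; Folder.has_add_children_permission(user) as a folder-level check.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass(frozen=True)
class User:
    username: str
    is_staff: bool = False
    perms: FrozenSet[str] = frozenset()

    def has_perm(self, codename: str) -> bool:
        # Django-style model permission lookup, e.g. "filer.add_file".
        return codename in self.perms


@dataclass
class Folder:
    name: str
    owner: str
    files: List[str]

    def has_add_children_permission(self, user: User) -> bool:
        # Folder-level rule (assumption for the example): the owner, or anyone
        # holding change_folder, may add files or subfolders here.
        return user.username == self.owner or user.has_perm("filer.change_folder")


# Before the fix, as the PR describes it: is_staff is the only gate.
def ajax_upload_before(user: User, folder: Folder, filename: str) -> str:
    if not user.is_staff:
        raise PermissionDenied("staff only")
    folder.files.append(filename)
    return filename


# After the fix: one shared gate for every upload entry point, so the
# drag&drop path cannot drift from the classic one.
def _require_upload(user: User, folder: Folder) -> None:
    if not user.is_staff:
        raise PermissionDenied("staff only")
    if not user.has_perm("filer.add_file"):
        raise PermissionDenied("missing filer.add_file")
    if not folder.has_add_children_permission(user):
        raise PermissionDenied(f"no add permission on folder {folder.name!r}")


def ajax_upload(user: User, folder: Folder, filename: str) -> str:
    _require_upload(user, folder)
    folder.files.append(filename)
    return filename


def dragdrop_upload(user: User, folder: Folder, filename: str) -> str:
    _require_upload(user, folder)  # the same check, not a copy of it
    folder.files.append(filename)
    return filename


def directory_listing(user: User, folder: Folder) -> List[str]:
    if not (user.is_staff and user.has_perm("filer.can_use_directory_listing")):
        raise PermissionDenied("missing filer.can_use_directory_listing")
    return list(folder.files)


def outcome(view: Callable, *args) -> str:
    """Run a view and report 'allowed' or 'denied' instead of raising."""
    try:
        view(*args)
        return "allowed"
    except PermissionDenied:
        return "denied"


def demo() -> Dict[str, str]:
    """Constructed sample data: a staff user with no permissions versus a
    staff user granted the two permissions the PR names."""
    shared = Folder("shared", owner="alice", files=["report.pdf"])
    own = Folder("bobs-folder", owner="bob", files=[])
    nobody = User("intern", is_staff=True)  # staff, but no permissions at all
    uploader = User("bob", is_staff=True,
                    perms=frozenset({"filer.add_file",
                                     "filer.can_use_directory_listing"}))
    return {
        "nobody/upload_before": outcome(ajax_upload_before, nobody, shared, "x.png"),
        "nobody/upload": outcome(ajax_upload, nobody, shared, "x.png"),
        "nobody/dragdrop": outcome(dragdrop_upload, nobody, shared, "x.png"),
        "nobody/listing": outcome(directory_listing, nobody, shared),
        "uploader/listing": outcome(directory_listing, uploader, shared),
        "uploader/upload_shared": outcome(ajax_upload, uploader, shared, "y.png"),
        "uploader/upload_own": outcome(dragdrop_upload, uploader, own, "y.png"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The `uploader/upload_shared` case is the one worth keeping in a regression test: holding `filer.add_file` is necessary but not sufficient, because the folder-level check still denies a user who neither owns the folder nor holds `change_folder`.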