fix: 修复 private storage permission

jumpserver · Sep 11, 2023 · 0a58bba · 0a58bba
1 parent c5102e5
commit 0a58bba
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
@@ -12,7 +12,7 @@
 from orgs.utils import tmp_to_root_org
 
 
-class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
+class IsValidUser(permissions.IsAuthenticated):
     """Allows access to valid user, is active and not expired"""
 
     def has_permission(self, request, view):

diff --git a/apps/jumpserver/rewriting/storage/permissions.py b/apps/jumpserver/rewriting/storage/permissions.py
@@ -16,6 +16,8 @@ def allow_access(private_file):
     path_base = path_list[1] if len(path_list) > 1 else None
     path_perm = path_perms_map.get(path_base, None)
 
+    if ".." in request_path:
+        return False
     if not path_perm:
         return False
     if path_perm == '*' or request.user.has_perms([path_perm]):

diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
@@ -1,13 +1,15 @@
 from rest_framework import permissions
+
 from common.utils import get_logger
 
 logger = get_logger(__file__)
 
-
 __all__ = ['IsSessionAssignee']
 
 
-class IsSessionAssignee(permissions.BasePermission):
+class IsSessionAssignee(permissions.IsAuthenticated):
+    def has_permission(self, request, view):
+        return False
 
     def has_object_permission(self, request, view, obj):
         try:

diff --git a/apps/tickets/permissions/ticket.py b/apps/tickets/permissions/ticket.py
@@ -1,12 +1,12 @@
 from rest_framework import permissions
 
 
-class IsAssignee(permissions.BasePermission):
+class IsAssignee(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         return obj.has_current_assignee(request.user)
 
 
-class IsApplicant(permissions.BasePermission):
+class IsApplicant(permissions.IsAuthenticated):
 
     def has_object_permission(self, request, view, obj):
         return obj.applicant == request.user
diff --git a/apps/users/permissions.py b/apps/users/permissions.py
@@ -1,6 +1,5 @@
 from rest_framework import permissions
 
-from rbac.builtin import BuiltinRole
 from .utils import is_auth_password_time_valid
 
 
@@ -11,7 +10,7 @@ def has_permission(self, request, view):
             and is_auth_password_time_valid(request.session)
 
 
-class UserObjectPermission(permissions.BasePermission):
+class UserObjectPermission(permissions.IsAuthenticated):
 
     def has_object_permission(self, request, view, obj):
         if view.action not in ['update', 'partial_update', 'destroy']: