From 75332c148dec4786f36f72d5d31b01d77e1ec1fb Mon Sep 17 00:00:00 2001
From: Jocelyn Fiat <git@djoce.net>
Date: Wed, 17 Feb 2016 12:24:58 +0100
Subject: [PATCH] Added protection/permissions.

---
 modules/files/cms_files_module.e | 56 ++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 18 deletions(-)

diff --git a/modules/files/cms_files_module.e b/modules/files/cms_files_module.e
index b2a1c46..89d8f21 100644
--- a/modules/files/cms_files_module.e
+++ b/modules/files/cms_files_module.e
@@ -43,10 +43,15 @@ feature -- Access
 			-- List of permission ids, used by this module, and declared.
 		do
 			Result := Precursor
-			Result.force ("admin files")
-			Result.force ("upload files")
+			Result.force (admin_files_permission)
+			Result.force (upload_files_permission)
+			Result.force (browse_files_permission)
 		end
 
+	admin_files_permission: STRING = "admin files"
+	upload_files_permission: STRING = "upload files"
+	browse_files_permission: STRING = "browse files"
+
 feature {CMS_API} -- Module Initialization
 
 	initialize (api: CMS_API)
@@ -92,7 +97,7 @@ feature -- Access: router
 		do
 			map_uri_template_agent (a_router, "/" + uploads_location, agent execute_upload (?, ?, a_api), Void) -- Accepts any method GET, HEAD, POST, PUT, DELETE, ...
 			map_uri_template_agent (a_router, "/" + uploads_location + "{filename}", agent display_uploaded_file_info (?, ?, a_api), a_router.methods_get)
-			map_uri_template_agent (a_router, "/" + uploads_location + "remove/{filename}", agent remove (?, ?, a_api), a_router.methods_get)
+			map_uri_template_agent (a_router, "/" + uploads_location + "remove/{filename}", agent remove_file (?, ?, a_api), a_router.methods_get)
 		end
 
 	uploads_location: STRING = "upload/"
@@ -109,7 +114,7 @@ feature -- Hooks
 			link: CMS_LOCAL_LINK
 		do
 			-- login in demo did somehow not work
-			if a_response.has_permission ("upload files") then
+			if a_response.has_permission (upload_files_permission) then
 				create link.make ("Upload files", uploads_location)
 				a_menu_system.navigation_menu.extend (link)
 			end
@@ -133,13 +138,17 @@ feature -- Handler
 			fn: READABLE_STRING_32
 		do
 			check req.is_get_request_method end
-			create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
+			if not api.has_permission (browse_files_permission) then
+				create {FORBIDDEN_ERROR_CMS_RESPONSE} r.make (req, res, api)
+				r.add_error_message ("You are not allowed to browse CMS files!")
+			elseif attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
+				create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
 
-				-- add style
-			r.add_style (r.url ("/module/" + name + "/files/css/files.css", Void), Void)
+					-- add style
+				r.add_style (r.url ("/module/" + name + "/files/css/files.css", Void), Void)
+
+				create body.make_empty
 
-			create body.make_empty
-			if attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
 				fn := p_filename.value
 				r.set_page_title ({STRING_32} "File %"" + fn + {STRING_32} "%"")
 				body.append ("<div class=%"uploaded-files%">%N") -- To ease css customization.
@@ -207,9 +216,13 @@ feature -- Handler
 					body.append ("</div>%N") -- Overview
 				end
 				body.append ("</div>%N")
+
+				r.add_to_primary_tabs (create {CMS_LOCAL_LINK}.make ("Uploaded files", uploads_location))
+				r.set_main_content (body)
+			else
+				create {BAD_REQUEST_ERROR_CMS_RESPONSE} r.make (req, res, api)
+				r.set_main_content ("Missing 'filename' field value!")
 			end
-			r.add_to_primary_tabs (create {CMS_LOCAL_LINK}.make ("Uploaded files", uploads_location))
-			r.set_main_content (body)
 			r.execute
 		end
 
@@ -231,7 +244,7 @@ feature -- Handler
 				r.add_javascript_url (r.url ("/module/" + name + "/files/js/dropzone.js", void))
 				r.add_style (r.url ("/module/" + name + "/files/js/dropzone.css", void), void)
 
-				if r.has_permission ("upload files") then
+				if api.has_permission (upload_files_permission) then
 						-- create body
 					body.append ("<p>Please choose some file(s) to upload.</p>")
 
@@ -249,8 +262,11 @@ feature -- Handler
 				end
 
 					-- Build the response.
-
-				append_uploaded_file_album_to (req, api, body)
+				if r.has_permission (browse_files_permission) then
+					append_uploaded_file_album_to (req, api, body)
+				else
+					r.add_warning_message ("You are not allowed to browse files!")
+				end
 
 				r.set_main_content (body)
 			else
@@ -260,7 +276,9 @@ feature -- Handler
 		end
 
 	process_uploaded_files (req: WSF_REQUEST; api: CMS_API; a_output: STRING)
-			-- show all newly uploaded files
+			-- Process http request uploaded files.
+		require
+			has_permission: api.has_permission (upload_files_permission)
 		local
 			l_uploaded_file: CMS_UPLOADED_FILE
 			uf: WSF_UPLOADED_FILE
@@ -406,15 +424,17 @@ feature -- Handler
 			end
 		end
 
-	remove (req: WSF_REQUEST; res: WSF_RESPONSE; api: CMS_API)
+	remove_file (req: WSF_REQUEST; res: WSF_RESPONSE; api: CMS_API)
 		local
 			body: STRING
 			r: CMS_RESPONSE
 			err: BOOLEAN
 		do
-
 			if attached files_api as l_files_api then
-				if attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
+				if not api.has_permission (admin_files_permission) then
+					create {FORBIDDEN_ERROR_CMS_RESPONSE} r.make (req, res, api)
+					r.add_error_message ("You are not allowed to remove file!")
+				elseif attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
 					create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
 
 					l_files_api.delete_file (p_filename.value)