Added protection/permissions.
@@ -43,10 +43,15 @@ feature -- Access
|
|||||||
-- List of permission ids, used by this module, and declared.
|
-- List of permission ids, used by this module, and declared.
|
||||||
do
|
do
|
||||||
Result := Precursor
|
Result := Precursor
|
||||||
Result.force ("admin files")
|
Result.force (admin_files_permission)
|
||||||
Result.force ("upload files")
|
Result.force (upload_files_permission)
|
||||||
|
Result.force (browse_files_permission)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
admin_files_permission: STRING = "admin files"
|
||||||
|
upload_files_permission: STRING = "upload files"
|
||||||
|
browse_files_permission: STRING = "browse files"
|
||||||
|
|
||||||
feature {CMS_API} -- Module Initialization
|
feature {CMS_API} -- Module Initialization
|
||||||
|
|
||||||
initialize (api: CMS_API)
|
initialize (api: CMS_API)
|
||||||
@@ -92,7 +97,7 @@ feature -- Access: router
|
|||||||
do
|
do
|
||||||
map_uri_template_agent (a_router, "/" + uploads_location, agent execute_upload (?, ?, a_api), Void) -- Accepts any method GET, HEAD, POST, PUT, DELETE, ...
|
map_uri_template_agent (a_router, "/" + uploads_location, agent execute_upload (?, ?, a_api), Void) -- Accepts any method GET, HEAD, POST, PUT, DELETE, ...
|
||||||
map_uri_template_agent (a_router, "/" + uploads_location + "(unknown)", agent display_uploaded_file_info (?, ?, a_api), a_router.methods_get)
|
map_uri_template_agent (a_router, "/" + uploads_location + "(unknown)", agent display_uploaded_file_info (?, ?, a_api), a_router.methods_get)
|
||||||
map_uri_template_agent (a_router, "/" + uploads_location + "remove/(unknown)", agent remove (?, ?, a_api), a_router.methods_get)
|
map_uri_template_agent (a_router, "/" + uploads_location + "remove/(unknown)", agent remove_file (?, ?, a_api), a_router.methods_get)
|
||||||
end
|
end
|
||||||
|
|
||||||
uploads_location: STRING = "upload/"
|
uploads_location: STRING = "upload/"
|
||||||
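Review bot: The `remove/(unknown)` route on the new-side line is still registered with `a_router.methods_get`, so a file deletion is triggered by a plain link, a browser prefetch or an embedded resource on a page an administrator happens to view; the permission check added to `remove_file` later in this commit decides who may delete, not whether the request was intended. A destructive handler should accept only a non-idempotent method and carry a request token, e.g. `map_uri_template_agent (a_router, "/" + uploads_location + "remove/(unknown)", agent remove_file (?, ?, a_api), a_router.methods_post)` (assuming the router exposes a POST method set alongside `methods_get`), with the form posting an anti-CSRF token that `remove_file` verifies before calling `delete_file`. The `(unknown)` segment in the template looks like an extraction artefact for the filename placeholder; confirm against the source.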
@@ -109,7 +114,7 @@ feature -- Hooks
|
|||||||
link: CMS_LOCAL_LINK
|
link: CMS_LOCAL_LINK
|
||||||
do
|
do
|
||||||
-- login in demo did somehow not work
|
-- login in demo did somehow not work
|
||||||
if a_response.has_permission ("upload files") then
|
if a_response.has_permission (upload_files_permission) then
|
||||||
create link.make ("Upload files", uploads_location)
|
create link.make ("Upload files", uploads_location)
|
||||||
a_menu_system.navigation_menu.extend (link)
|
a_menu_system.navigation_menu.extend (link)
|
||||||
end
|
end
|
||||||
@@ -133,13 +138,17 @@ feature -- Handler
|
|||||||
fn: READABLE_STRING_32
|
fn: READABLE_STRING_32
|
||||||
do
|
do
|
||||||
check req.is_get_request_method end
|
check req.is_get_request_method end
|
||||||
|
if not api.has_permission (browse_files_permission) then
|
||||||
|
create {FORBIDDEN_ERROR_CMS_RESPONSE} r.make (req, res, api)
|
||||||
|
r.add_error_message ("You are not allowed to browse CMS files!")
|
||||||
|
elseif attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
|
||||||
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
||||||
|
|
||||||
-- add style
|
-- add style
|
||||||
r.add_style (r.url ("/module/" + name + "/files/css/files.css", Void), Void)
|
r.add_style (r.url ("/module/" + name + "/files/css/files.css", Void), Void)
|
||||||
|
|
||||||
create body.make_empty
|
create body.make_empty
|
||||||
if attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
|
|
||||||
fn := p_filename.value
|
fn := p_filename.value
|
||||||
r.set_page_title ({STRING_32} "File %"" + fn + {STRING_32} "%"")
|
r.set_page_title ({STRING_32} "File %"" + fn + {STRING_32} "%"")
|
||||||
body.append ("<div class=%"uploaded-files%">%N") -- To ease css customization.
|
body.append ("<div class=%"uploaded-files%">%N") -- To ease css customization.
|
||||||
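Review bot: The new check at the top of this handler calls `api.has_permission (browse_files_permission)`, whereas the browse gate added in the hunk at `@@ -249,8 +262,11 @@` goes through the response object as `r.has_permission (browse_files_permission)`, the menu hook uses `a_response.has_permission`, and the upload handler in the hunk at `@@ -231,7 +244,7 @@` switches one line from `r.has_permission` to `api.has_permission` while keeping `r.has_permission` a few lines below. If the two accessors resolve the current user differently, one gate is checking a different principal than the other, and the module's authorization story becomes hard to audit; pick one accessor for every permission gate in the module. Record the decision once in the class, e.g. `-- Permission gates go through `api.has_permission` so the check does not depend on which response object has been created yet.` The enclosing feature starts before this hunk and ends after it.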
@@ -207,9 +216,13 @@ feature -- Handler
|
|||||||
body.append ("</div>%N") -- Overview
|
body.append ("</div>%N") -- Overview
|
||||||
end
|
end
|
||||||
body.append ("</div>%N")
|
body.append ("</div>%N")
|
||||||
end
|
|
||||||
r.add_to_primary_tabs (create {CMS_LOCAL_LINK}.make ("Uploaded files", uploads_location))
|
r.add_to_primary_tabs (create {CMS_LOCAL_LINK}.make ("Uploaded files", uploads_location))
|
||||||
r.set_main_content (body)
|
r.set_main_content (body)
|
||||||
|
else
|
||||||
|
create {BAD_REQUEST_ERROR_CMS_RESPONSE} r.make (req, res, api)
|
||||||
|
r.set_main_content ("Missing 'filename' field value!")
|
||||||
|
end
|
||||||
r.execute
|
r.execute
|
||||||
end
|
end
|
||||||
|
|
||||||
@@ -231,7 +244,7 @@ feature -- Handler
|
|||||||
r.add_javascript_url (r.url ("/module/" + name + "/files/js/dropzone.js", void))
|
r.add_javascript_url (r.url ("/module/" + name + "/files/js/dropzone.js", void))
|
||||||
r.add_style (r.url ("/module/" + name + "/files/js/dropzone.css", void), void)
|
r.add_style (r.url ("/module/" + name + "/files/js/dropzone.css", void), void)
|
||||||
|
|
||||||
if r.has_permission ("upload files") then
|
if api.has_permission (upload_files_permission) then
|
||||||
-- create body
|
-- create body
|
||||||
body.append ("<p>Please choose some file(s) to upload.</p>")
|
body.append ("<p>Please choose some file(s) to upload.</p>")
|
||||||
|
|
||||||
@@ -249,8 +262,11 @@ feature -- Handler
|
|||||||
end
|
end
|
||||||
|
|
||||||
-- Build the response.
|
-- Build the response.
|
||||||
|
if r.has_permission (browse_files_permission) then
|
||||||
append_uploaded_file_album_to (req, api, body)
|
append_uploaded_file_album_to (req, api, body)
|
||||||
|
else
|
||||||
|
r.add_warning_message ("You are not allowed to browse files!")
|
||||||
|
end
|
||||||
|
|
||||||
r.set_main_content (body)
|
r.set_main_content (body)
|
||||||
else
|
else
|
||||||
@@ -260,7 +276,9 @@ feature -- Handler
|
|||||||
end
|
end
|
||||||
|
|
||||||
process_uploaded_files (req: WSF_REQUEST; api: CMS_API; a_output: STRING)
|
process_uploaded_files (req: WSF_REQUEST; api: CMS_API; a_output: STRING)
|
||||||
-- show all newly uploaded files
|
-- Process http request uploaded files.
|
||||||
|
require
|
||||||
|
has_permission: api.has_permission (upload_files_permission)
|
||||||
local
|
local
|
||||||
l_uploaded_file: CMS_UPLOADED_FILE
|
l_uploaded_file: CMS_UPLOADED_FILE
|
||||||
uf: WSF_UPLOADED_FILE
|
uf: WSF_UPLOADED_FILE
|
||||||
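Review bot: The new `require has_permission: api.has_permission (upload_files_permission)` on `process_uploaded_files` is a contract assertion, and Eiffel preconditions are normally compiled out of finalized builds, so in production this line enforces nothing at runtime. Keep it as documentation of the contract, but make sure every caller performs the `has_permission` check itself before invoking the routine (the upload handler in this commit does, at `if api.has_permission (upload_files_permission) then`), and say so in the header comment, e.g. `-- Process http request uploaded files. Callers must check `upload_files_permission` first; the precondition is not enforced in finalized code.` The routine body continues past the end of the hunk.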
@@ -406,15 +424,17 @@ feature -- Handler
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
remove (req: WSF_REQUEST; res: WSF_RESPONSE; api: CMS_API)
|
remove_file (req: WSF_REQUEST; res: WSF_RESPONSE; api: CMS_API)
|
||||||
local
|
local
|
||||||
body: STRING
|
body: STRING
|
||||||
r: CMS_RESPONSE
|
r: CMS_RESPONSE
|
||||||
err: BOOLEAN
|
err: BOOLEAN
|
||||||
do
|
do
|
||||||
|
|
||||||
if attached files_api as l_files_api then
|
if attached files_api as l_files_api then
|
||||||
if attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
|
if not api.has_permission (admin_files_permission) then
|
||||||
|
create {FORBIDDEN_ERROR_CMS_RESPONSE} r.make (req, res, api)
|
||||||
|
r.add_error_message ("You are not allowed to remove file!")
|
||||||
|
elseif attached {WSF_STRING} req.path_parameter ("filename") as p_filename then
|
||||||
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
||||||
|
|
||||||
l_files_api.delete_file (p_filename.value)
|
l_files_api.delete_file (p_filename.value)
|
||||||
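Review bot: `remove_file` now gates on `admin_files_permission` before reading the path parameter, which is the right order, but the name it deletes by is still `p_filename.value` taken verbatim from the URL; whether `l_files_api.delete_file` confines that name to the upload store (rejecting path separators and parent-directory segments) cannot be seen from here and should be confirmed, since this is the one place in the module where a client-chosen string names a file to destroy. Combined with the GET mapping of the `remove/` route, a single link an administrator follows is enough to delete a file, so the route needs a non-GET method with a request token, and the handler should record the acting user and the deleted filename for audit. The routine continues past the end of the hunk, so the Void-`files_api` path and the final `r.execute` are not visible here.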
|
|||||||