fix(2.2.x backport): respect upload and directory listing permissions (#1527)

fdintino · fsbraun · web-flow · commit 330d1dacb0b5 · 2025-06-10T22:17:21.000+02:00
* fix: respect upload and directory listing permissions (#1352) * fix: respect `can_use_directory_listing`, `change_folder`, `add_folder`, `add_file` permissions * Update tests * fix flake8 error * Close files in tests * Add test for has_... permissions of File and Folder class * Remove unused variables from tests * Remove unnecessary noqa * Run isort * ci: use ubuntu-latest runner in gha actions * update dependencies and tox matrix to something workable --------- Co-authored-by: Fabian Braun <fsbraun@gmx.de>
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -4,7 +4,7 @@ on: [push]
 
 jobs:
   gulp:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       matrix:
         node-version: [14.15.x]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ '3.7', '3.8', '3.9', '3.10', '3.11' ]
+        python-version: [ '3.8', '3.9', '3.10', '3.11' ]
         requirements-file: [
           django-2.2.txt,
           django-3.0.txt,
@@ -19,12 +19,6 @@ jobs:
           django-4.2.txt,
         ]
         exclude:
-          - python-version: 3.7
-            requirements-file: django-4.0.txt
-          - python-version: 3.7
-            requirements-file: django-4.1.txt
-          - python-version: 3.7
-            requirements-file: django-4.2.txt
           - python-version: 3.9
             requirements-file: django-2.2.txt
           - python-version: 3.10
@@ -40,7 +34,7 @@ jobs:
           - python-version: 3.11
             requirements-file: django-3.1.txt
         os: [
-          ubuntu-20.04,
+          ubuntu-latest,
         ]
 
     steps:
@@ -50,7 +44,7 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
     - name: library prerequisites
-      run: sudo apt-get install python-dev libpq-dev libmagic1 gcc libxml2-dev libxslt1-dev libjpeg62 libopenjp2-7 -y
+      run: sudo apt-get install python-dev-is-python3 libpq-dev libmagic1 gcc libxml2-dev libxslt1-dev libjpeg62 libopenjp2-7 -y
     - name: Install extra dependencies
       run: pip install lxml
       if: matrix.python-version == '3.10'
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -7,7 +7,7 @@ version: 2
 
 # Set the version of Python and other tools you might need
 build:
-  os: ubuntu-20.04
+  os: ubuntu-latest
   tools:
     python: "3.9"
     # You can also specify other tool versions:
diff --git a/filer/admin/clipboardadmin.py b/filer/admin/clipboardadmin.py
@@ -1,7 +1,8 @@
-from django.contrib import admin
+from django.contrib import admin, messages
 from django.forms.models import modelform_factory
 from django.http import JsonResponse
 from django.urls import path
+from django.utils.translation import gettext_lazy as _
 from django.views.decorators.csrf import csrf_exempt
 
 from .. import settings as filer_settings
@@ -11,8 +12,9 @@
 from . import views
 
 
-NO_FOLDER_ERROR = "Can't find folder to upload. Please refresh and try again"
-NO_PERMISSIONS_FOR_FOLDER = (
+NO_PERMISSIONS = _("You do not have permission to upload files.")
+NO_FOLDER_ERROR = _("Can't find folder to upload. Please refresh and try again")
+NO_PERMISSIONS_FOR_FOLDER = _(
     "Can't use this folder, Permission Denied. Please select another folder."
 )
 
@@ -68,17 +70,24 @@ def ajax_upload(request, folder_id=None):
     """
     Receives an upload from the uploader. Receives only one file at a time.
     """
+
+    if not request.user.has_perm("filer.add_file"):
+        messages.error(request, NO_PERMISSIONS)
+        return JsonResponse({'error': NO_PERMISSIONS})
+
     if folder_id:
         try:
             # Get folder
             folder = Folder.objects.get(pk=folder_id)
         except Folder.DoesNotExist:
+            messages.error(request, NO_FOLDER_ERROR)
             return JsonResponse({'error': NO_FOLDER_ERROR})
     else:
         folder = Folder.objects.filter(pk=request.session.get('filer_last_folder_id', 0)).first()
 
     # check permissions
     if folder and not folder.has_add_children_permission(request):
+        messages.error(request, NO_PERMISSIONS_FOR_FOLDER)
         return JsonResponse({'error': NO_PERMISSIONS_FOR_FOLDER})
 
     if len(request.FILES) == 1:
diff --git a/filer/admin/folderadmin.py b/filer/admin/folderadmin.py
@@ -233,6 +233,8 @@ def get_urls(self):
 
     # custom views
     def directory_listing(self, request, folder_id=None, viewtype=None):
+        if not request.user.has_perm("filer.can_use_directory_listing"):
+            raise PermissionDenied()
         clipboard = tools.get_user_clipboard(request.user)
         if viewtype == 'images_with_missing_data':
             folder = ImagesWithMissingData()
diff --git a/filer/models/filemodels.py b/filer/models/filemodels.py
@@ -300,13 +300,13 @@ def __lt__(self, other):
         return self.label.lower() < other.label.lower()
 
     def has_edit_permission(self, request):
-        return self.has_generic_permission(request, 'edit')
+        return request.user.has_perm("filer.change_file") and self.has_generic_permission(request, 'edit')
 
     def has_read_permission(self, request):
         return self.has_generic_permission(request, 'read')
 
     def has_add_children_permission(self, request):
-        return self.has_generic_permission(request, 'add_children')
+        return request.user.has_perm("filer.add_file") and self.has_generic_permission(request, 'add_children')
 
     def has_generic_permission(self, request, permission_type):
         """
diff --git a/filer/models/foldermodels.py b/filer/models/foldermodels.py
@@ -200,13 +200,13 @@ def quoted_logical_path(self):
         return urlquote(self.pretty_logical_path)
 
     def has_edit_permission(self, request):
-        return self.has_generic_permission(request, 'edit')
+        return request.user.has_perm("filer.change_folder") and self.has_generic_permission(request, 'edit')
 
     def has_read_permission(self, request):
         return self.has_generic_permission(request, 'read')
 
     def has_add_children_permission(self, request):
-        return self.has_generic_permission(request, 'add_children')
+        return request.user.has_perm("filer.change_folder") and self.has_generic_permission(request, 'add_children')
 
     def has_generic_permission(self, request, permission_type):
         """
diff --git a/tests/requirements/django-2.2.txt b/tests/requirements/django-2.2.txt
@@ -3,3 +3,4 @@
 django>=2.2,<3.0
 django_polymorphic>=2.0,<2.1
 django-app-helper
+easy-thumbnails[svg]<2.10
diff --git a/tests/requirements/django-3.0.txt b/tests/requirements/django-3.0.txt
@@ -3,3 +3,4 @@
 django>=3.0,<3.1
 django_polymorphic>=2.1,<2.2
 django-app-helper
+easy-thumbnails[svg]<2.10
diff --git a/tests/requirements/django-3.1.txt b/tests/requirements/django-3.1.txt
@@ -3,3 +3,4 @@
 django>=3.1,<3.2
 django_polymorphic>=2,<3.1
 django-app-helper
+easy-thumbnails[svg]<2.10
diff --git a/tests/requirements/django-3.2.txt b/tests/requirements/django-3.2.txt
@@ -3,3 +3,4 @@
 django>=3.2,<4
 django_polymorphic>=2,<3.1
 django-app-helper
+easy-thumbnails[svg]<2.10
diff --git a/tests/requirements/django-4.0.txt b/tests/requirements/django-4.0.txt
@@ -3,3 +3,4 @@
 django>=4.0,<4.1
 django_polymorphic>=3.1
 https://github.com/jrief/django-app-helper/archive/refs/heads/develop.zip
+easy-thumbnails[svg]<2.10
diff --git a/tests/requirements/django-4.1.txt b/tests/requirements/django-4.1.txt
@@ -3,3 +3,4 @@
 django>=4.1,<4.2
 django_polymorphic>=3.1
 https://github.com/jrief/django-app-helper/archive/refs/heads/develop.zip
+easy-thumbnails[svg]<2.10
diff --git a/tests/test_admin.py b/tests/test_admin.py
diff --git a/tests/test_dump.py b/tests/test_dump.py
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
diff --git a/tests/test_tools.py b/tests/test_tools.py
diff --git a/tox.ini b/tox.ini
