feat: add Read/Write Permission

2023-07-15 20:08:30 +00:00 · 2023-07-15 20:08:30 +00:00 · b6cce0e0e2
commit b6cce0e0e2
parent 6744cd47ce
8 changed files with 135 additions and 22 deletions
--- a/auth/hook.go
+++ b/auth/hook.go
@ -11,6 +11,7 @@ import (

 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/files"
+	"github.com/filebrowser/filebrowser/v2/rules"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
 )
@ -31,6 +32,7 @@ type HookAuth struct {
 	Cred     hookCred           `json:"-"`
 	Fields   hookFields         `json:"-"`
 	Command  string             `json:"command"`
+	Rules    []rules.Rule       `json:"rules"`
 }

 // Auth authenticates the user via a json in content body.
@ -228,6 +230,7 @@ func (a *HookAuth) GetUser(d *users.User) *users.User {
 			Asc: a.Fields.GetBoolean("user.sorting.asc", d.Sorting.Asc),
 			By:  a.Fields.GetString("user.sorting.by", d.Sorting.By),
 		},
+		Rules:        a.Fields.GetRules("user.perm.rule", d.Rules),
 		Commands:     a.Fields.GetArray("user.commands", d.Commands),
 		HideDotfiles: a.Fields.GetBoolean("user.hideDotfiles", d.HideDotfiles),
 		Perm:         perms,
@ -261,6 +264,7 @@ var validHookFields = []string{
 	"user.perm.delete",
 	"user.perm.share",
 	"user.perm.download",
+	"user.perm.rule",
 }

 // IsValid checks if the provided field is on the valid fields list
@ -300,3 +304,20 @@ func (hf *hookFields) GetArray(k string, dv []string) []string {
 	}
 	return dv
 }
+
+func (hf *hookFields) GetRules(k string, dv []rules.Rule) []rules.Rule {
+	val, ok := hf.Values[k]
+	if !ok {
+		return dv
+	}
+	var dvv []rules.Rule
+	for _, ruleString := range strings.Split(val, ";") {
+		var rule rules.Rule
+		err := json.Unmarshal([]byte(ruleString), &rule)
+		if err != nil {
+			return dv
+		}
+		dvv = append(dvv, rule)
+	}
+	return dvv
+}
--- a/cmd/config_init.go
+++ b/cmd/config_init.go
@ -37,7 +37,7 @@ override the options.`,
 			Branding: settings.Branding{
 				Name:                  mustGetString(flags, "branding.name"),
 				DisableExternal:       mustGetBool(flags, "branding.disableExternal"),
-				DisableUsedPercentage: mustGetBool(flags, "branding.DisableUsedPercentage"),
+				DisableUsedPercentage: mustGetBool(flags, "branding.disableUsedPercentage"),
 				Files:                 mustGetString(flags, "branding.files"),
 			},
 		}
--- a/files/file.go
+++ b/files/file.go
@ -58,7 +58,7 @@ type FileOptions struct {
 // object will be automatically filled depending on if it is a directory
 // or a file. If it's a video file, it will also detect any subtitles.
 func NewFileInfo(opts FileOptions) (*FileInfo, error) {
-	if !opts.Checker.Check(opts.Path) {
+	if !opts.Checker.CheckReadPerm(opts.Path) { // display folder/file list
 		return nil, os.ErrPermission
 	}

@ -319,7 +319,7 @@ func (i *FileInfo) readListing(checker rules.Checker, readHeader bool) error {
 		name := f.Name()
 		fPath := path.Join(i.Path, name)

-		if !checker.Check(fPath) {
+		if !checker.CheckReadPerm(fPath) {
 			continue
 		}

--- a/frontend/src/components/settings/Rules.vue
+++ b/frontend/src/components/settings/Rules.vue
@ -4,20 +4,15 @@
      <input type="checkbox" v-model="rule.regex" /><label>Regex</label>
      <input type="checkbox" v-model="rule.allow" /><label>Allow</label>

-      <input
-        @keypress.enter.prevent
-        type="text"
-        v-if="rule.regex"
-        v-model="rule.regexp.raw"
-        :placeholder="$t('settings.insertRegex')"
-      />
-      <input
-        @keypress.enter.prevent
-        type="text"
-        v-else
-        v-model="rule.path"
-        :placeholder="$t('settings.insertPath')"
-      />
+      <input @keypress.enter.prevent type="text" style="margin-right: 8px;" v-if="rule.regex" v-model="rule.regexp.raw"
+        :placeholder="$t('settings.insertRegex')" />
+      <input @keypress.enter.prevent type="text" style="margin-right: 8px;" v-else v-model="rule.path"
+        :placeholder="$t('settings.insertPath')" />
+
+      <input type="checkbox" :checked="rule.perm && rule.perm.includes('read')"
+        @input="changePermOfRule('read', index)" /><label>Read</label>
+      <input type="checkbox" :checked="rule.perm && rule.perm.includes('write')"
+        @input="changePermOfRule('write', index)" /><label>Write</label>

      <button class="button button--red" @click="remove($event, index)">
        -
@ -37,6 +32,12 @@ export default {
  name: "rules-textarea",
  props: ["rules"],
  methods: {
+    changePermOfRule(ruleName, index) {
+      const rule = this.rules[index];
+      const isRead = ruleName === "read" ? rule.perm.includes("read") : !rule.perm.includes("read");
+      const isWrite = ruleName === "write" ? rule.perm.includes("write") : !rule.perm.includes("write");
+      this.rules[index].perm = `${!isRead ? "read" : ""}${!isRead && !isWrite ? "|" : ""}${!isWrite ? "write" : ""}`
+    },
    remove(event, index) {
      event.preventDefault();
      let rules = [...this.rules];
--- a/http/data.go
+++ b/http/data.go
@ -4,6 +4,7 @@ import (
 	"log"
 	"net/http"
 	"strconv"
+	"strings"

 	"github.com/tomasen/realip"

@ -47,6 +48,64 @@ func (d *data) Check(path string) bool {
 	return allow
 }

+func (d *data) CheckReadPerm(path string) bool {
+	if d.user.HideDotfiles && rules.MatchHidden(path) {
+		return false
+	}
+
+	read := true
+	for _, rule := range d.settings.Rules {
+		if rule.Matches(path) {
+			if !rule.Allow {
+				read = false
+			} else {
+				read = strings.Contains(rule.Perm, "read")
+			}
+		}
+	}
+
+	for _, rule := range d.user.Rules {
+		if rule.Matches(path) {
+			if !rule.Allow {
+				read = false
+			} else {
+				read = strings.Contains(rule.Perm, "read")
+			}
+		}
+	}
+
+	return read
+}
+
+func (d *data) CheckWritePerm(path string) bool {
+	if d.user.HideDotfiles && rules.MatchHidden(path) {
+		return false
+	}
+
+	write := true
+	for _, rule := range d.settings.Rules {
+		if rule.Matches(path) {
+			if !rule.Allow {
+				write = false
+			} else {
+				write = strings.Contains(rule.Perm, "write")
+			}
+		}
+	}
+
+	for _, rule := range d.user.Rules {
+		if rule.Matches(path) {
+			if !rule.Allow {
+				write = false
+			} else {
+				write = strings.Contains(rule.Perm, "write")
+			}
+		}
+	}
+
+	return write
+}
+
 func handle(fn handleFunc, prefix string, store *storage.Storage, server *settings.Server) http.Handler {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
--- a/http/resource.go
+++ b/http/resource.go
@ -56,7 +56,7 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d

 func resourceDeleteHandler(fileCache FileCache) handleFunc {
 	return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
-		if r.URL.Path == "/" || !d.user.Perm.Delete {
+		if r.URL.Path == "/" || !d.user.Perm.Delete || !d.CheckWritePerm(r.URL.Path) {
 			return http.StatusForbidden, nil
 		}

@ -92,7 +92,7 @@ func resourceDeleteHandler(fileCache FileCache) handleFunc {

 func resourcePostHandler(fileCache FileCache) handleFunc {
 	return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
-		if !d.user.Perm.Create || !d.Check(r.URL.Path) {
+		if !d.user.Perm.Create || !d.CheckWritePerm(r.URL.Path) {
 			return http.StatusForbidden, nil
 		}

@ -146,7 +146,7 @@ func resourcePostHandler(fileCache FileCache) handleFunc {
 }

 var resourcePutHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
-	if !d.user.Perm.Modify || !d.Check(r.URL.Path) {
+	if !d.user.Perm.Modify || !d.CheckWritePerm(r.URL.Path) {
 		return http.StatusForbidden, nil
 	}

@ -183,9 +183,20 @@ func resourcePatchHandler(fileCache FileCache) handleFunc {
 		dst := r.URL.Query().Get("destination")
 		action := r.URL.Query().Get("action")
 		dst, err := url.QueryUnescape(dst)
-		if !d.Check(src) || !d.Check(dst) {
+		switch action {
+		case "rename": // rename and move action
+			if !d.CheckWritePerm(src) || !d.CheckWritePerm(dst) {
 				return http.StatusForbidden, nil
 			}
+			break
+		case "copy": // copy action
+			if !d.CheckReadPerm(src) || !d.CheckWritePerm(dst) {
+				return http.StatusForbidden, nil
+			}
+			break
+		default:
+			break
+		}
 		if err != nil {
 			return errToStatus(err), err
 		}
--- a/http/share.go
+++ b/http/share.go
@ -56,6 +56,10 @@ var shareListHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 })

 var shareGetsHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.CheckReadPerm(r.URL.Path) {
+		return http.StatusForbidden, nil
+	}
+
 	s, err := d.store.Share.Gets(r.URL.Path, d.user.ID)
 	if err == errors.ErrNotExist {
 		return renderJSON(w, r, []*share.Link{})
@ -69,6 +73,10 @@ var shareGetsHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 })

 var shareDeleteHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.CheckReadPerm(r.URL.Path) {
+		return http.StatusForbidden, nil
+	}
+
 	hash := strings.TrimSuffix(r.URL.Path, "/")
 	hash = strings.TrimPrefix(hash, "/")

@ -81,6 +89,10 @@ var shareDeleteHandler = withPermShare(func(w http.ResponseWriter, r *http.Reque
 })

 var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.CheckReadPerm(r.URL.Path) {
+		return http.StatusForbidden, nil
+	}
+
 	var s *share.Link
 	var body share.CreateBody
 	if r.Body != nil {
--- a/rules/rules.go
+++ b/rules/rules.go
@ -9,6 +9,8 @@ import (
 // Checker is a Rules checker.
 type Checker interface {
 	Check(path string) bool
+	CheckReadPerm(path string) bool
+	CheckWritePerm(path string) bool
 }

 // Rule is a allow/disallow rule.
@ -17,6 +19,13 @@ type Rule struct {
 	Allow  bool    `json:"allow"`
 	Path   string  `json:"path"`
 	Regexp *Regexp `json:"regexp"`
+	Perm   string  `json:"perm"`
+}
+
+// Perm is a read/write permission.
+type Perms struct {
+	Read  bool `json:"read"`
+	Write bool `json:"write"`
 }

 // MatchHidden matches paths with a basename