From c08d58c05b6cb459aa0d30151a2d630bbceb3f25 Mon Sep 17 00:00:00 2001
From: Dimas Ananda <traperwaze@gmail.com>
Date: Fri, 4 Nov 2022 09:20:53 +0700
Subject: [PATCH] make user without download permission unable to get resource
 that is file

---
 http/resource.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/http/resource.go b/http/resource.go
index 3a12538a..bacb3f90 100644
--- a/http/resource.go
+++ b/http/resource.go
@@ -33,6 +33,10 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
 		return errToStatus(err), err
 	}
 
+	if !file.IsDir && !d.user.Perm.Download {
+		return 0, os.ErrPermission
+	}
+
 	if file.IsDir {
 		file.Listing.Sorting = d.user.Sorting
 		file.Listing.ApplySort()
@@ -98,7 +102,7 @@ func resourcePostHandler(fileCache FileCache) handleFunc {
 
 		// Directories creation on POST.
 		if strings.HasSuffix(r.URL.Path, "/") {
-			err := d.user.Fs.MkdirAll(r.URL.Path, 0775) //nolint:gomnd
+			err := d.user.Fs.MkdirAll(r.URL.Path, 0o775) //nolint:gomnd
 			return errToStatus(err), err
 		}
 
@@ -256,12 +260,12 @@ func addVersionSuffix(source string, fs afero.Fs) string {
 
 func writeFile(fs afero.Fs, dst string, in io.Reader) (os.FileInfo, error) {
 	dir, _ := path.Split(dst)
-	err := fs.MkdirAll(dir, 0775) //nolint:gomnd
+	err := fs.MkdirAll(dir, 0o775) //nolint:gomnd
 	if err != nil {
 		return nil, err
 	}
 
-	file, err := fs.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0775) //nolint:gomnd
+	file, err := fs.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o775) //nolint:gomnd
 	if err != nil {
 		return nil, err
 	}