Fix file deletion

Registered users could delete files uploaded by anonymous users.
koldakov · Mar 21, 2023 · dd6eacd · dd6eacd
1 parent d145603
commit dd6eacd
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.0.30] - 2023-03-22
+
+### Fixed
+
+- Registered users can delete files uploaded by anonymous users.
+
 ## [0.0.29] - 2023-03-21
 
 ### Added

diff --git a/accounts/models.py b/accounts/models.py
@@ -526,6 +526,12 @@ def get_user_file_by_url_path(user: User, url_path):
 
         raise PermissionDenied()
 
+    def has_delete_permission(self, user: User):
+        if self.owner is None:
+            return False
+
+        return self.owner == user
+
 
 def generate_fake_file(original_name, owner: User = None, is_private: bool = True):
     file = File()

diff --git a/accounts/templates/accounts/includes/file.html b/accounts/templates/accounts/includes/file.html
@@ -1,4 +1,4 @@
-{% load i18n %}
+{% load accounts_extras i18n %}
 
 <div class="col">
   <div class="card h-100">
@@ -40,7 +40,8 @@ <h5 class="card-title">
             {% endif %}
           </form>
         </li>
-        {% if not request.user.is_anonymous %}
+        {% user_has_file_delete_permission file request.user as does_user_have_file_delete_permission %}
+        {% if does_user_have_file_delete_permission %}
           <li class="list-group-item">
             <form
               action="{% url 'accounts:file' url_path=file.url_path %}"

diff --git a/accounts/templatetags/accounts_extras.py b/accounts/templatetags/accounts_extras.py
@@ -1,10 +1,15 @@
 from django import template
 
-from accounts.models import ProductBase, User
+from accounts.models import File, ProductBase, User
 
 register = template.Library()
 
 
 @register.simple_tag
 def get_product_internal_info(product: ProductBase, user: User):
     return product.get_internal_info(user)
+
+
+@register.simple_tag
+def user_has_file_delete_permission(file: File, user: User):
+    return file.has_delete_permission(user)
diff --git a/accounts/views.py b/accounts/views.py
@@ -472,11 +472,15 @@ def get(self, request, *args, **kwargs):
         if url_path is None or not request.user.is_authenticated:
             raise PermissionDenied()
 
+        file = File.get_user_file_by_url_path(request.user, url_path)
+        if not file.has_delete_permission(request.user):
+            raise PermissionDenied()
+
         return render(
             request=request,
             template_name=self.template_name,
             context={
-                'file': File.get_user_file_by_url_path(request.user, url_path),
+                'file': file,
             }
         )
 
@@ -486,8 +490,10 @@ def post(self, request, *args, **kwargs):
 
         url_path = kwargs.get('url_path')
         file = File.get_user_file_by_url_path(request.user, url_path)
-        file_name = file.original_full_name
+        if not file.has_delete_permission(request.user):
+            raise PermissionDenied()
 
+        file_name = file.original_full_name
         file.delete()
         messages.success(request, _('File "%s" deleted' % file_name))
         return redirect(reverse('accounts:index'))