Files: fix security
parent
9ed0b00594
commit
a1ee600ae6
@ -1166,7 +1166,7 @@ public class FileStorageService<T> //: IFileStorageService
|
||||
{
|
||||
var fileDao = GetFileDao();
|
||||
var file = await fileDao.GetFileAsync(fileId);
|
||||
ErrorIf(!await _fileSecurity.CanReadAsync(file), FilesCommonResource.ErrorMassage_SecurityException_ReadFile);
|
||||
ErrorIf(!await _fileSecurity.CanReadHistoryAsync(file), FilesCommonResource.ErrorMassage_SecurityException_ReadFile);
|
||||
|
||||
await foreach (var r in fileDao.GetFileHistoryAsync(fileId))
|
||||
{
|
||||
|
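Review bot: The history listing now depends only on `CanReadHistoryAsync(file)`, and the previous `CanReadAsync(file)` guard is gone, so whether the caller must also hold Read on the file is decided inside `CanAsync`, which this hunk does not show. If ReadHistory is not guaranteed to imply Read there, keep both guards: `ErrorIf(!await _fileSecurity.CanReadAsync(file) || !await _fileSecurity.CanReadHistoryAsync(file), FilesCommonResource.ErrorMassage_SecurityException_ReadFile);`. `file` is also passed to the check with no visible null test after `GetFileAsync(fileId)`. The method starts and ends outside the hunk, so that may be handled elsewhere.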
@ -98,6 +98,16 @@ public class FileSecurity : IFileSecurity
|
||||
return CanAsync(entry, userId, FilesSecurityActions.Read);
|
||||
}
|
||||
|
||||
public Task<bool> CanReadHistoryAsync<T>(FileEntry<T> entry)
|
||||
{
|
||||
return CanAsync(entry, _authContext.CurrentAccount.ID, FilesSecurityActions.ReadHistory);
|
||||
}
|
||||
|
||||
public Task<bool> CanReadHistoryAsync<T>(FileEntry<T> entry, Guid userId)
|
||||
{
|
||||
return CanAsync(entry, userId, FilesSecurityActions.ReadHistory);
|
||||
}
|
||||
|
||||
public Task<bool> CanCommentAsync<T>(FileEntry<T> entry, Guid userId)
|
||||
{
|
||||
return CanAsync(entry, userId, FilesSecurityActions.Comment);
|
||||
@ -766,11 +776,11 @@ public class FileSecurity : IFileSecurity
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else if (action == FilesSecurityActions.Comment && (e.Access == FileShare.Comment || e.Access == FileShare.Review || e.Access == FileShare.CustomFilter || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
|
||||
else if (action == FilesSecurityActions.Comment && (e.Access == FileShare.Comment || e.Access == FileShare.Review || e.Access == FileShare.CustomFilter || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing || e.Access == FileShare.FillForms))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else if (action == FilesSecurityActions.FillForms && (e.Access == FileShare.FillForms || e.Access == FileShare.Review || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
|
||||
else if (action == FilesSecurityActions.FillForms && (e.Access == FileShare.FillForms || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
@ -798,6 +808,10 @@ public class FileSecurity : IFileSecurity
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else if (action == FilesSecurityActions.ReadHistory && (e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else if (e.Access != FileShare.Restrict && e.CreateBy == userId && (e.FileEntryType == FileEntryType.File || folder.FolderType != FolderType.COMMON))
|
||||
{
|
||||
return true;
|
||||
@ -1519,6 +1533,7 @@ public class FileSecurity : IFileSecurity
|
||||
Delete,
|
||||
CustomFilter,
|
||||
RoomEdit,
|
||||
Rename
|
||||
Rename,
|
||||
ReadHistory
|
||||
}
|
||||
}
|
||||
|
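Review bot: The new `ReadHistory` branch grants the action only for `FileShare.RoomAdmin` and `FileShare.Editing`, while the neighbouring `Comment` and `FillForms` branches also list `FileShare.ReadWrite`. Because the history listing in FileStorageService is now gated on this action alone, a ReadWrite share would be refused unless an earlier branch of this method, outside the hunks, already returns true for it. If no such branch exists, the condition should read `e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing`. The same section also adds `FileShare.FillForms` to `Comment` and removes `FileShare.Review` from `FillForms` without explanation. A short comment above each branch stating the intended mapping, e.g. `// form fillers may comment; reviewers may not fill forms`, would make the access matrix reviewable.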
@ -128,14 +128,6 @@ public class DocumentServiceHelper
|
||||
|
||||
var rightModifyFilter = rightToEdit;
|
||||
|
||||
if (linkRight == FileShare.Restrict && _userManager.IsVisitor(_authContext.CurrentAccount.ID))
|
||||
{
|
||||
rightToEdit = false;
|
||||
rightToReview = false;
|
||||
rightToFillForms = false;
|
||||
rightToComment = false;
|
||||
}
|
||||
|
||||
rightToEdit = rightToEdit
|
||||
&& (linkRight == FileShare.ReadWrite || linkRight == FileShare.CustomFilter
|
||||
|| await _fileSecurity.CanEditAsync(file) || await _fileSecurity.CanCustomFilterEditAsync(file));
|
||||
|
@ -1482,8 +1482,7 @@ public class EntryManager
|
||||
&& !await _fileSecurity.CanCustomFilterEditAsync(file, userId)
|
||||
&& !await _fileSecurity.CanReviewAsync(file, userId)
|
||||
&& !await _fileSecurity.CanFillFormsAsync(file, userId)
|
||||
&& !await _fileSecurity.CanCommentAsync(file, userId)
|
||||
|| _userManager.IsVisitor(userId)))
|
||||
&& !await _fileSecurity.CanCommentAsync(file, userId)))
|
||||
{
|
||||
throw new SecurityException(FilesCommonResource.ErrorMassage_SecurityException_EditFile);
|
||||
}
|
||||
|
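Review bot: Dropping `|| _userManager.IsVisitor(userId)` from this condition means a visitor is no longer rejected here by account type, so the outcome for a visitor now depends on the `Can*Async(file, userId)` checks alone. The removed `IsVisitor` blocks in DocumentServiceHelper and FileSharing follow the same pattern, so visitor limits appear to rest entirely on `FileSecurity`, and none of the visible FileSecurity hunks adds a visitor check. The condition starts above the hunk, so the full expression cannot be confirmed from here. A test asserting that a visitor holding only a Read share still gets the `SecurityException` on this path would pin the intended behaviour.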
@ -481,10 +481,6 @@ public class FileSharing
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else if (_userManager.IsVisitor(u) && new FileShareRecord.ShareComparer().Compare(FileShare.Read, share) > 0)
|
||||
{
|
||||
share = FileShare.Read;
|
||||
}
|
||||
|
||||
var w = new AceWrapper
|
||||
{
|
||||
|