.

2015-04-29 18:04:30 +08:00 · 2015-04-29 18:04:30 +08:00 · e3b5fbbfa8
parent 3ee68aa6ce
commit e3b5fbbfa8
1 changed files with 128 additions and 11 deletions
--- a/file/files.go
+++ b/file/files.go
@ -74,16 +74,16 @@ func initAPINode() {
 // The Go API source code package also as a child node,
 // so that users can easily view the Go API source code in file tree.
 func GetFilesHandler(w http.ResponseWriter, r *http.Request) {
-	data := map[string]interface{}{"succ": true}
-	defer util.RetGzJSON(w, r, data)
-
-	session, _ := session.HTTPSession.Get(r, "wide-session")
-	if session.IsNew {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
 		http.Error(w, "Forbidden", http.StatusForbidden)

 		return
 	}
-	username := session.Values["username"].(string)
+	username := httpSession.Values["username"].(string)
+
+	data := map[string]interface{}{"succ": true}
+	defer util.RetGzJSON(w, r, data)

 	userWorkspace := conf.GetUserWorkspace(username)
 	workspaces := filepath.SplitList(userWorkspace)
@ -123,9 +123,23 @@ func GetFilesHandler(w http.ResponseWriter, r *http.Request) {

 // RefreshDirectoryHandler handles request of refresh a directory of file tree.
 func RefreshDirectoryHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	r.ParseForm()
 	path := r.FormValue("path")

+	if !authWorkspace(username, path) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	node := Node{Name: "root", Path: path, IconSkin: "ico-ztree-dir ", Type: "d", Children: []*Node{}}

 	walk(path, &node, true, true, false)
@ -142,6 +156,14 @@ func RefreshDirectoryHandler(w http.ResponseWriter, r *http.Request) {

 // GetFileHandler handles request of opening file by editor.
 func GetFileHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -156,6 +178,12 @@ func GetFileHandler(w http.ResponseWriter, r *http.Request) {

 	path := args["path"].(string)

+	if !authWorkspace(username, path) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	size := util.File.GetFileSize(path)
 	if size > 5242880 { // 5M
 		data["succ"] = false
@ -201,6 +229,14 @@ func GetFileHandler(w http.ResponseWriter, r *http.Request) {

 // SaveFileHandler handles request of saving file.
 func SaveFileHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -216,6 +252,12 @@ func SaveFileHandler(w http.ResponseWriter, r *http.Request) {
 	filePath := args["file"].(string)
 	sid := args["sid"].(string)

+	if !authWorkspace(username, filePath) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	fout, err := os.Create(filePath)

 	if nil != err {
@ -243,6 +285,14 @@ func SaveFileHandler(w http.ResponseWriter, r *http.Request) {

 // NewFileHandler handles request of creating file or directory.
 func NewFileHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -256,6 +306,13 @@ func NewFileHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	path := args["path"].(string)
+
+	if !authWorkspace(username, path) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	fileType := args["fileType"].(string)
 	sid := args["sid"].(string)

@ -280,6 +337,14 @@ func NewFileHandler(w http.ResponseWriter, r *http.Request) {

 // RemoveFileHandler handles request of removing file or directory.
 func RemoveFileHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -293,6 +358,12 @@ func RemoveFileHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	path := args["path"].(string)
+	if !authWorkspace(username, path) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	sid := args["sid"].(string)

 	wSession := session.WideSessions.Get(sid)
@ -311,6 +382,14 @@ func RemoveFileHandler(w http.ResponseWriter, r *http.Request) {

 // RenameFileHandler handles request of renaming file or directory.
 func RenameFileHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -324,7 +403,19 @@ func RenameFileHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	oldPath := args["oldPath"].(string)
+	if !authWorkspace(username, oldPath) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	newPath := args["newPath"].(string)
+	if !authWorkspace(username, newPath) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	sid := args["sid"].(string)

 	wSession := session.WideSessions.Get(sid)
@ -355,6 +446,14 @@ func (f foundPaths) Less(i, j int) bool { return f[i].score > f[j].score }

 // FindHandler handles request of find files under the specified directory with the specified filename pattern.
 func FindHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+	username := httpSession.Values["username"].(string)
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -367,15 +466,13 @@ func FindHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	path := args["path"].(string) // path of selected file in file tree
-	name := args["name"].(string)
-
-	session, _ := session.HTTPSession.Get(r, "wide-session")
-	if session.IsNew {
+	if !authWorkspace(username, path) {
 		http.Error(w, "Forbidden", http.StatusForbidden)

 		return
 	}
-	username := session.Values["username"].(string)
+
+	name := args["name"].(string)

 	userWorkspace := conf.GetUserWorkspace(username)
 	workspaces := filepath.SplitList(userWorkspace)
@ -403,6 +500,13 @@ func FindHandler(w http.ResponseWriter, r *http.Request) {

 // SearchTextHandler handles request of searching files under the specified directory with the specified keyword.
 func SearchTextHandler(w http.ResponseWriter, r *http.Request) {
+	httpSession, _ := session.HTTPSession.Get(r, "wide-session")
+	if httpSession.IsNew {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+
+		return
+	}
+
 	data := map[string]interface{}{"succ": true}
 	defer util.RetJSON(w, r, data)

@ -740,3 +844,16 @@ func searchInFile(path string, text string) []*Snippet {

 	return ret
 }
+
+func authWorkspace(username, path string) bool {
+	userWorkspace := conf.GetUserWorkspace(username)
+	workspaces := filepath.SplitList(userWorkspace)
+
+	for _, workspace := range workspaces {
+		if strings.HasPrefix(path, workspace) {
+			return true
+		}
+	}
+
+	return false
+}