diff --git a/file/files.go b/file/files.go index 352c7ac..f847382 100644 --- a/file/files.go +++ b/file/files.go @@ -74,16 +74,16 @@ func initAPINode() { // The Go API source code package also as a child node, // so that users can easily view the Go API source code in file tree. func GetFilesHandler(w http.ResponseWriter, r *http.Request) { - data := map[string]interface{}{"succ": true} - defer util.RetGzJSON(w, r, data) - - session, _ := session.HTTPSession.Get(r, "wide-session") - if session.IsNew { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { http.Error(w, "Forbidden", http.StatusForbidden) return } - username := session.Values["username"].(string) + username := httpSession.Values["username"].(string) + + data := map[string]interface{}{"succ": true} + defer util.RetGzJSON(w, r, data) userWorkspace := conf.GetUserWorkspace(username) workspaces := filepath.SplitList(userWorkspace) @@ -123,9 +123,23 @@ func GetFilesHandler(w http.ResponseWriter, r *http.Request) { // RefreshDirectoryHandler handles request of refresh a directory of file tree. func RefreshDirectoryHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + r.ParseForm() path := r.FormValue("path") + if !authWorkspace(username, path) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + node := Node{Name: "root", Path: path, IconSkin: "ico-ztree-dir ", Type: "d", Children: []*Node{}} walk(path, &node, true, true, false) 
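Review bot: `username := httpSession.Values["username"].(string)` is a single-value type assertion, so a session that is not new but carries no username (or a non-string one) panics inside the handler instead of answering 403; whether the login flow guarantees the key is always set is not visible here. Use the two-value form and treat a miss as unauthenticated: `username, ok := httpSession.Values["username"].(string)` / `if !ok { http.Error(w, "Forbidden", http.StatusForbidden); return }`. The same assertion is copied into every handler this commit touches, so a small helper returning `(string, bool)` would keep the checks consistent. Separately, `r.ParseForm()` in RefreshDirectoryHandler still discards its error; a malformed form then yields an empty `path`, which `authWorkspace` rejects, so the outcome is safe but indistinguishable from a real authorization failure for the client.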
@@ -142,6 +156,14 @@ func RefreshDirectoryHandler(w http.ResponseWriter, r *http.Request) { // GetFileHandler handles request of opening file by editor. func GetFileHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -156,6 +178,12 @@ func GetFileHandler(w http.ResponseWriter, r *http.Request) { path := args["path"].(string) + if !authWorkspace(username, path) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + size := util.File.GetFileSize(path) if size > 5242880 { // 5M data["succ"] = false @@ -201,6 +229,14 @@ func GetFileHandler(w http.ResponseWriter, r *http.Request) { // SaveFileHandler handles request of saving file. func SaveFileHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -216,6 +252,12 @@ func SaveFileHandler(w http.ResponseWriter, r *http.Request) { filePath := args["file"].(string) sid := args["sid"].(string) + if !authWorkspace(username, filePath) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + fout, err := os.Create(filePath) if nil != err { 
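Review bot: In GetFileHandler and SaveFileHandler the new `authWorkspace` rejection calls `http.Error` while `defer util.RetJSON(w, r, data)` is already armed, so after the 403 body has been written the deferred call (assuming it writes `data` to `w`, as its name and the existing `data["succ"] = false` pattern suggest) appends `{"succ":true}` to the same response and net/http logs a superfluous WriteHeader. GetFilesHandler in the first hunk moved its `data`/`defer` lines below the session check for exactly this reason, but here the path check must run after the body is decoded, so the defer cannot simply be moved. Report the failure through the existing channel instead: `data["succ"] = false` / `data["msg"] = "Forbidden"` / `return` (a real 403 status would require `RetJSON` to accept a status code). The same ordering problem applies to the `authWorkspace` checks added to NewFileHandler, RemoveFileHandler, RenameFileHandler and FindHandler in the later hunks.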
@@ -243,6 +285,14 @@ func SaveFileHandler(w http.ResponseWriter, r *http.Request) { // NewFileHandler handles request of creating file or directory. func NewFileHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -256,6 +306,13 @@ func NewFileHandler(w http.ResponseWriter, r *http.Request) { } path := args["path"].(string) + + if !authWorkspace(username, path) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + fileType := args["fileType"].(string) sid := args["sid"].(string) @@ -280,6 +337,14 @@ func NewFileHandler(w http.ResponseWriter, r *http.Request) { // RemoveFileHandler handles request of removing file or directory. func RemoveFileHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -293,6 +358,12 @@ func RemoveFileHandler(w http.ResponseWriter, r *http.Request) { } path := args["path"].(string) + if !authWorkspace(username, path) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + sid := args["sid"].(string) wSession := session.WideSessions.Get(sid) 
@@ -311,6 +382,14 @@ func RemoveFileHandler(w http.ResponseWriter, r *http.Request) { // RenameFileHandler handles request of renaming file or directory. func RenameFileHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -324,7 +403,19 @@ func RenameFileHandler(w http.ResponseWriter, r *http.Request) { } oldPath := args["oldPath"].(string) + if !authWorkspace(username, oldPath) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + newPath := args["newPath"].(string) + if !authWorkspace(username, newPath) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + sid := args["sid"].(string) wSession := session.WideSessions.Get(sid) @@ -355,6 +446,14 @@ func (f foundPaths) Less(i, j int) bool { return f[i].score > f[j].score } // FindHandler handles request of find files under the specified directory with the specified filename pattern. func FindHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + username := httpSession.Values["username"].(string) + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) 
@@ -367,15 +466,13 @@ func FindHandler(w http.ResponseWriter, r *http.Request) { } path := args["path"].(string) // path of selected file in file tree - name := args["name"].(string) - - session, _ := session.HTTPSession.Get(r, "wide-session") - if session.IsNew { + if !authWorkspace(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return } - username := session.Values["username"].(string) + + name := args["name"].(string) userWorkspace := conf.GetUserWorkspace(username) workspaces := filepath.SplitList(userWorkspace) @@ -403,6 +500,13 @@ func FindHandler(w http.ResponseWriter, r *http.Request) { // SearchTextHandler handles request of searching files under the specified directory with the specified keyword. func SearchTextHandler(w http.ResponseWriter, r *http.Request) { + httpSession, _ := session.HTTPSession.Get(r, "wide-session") + if httpSession.IsNew { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + data := map[string]interface{}{"succ": true} defer util.RetJSON(w, r, data) @@ -740,3 +844,16 @@ func searchInFile(path string, text string) []*Snippet { return ret } + +func authWorkspace(username, path string) bool { + userWorkspace := conf.GetUserWorkspace(username) + workspaces := filepath.SplitList(userWorkspace) + + for _, workspace := range workspaces { + if strings.HasPrefix(path, workspace) { + return true + } + } + + return false +}
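Review bot: SearchTextHandler gains the session gate but, unlike every sibling handler in this commit, no `username` is read and no `authWorkspace` call is visible; its doc comment says it searches under a caller-specified directory, so if that directory comes from the request body (decoded outside this hunk, which continues past the visible lines) an authenticated user can still search any readable path on the server. Add the same check once the path argument is decoded: `username := httpSession.Values["username"].(string)` followed by `if !authWorkspace(username, path) { ... }`, mirroring FindHandler above. If the directory is instead derived from the user's own workspace, a comment saying so would stop the next reader from re-raising this.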
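Review bot: `authWorkspace` compares the raw request path with `strings.HasPrefix`, so a path such as `<workspace>/../<other>/secret` passes the check and is then handed to `os.Create` and `walk` in the callers (and presumably to the remove/rename code outside the hunks), which resolve the `..` on the filesystem; the prefix test also accepts a sibling directory whose name merely starts with the workspace name (`/ws/alice` vs `/ws/alice2`). Clean the path first and require either equality or a separator-delimited prefix, and skip empty entries from `filepath.SplitList` (an empty workspace string makes `HasPrefix` accept everything). Symlinks inside a workspace would still escape a lexical check; if users can create them, `filepath.EvalSymlinks` on both sides is needed as well, which the rewrite below does not attempt. Cleaning inside the helper is enough to reject the traversal even though callers keep using the raw path.

```go
func authWorkspace(username, path string) bool {
	// Normalise lexically first so "ws/../other" cannot satisfy the prefix test.
	path = filepath.Clean(path)

	for _, workspace := range filepath.SplitList(conf.GetUserWorkspace(username)) {
		if workspace == "" {
			continue // an empty entry would make HasPrefix accept every path
		}
		workspace = filepath.Clean(workspace)

		// Either the workspace root itself or something strictly below it;
		// the trailing separator stops "/ws/alice2" matching "/ws/alice".
		if path == workspace || strings.HasPrefix(path, workspace+string(filepath.Separator)) {
			return true
		}
	}

	return false
}
```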