Ensure that permissions are enforced when removing shared items

merge-requests/30/head
Bob Mottram 2021-07-28 21:41:57 +01:00
parent b5fc769af3
commit 7b0c9bc03d
1 changed files with 17 additions and 10 deletions


@ -3344,7 +3344,7 @@ class PubServer(BaseHTTPRequestHandler):
self.server.POSTbusy = False self.server.POSTbusy = False
return return
if '&submitYes=' in removeShareConfirmParams: if '&submitYes=' in removeShareConfirmParams and authorized:
removeShareConfirmParams = \ removeShareConfirmParams = \
removeShareConfirmParams.replace('+', ' ').strip() removeShareConfirmParams.replace('+', ' ').strip()
removeShareConfirmParams = \ removeShareConfirmParams = \
@ -3352,6 +3352,13 @@ class PubServer(BaseHTTPRequestHandler):
shareActor = removeShareConfirmParams.split('actor=')[1] shareActor = removeShareConfirmParams.split('actor=')[1]
if '&' in shareActor: if '&' in shareActor:
shareActor = shareActor.split('&')[0] shareActor = shareActor.split('&')[0]
adminNickname = getConfigParam(baseDir, 'admin')
adminActor = \
httpPrefix + '://' + domainFull + '/users' + adminNickname
actor = originPathStr
actorNickname = getNicknameFromActor(actor)
if actor == shareActor or actor == adminActor or \
isModerator(baseDir, actorNickname):
itemID = removeShareConfirmParams.split('itemID=')[1] itemID = removeShareConfirmParams.split('itemID=')[1]
if '&' in itemID: if '&' in itemID:
itemID = itemID.split('&')[0] itemID = itemID.split('&')[0]
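Review bot: The added `adminActor` line builds the URL with `'/users' + adminNickname`, which drops the slash after `users`, so `actor == adminActor` in the new permission check can never match; it should read `httpPrefix + '://' + domainFull + '/users/' + adminNickname`. As written the check fails closed, so an admin is only allowed through if `isModerator` also returns true for them, which is presumably not the intent. If `getConfigParam(baseDir, 'admin')` can return `None` when no admin is configured, the concatenation would raise inside the POST handler, so a guard such as `if adminNickname:` before building `adminActor` is worth adding. It is also worth confirming that `originPathStr` holds a full actor URL in the same form as the `actor=` form field, since the comparison `actor == shareActor` is an exact string match. The enclosing method starts and ends outside the visible hunks, so the denial path for a failed check cannot be reviewed from here.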