Ensure that permissions are enforced when removing shared items

merge-requests/30/head
Bob Mottram 2021-07-28 21:41:57 +01:00
parent b5fc769af3
commit 7b0c9bc03d
1 changed files with 17 additions and 10 deletions


@ -3344,7 +3344,7 @@ class PubServer(BaseHTTPRequestHandler):
self.server.POSTbusy = False self.server.POSTbusy = False
return return
if '&submitYes=' in removeShareConfirmParams: if '&submitYes=' in removeShareConfirmParams and authorized:
removeShareConfirmParams = \ removeShareConfirmParams = \
removeShareConfirmParams.replace('+', ' ').strip() removeShareConfirmParams.replace('+', ' ').strip()
removeShareConfirmParams = \ removeShareConfirmParams = \
@ -3352,15 +3352,22 @@ class PubServer(BaseHTTPRequestHandler):
shareActor = removeShareConfirmParams.split('actor=')[1] shareActor = removeShareConfirmParams.split('actor=')[1]
if '&' in shareActor: if '&' in shareActor:
shareActor = shareActor.split('&')[0] shareActor = shareActor.split('&')[0]
itemID = removeShareConfirmParams.split('itemID=')[1] adminNickname = getConfigParam(baseDir, 'admin')
if '&' in itemID: adminActor = \
itemID = itemID.split('&')[0] httpPrefix + '://' + domainFull + '/users' + adminNickname
shareNickname = getNicknameFromActor(shareActor) actor = originPathStr
if shareNickname: actorNickname = getNicknameFromActor(actor)
shareDomain, sharePort = getDomainFromActor(shareActor) if actor == shareActor or actor == adminActor or \
removeSharedItem(baseDir, isModerator(baseDir, actorNickname):
shareNickname, shareDomain, itemID, itemID = removeShareConfirmParams.split('itemID=')[1]
httpPrefix, domainFull) if '&' in itemID:
itemID = itemID.split('&')[0]
shareNickname = getNicknameFromActor(shareActor)
if shareNickname:
shareDomain, sharePort = getDomainFromActor(shareActor)
removeSharedItem(baseDir,
shareNickname, shareDomain, itemID,
httpPrefix, domainFull)
if callingDomain.endswith('.onion') and onionDomain: if callingDomain.endswith('.onion') and onionDomain:
originPathStr = 'http://' + onionDomain + usersPath originPathStr = 'http://' + onionDomain + usersPath
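Review bot: The admin branch of the new permission check can never match, because `adminActor` is built as `httpPrefix + '://' + domainFull + '/users' + adminNickname` with no slash before the nickname; it should end in `'/users/' + adminNickname`. If `getConfigParam(baseDir, 'admin')` can return nothing when no admin is configured (not visible here), that concatenation would raise inside the POST handler, so guard it with `if adminNickname:` before building the actor. The comparison `actor == shareActor` takes `shareActor` from the submitted form and `actor` from `originPathStr`, which is assigned outside this hunk; the check is only as strong as the binding between `originPathStr` and the authenticated account, so a comment stating where that binding is established would help. A refused removal currently falls straight through to the redirect, so consider logging the denied actor and item ID so that such attempts are visible to operators. The enclosing method starts and ends outside the visible hunks.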