indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Ensure that permissions are enforced when removing shared items

merge-requests/30/head
Bob Mottram 2021-07-28 21:41:57 +01:00
parent b5fc769af3
commit 7b0c9bc03d
1 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
daemon.py
View File

@ -3344,7 +3344,7 @@ class PubServer(BaseHTTPRequestHandler):
self.server.POSTbusy = False
return
if '&submitYes=' in removeShareConfirmParams:
if '&submitYes=' in removeShareConfirmParams and authorized:
removeShareConfirmParams = \
removeShareConfirmParams.replace('+', ' ').strip()
removeShareConfirmParams = \
@ -3352,15 +3352,22 @@ class PubServer(BaseHTTPRequestHandler):
shareActor = removeShareConfirmParams.split('actor=')[1]
if '&' in shareActor:
shareActor = shareActor.split('&')[0]
itemID = removeShareConfirmParams.split('itemID=')[1]
if '&' in itemID:
itemID = itemID.split('&')[0]
shareNickname = getNicknameFromActor(shareActor)
if shareNickname:
shareDomain, sharePort = getDomainFromActor(shareActor)
removeSharedItem(baseDir,
shareNickname, shareDomain, itemID,
httpPrefix, domainFull)
adminNickname = getConfigParam(baseDir, 'admin')
adminActor = \
httpPrefix + '://' + domainFull + '/users' + adminNickname
actor = originPathStr
actorNickname = getNicknameFromActor(actor)
if actor == shareActor or actor == adminActor or \
isModerator(baseDir, actorNickname):
itemID = removeShareConfirmParams.split('itemID=')[1]
if '&' in itemID:
itemID = itemID.split('&')[0]
shareNickname = getNicknameFromActor(shareActor)
if shareNickname:
shareDomain, sharePort = getDomainFromActor(shareActor)
removeSharedItem(baseDir,
shareNickname, shareDomain, itemID,
httpPrefix, domainFull)
if callingDomain.endswith('.onion') and onionDomain:
originPathStr = 'http://' + onionDomain + usersPath