From 36e83a9d0108ac56b9538b45ead57efc8b97c5ff Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Sat, 18 Jan 2025 08:57:46 +0100
Subject: [PATCH] restrict local external recipes to superusers and restrict file path/type
---
 cookbook/provider/local.py | 26 +++++++++++++++-----------
 cookbook/views/edit.py | 2 +-
 cookbook/views/new.py | 8 +++++++-
 3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/cookbook/provider/local.py b/cookbook/provider/local.py
index 9f3d21005..54ce50ab8 100644
--- a/cookbook/provider/local.py
+++ b/cookbook/provider/local.py
@@ -12,21 +12,25 @@ class Local(Provider):
 @staticmethod
 def import_all(monitor):
+ if '/etc/' in monitor.path or '/root/' in monitor.path or '/mediafiles/' in monitor.path or '/usr/' in monitor.path:
+ return False
+
 files = [f for f in listdir(monitor.path) if isfile(join(monitor.path, f))]
 import_count = 0
 for file in files:
- path = monitor.path + '/' + file
- if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists():
- name = os.path.splitext(file)[0]
- new_recipe = RecipeImport(
- name=name,
- file_path=path,
- storage=monitor.storage,
- space=monitor.space,
- )
- new_recipe.save()
- import_count += 1
+ if file.endswith('.pdf') or file.endswith('.png') or file.endswith('.jpg') or file.endswith('.jpeg') or file.endswith('.gif'):
+ path = monitor.path + '/' + file
+ if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists():
+ name = os.path.splitext(file)[0]
+ new_recipe = RecipeImport(
+ name=name,
+ file_path=path,
+ storage=monitor.storage,
+ space=monitor.space,
+ )
+ new_recipe.save()
+ import_count += 1
 log_entry = SyncLog(
 status='SUCCESS',
diff --git a/cookbook/views/edit.py b/cookbook/views/edit.py
index bcd874d83..aee28e34f 100644
--- a/cookbook/views/edit.py
+++ b/cookbook/views/edit.py
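Review bot: The guard added at the top of `import_all` in cookbook/provider/local.py is a substring deny-list (`'/etc/' in monitor.path or ...`), which is the wrong shape for a path restriction: every directory not on the list stays readable, and a path that reaches a listed location through a symlink, a `..` segment or a differently written prefix is not matched. Resolve `monitor.path` with `os.path.realpath` and require it to lie under one configured allowed root, as in the excerpt below; no such setting is on this page, so it appears as a placeholder. The rejection branch also returns `False` without writing a `SyncLog` entry (only the `status='SUCCESS'` entry further down exists), so a blocked path is silent unless the caller, which is outside the hunk, reports it. The new extension filter is a case-sensitive suffix test, so `file.lower().endswith(('.pdf', '.png', '.jpg', '.jpeg', '.gif'))` is the idiomatic form, and it checks the file name only, not its content. `import_all` continues past the end of the hunk.
```python
    @staticmethod
    def import_all(monitor):
        # Allow-list the import root instead of deny-listing path substrings:
        # resolve symlinks and '..' first, then require the path to lie below the root.
        allowed_root = os.path.realpath(ALLOWED_IMPORT_ROOT)  # placeholder: the configured root setting is not on this page
        real_path = os.path.realpath(monitor.path)
        if os.path.commonpath([allowed_root, real_path]) != allowed_root:
            return False

        # … unchanged: file listing, extension filter and RecipeImport creation …
```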
@@ -80,7 +80,7 @@ class SyncUpdate(GroupRequiredMixin, UpdateView, SpaceFormMixing):
 def edit_storage(request, pk):
 instance: Storage = get_object_or_404(Storage, pk=pk, space=request.space)
- if not (instance.created_by == request.user or request.user.is_superuser):
+ if not request.user.is_superuser:
 messages.add_message(request, messages.ERROR, _('You cannot edit this storage!'))
 return HttpResponseRedirect(reverse('list_storage'))
diff --git a/cookbook/views/new.py b/cookbook/views/new.py
index 8a6f7bab4..44e18997a 100644
--- a/cookbook/views/new.py
+++ b/cookbook/views/new.py
@@ -58,10 +58,16 @@ class StorageCreate(GroupRequiredMixin, CreateView):
 obj = form.save(commit=False)
 obj.created_by = self.request.user
 obj.space = self.request.space
- obj.save()
+
 if self.request.space.demo or settings.HOSTED:
 messages.add_message(self.request, messages.ERROR, _('This feature is not yet available in the hosted version of tandoor!'))
 return redirect('index')
+
+ if not self.request.user.is_superuser:
+ messages.add_message(self.request, messages.ERROR, _('This feature is only available for the instance administrator (superuser)'))
+ return redirect('index')
+
+ obj.save()
 return HttpResponseRedirect(reverse('edit_storage', kwargs={'pk': obj.pk}))
 def get_context_data(self, **kwargs):
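Review bot: The denial message in `edit_storage` still reads `_('You cannot edit this storage!')` although the condition is now superuser-only, so a storage's creator gets no hint why access they previously had is gone; reusing the wording this same patch adds in new.py, `_('This feature is only available for the instance administrator (superuser)')`, keeps the two checks consistent. Tightening only the edit path also raises the question of whether listing, deleting or syncing a storage elsewhere still keys on `created_by`; those views are not in this patch, so that cannot be confirmed here. `edit_storage` continues past the end of the hunk.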
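Review bot: The new superuser check in `StorageCreate` sits in the form-handling method after `form.save(commit=False)` and the attribute assignments, so a non-superuser can still GET the create form and only learns of the restriction on submit; the demo/HOSTED branch has the same late placement. Moving both checks into a `dispatch` override rejects the request before the form is rendered or bound, as in the excerpt below; `GroupRequiredMixin`'s own `dispatch` is not on this page, so confirm the order in which the two gates should run before the `super()` call, and that `request.space` is already populated at that point. Moving `obj.save()` below both checks is correct as committed and is not changed here. The enclosing method begins before the hunk.
```python
class StorageCreate(GroupRequiredMixin, CreateView):
    # … unchanged: view attributes …

    def dispatch(self, request, *args, **kwargs):
        # Gate the whole view (GET and POST), not only the successful form submission.
        if request.space.demo or settings.HOSTED:
            messages.add_message(request, messages.ERROR, _('This feature is not yet available in the hosted version of tandoor!'))
            return redirect('index')
        if not request.user.is_superuser:
            messages.add_message(request, messages.ERROR, _('This feature is only available for the instance administrator (superuser)'))
            return redirect('index')
        return super().dispatch(request, *args, **kwargs)

    # … unchanged: form handling now reduced to save obj and redirect to edit_storage …
```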