restrict local external recipes to superusers and restrict file path/type

2026-01-01 04:10:06 -05:00 · 2025-01-18 08:57:46 +01:00
parent efcd759869
commit 36e83a9d01
3 changed files with 23 additions and 13 deletions
--- a/cookbook/provider/local.py
+++ b/cookbook/provider/local.py
@@ -12,21 +12,25 @@ class Local(Provider):

    @staticmethod
    def import_all(monitor):
+        if '/etc/' in monitor.path or '/root/' in monitor.path or '/mediafiles/' in monitor.path or '/usr/' in monitor.path:
+            return False
+
        files = [f for f in listdir(monitor.path) if isfile(join(monitor.path, f))]

        import_count = 0
        for file in files:
-            path = monitor.path + '/' + file
-            if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists():
-                name = os.path.splitext(file)[0]
-                new_recipe = RecipeImport(
-                    name=name,
-                    file_path=path,
-                    storage=monitor.storage,
-                    space=monitor.space,
-                )
-                new_recipe.save()
-                import_count += 1
+            if file.endswith('.pdf') or file.endswith('.png') or file.endswith('.jpg') or file.endswith('.jpeg') or file.endswith('.gif'):
+                path = monitor.path + '/' + file
+                if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists():
+                    name = os.path.splitext(file)[0]
+                    new_recipe = RecipeImport(
+                        name=name,
+                        file_path=path,
+                        storage=monitor.storage,
+                        space=monitor.space,
+                    )
+                    new_recipe.save()
+                    import_count += 1

        log_entry = SyncLog(
            status='SUCCESS',
--- a/cookbook/views/edit.py
+++ b/cookbook/views/edit.py
@@ -80,7 +80,7 @@ class SyncUpdate(GroupRequiredMixin, UpdateView, SpaceFormMixing):
 def edit_storage(request, pk):
    instance: Storage = get_object_or_404(Storage, pk=pk, space=request.space)

-    if not (instance.created_by == request.user or request.user.is_superuser):
+    if not request.user.is_superuser:
        messages.add_message(request, messages.ERROR, _('You cannot edit this storage!'))
        return HttpResponseRedirect(reverse('list_storage'))

--- a/cookbook/views/new.py
+++ b/cookbook/views/new.py
@@ -58,10 +58,16 @@ class StorageCreate(GroupRequiredMixin, CreateView):
        obj = form.save(commit=False)
        obj.created_by = self.request.user
        obj.space = self.request.space
-        obj.save()
+
        if self.request.space.demo or settings.HOSTED:
            messages.add_message(self.request, messages.ERROR, _('This feature is not yet available in the hosted version of tandoor!'))
            return redirect('index')
+
+        if not self.request.user.is_superuser:
+            messages.add_message(self.request, messages.ERROR, _('This feature is only available for the instance administrator (superuser)'))
+            return redirect('index')
+
+        obj.save()
        return HttpResponseRedirect(reverse('edit_storage', kwargs={'pk': obj.pk}))

    def get_context_data(self, **kwargs):