restrict local external recipes to superusers and restrict file path/type

This commit is contained in:
vabene1111
2025-01-18 08:57:46 +01:00
parent efcd759869
commit 36e83a9d01
3 changed files with 23 additions and 13 deletions


@@ -12,21 +12,25 @@ class Local(Provider):
@staticmethod @staticmethod
def import_all(monitor): def import_all(monitor):
if '/etc/' in monitor.path or '/root/' in monitor.path or '/mediafiles/' in monitor.path or '/usr/' in monitor.path:
return False
files = [f for f in listdir(monitor.path) if isfile(join(monitor.path, f))] files = [f for f in listdir(monitor.path) if isfile(join(monitor.path, f))]
import_count = 0 import_count = 0
for file in files: for file in files:
path = monitor.path + '/' + file if file.endswith('.pdf') or file.endswith('.png') or file.endswith('.jpg') or file.endswith('.jpeg') or file.endswith('.gif'):
if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists(): path = monitor.path + '/' + file
name = os.path.splitext(file)[0] if not Recipe.objects.filter(file_path__iexact=path, space=monitor.space).exists() and not RecipeImport.objects.filter(file_path=path, space=monitor.space).exists():
new_recipe = RecipeImport( name = os.path.splitext(file)[0]
name=name, new_recipe = RecipeImport(
file_path=path, name=name,
storage=monitor.storage, file_path=path,
space=monitor.space, storage=monitor.storage,
) space=monitor.space,
new_recipe.save() )
import_count += 1 new_recipe.save()
import_count += 1
log_entry = SyncLog( log_entry = SyncLog(
status='SUCCESS', status='SUCCESS',
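Review bot: The guard added at the top of import_all is a substring denylist (`'/etc/' in monitor.path` and three more prefixes), so it only rejects those four locations and does not normalise the path first (symlinks, `..` components, or a form without the trailing slash are not matched), which leaves every other directory on the host readable through this provider. A safer shape is to resolve the path and require it to stay inside an explicitly configured import root, e.g. `real = os.path.realpath(monitor.path)` followed by `if os.path.commonpath([real, IMPORT_ROOT]) != IMPORT_ROOT: return False`, where IMPORT_ROOT is a placeholder for a setting the project would need to add. The early `return False` also records nothing, whereas the success path below writes a SyncLog, so a rejected storage is silent; logging the rejection would help an operator notice a misconfigured monitor. import_all continues past the end of the hunk.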


@@ -80,7 +80,7 @@ class SyncUpdate(GroupRequiredMixin, UpdateView, SpaceFormMixing):
def edit_storage(request, pk): def edit_storage(request, pk):
instance: Storage = get_object_or_404(Storage, pk=pk, space=request.space) instance: Storage = get_object_or_404(Storage, pk=pk, space=request.space)
if not (instance.created_by == request.user or request.user.is_superuser): if not request.user.is_superuser:
messages.add_message(request, messages.ERROR, _('You cannot edit this storage!')) messages.add_message(request, messages.ERROR, _('You cannot edit this storage!'))
return HttpResponseRedirect(reverse('list_storage')) return HttpResponseRedirect(reverse('list_storage'))
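Review bot: The tightened superuser check on the third line of the hunk still runs after `get_object_or_404(Storage, pk=pk, space=request.space)`, so a non-superuser in the space gets a 404 for an unknown pk and a redirect for an existing one, and a database lookup is spent before the authorization decision. Moving `if not request.user.is_superuser:` together with its message and redirect above the `get_object_or_404` call makes the decision first and independent of the object. Whether the other storage views (delete, list) still rely on `created_by` is not visible here and is worth checking for consistency with this change. edit_storage continues outside the hunk.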


@@ -58,10 +58,16 @@ class StorageCreate(GroupRequiredMixin, CreateView):
obj = form.save(commit=False) obj = form.save(commit=False)
obj.created_by = self.request.user obj.created_by = self.request.user
obj.space = self.request.space obj.space = self.request.space
obj.save()
if self.request.space.demo or settings.HOSTED: if self.request.space.demo or settings.HOSTED:
messages.add_message(self.request, messages.ERROR, _('This feature is not yet available in the hosted version of tandoor!')) messages.add_message(self.request, messages.ERROR, _('This feature is not yet available in the hosted version of tandoor!'))
return redirect('index') return redirect('index')
if not self.request.user.is_superuser:
messages.add_message(self.request, messages.ERROR, _('This feature is only available for the instance administrator (superuser)'))
return redirect('index')
obj.save()
return HttpResponseRedirect(reverse('edit_storage', kwargs={'pk': obj.pk})) return HttpResponseRedirect(reverse('edit_storage', kwargs={'pk': obj.pk}))
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
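Review bot: The superuser gate added in the middle of the hunk sits inside the form-submission path, so non-superusers are only turned away after posting a valid form; the GET that renders the create form is not covered by it, assuming nothing outside this hunk blocks it. Putting the check in the view's `dispatch` (or in a `test_func` with `UserPassesTestMixin` next to `GroupRequiredMixin`) rejects both request methods in one place, e.g. `def dispatch(self, request, *args, **kwargs):` / `if not request.user.is_superuser:` / `messages.add_message(...); return redirect('index')` before delegating to `super().dispatch(...)`. The enclosing method starts before the hunk and its name is not visible here.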