X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/a1d59523f422c3674a39b0d65ea2c97acca7ede8..e6dc550637caaf1099fe8b5f213b7337b9b2f42d:/apps/fileupload/views.py
diff --git a/apps/fileupload/views.py b/apps/fileupload/views.py
index ab719a19..89ccf081 100644
--- a/apps/fileupload/views.py
+++ b/apps/fileupload/views.py
@@ -1,11 +1,16 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of MIL/PEER, licensed under GNU Affero GPLv3 or later.
+# Copyright © Fundacja Nowoczesna Polska. See NOTICE for more information.
+#
 import json
 import os
 from urllib import quote
 from django.conf import settings
-from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden, Http404
+from django.http import HttpResponse, Http404
 from django.utils.decorators import method_decorator
 from django.views.decorators.vary import vary_on_headers
-from django.views.generic import FormView, View
+from django.views.generic import FormView
 from .forms import UploadForm
@@ -31,7 +36,26 @@ class JSONResponse(HttpResponse):
 super(JSONResponse, self).__init__(content, mimetype, *args, **kwargs)
-class UploadView(FormView):
+class UploadViewMixin(object):
+ def get_safe_path(self, filename=""):
+ """Finds absolute filesystem path of the browsed dir of file.
+
+ Makes sure it's inside MEDIA_ROOT.
+
+ """
+ path = os.path.abspath(os.path.join(
+ settings.MEDIA_ROOT,
+ self.get_directory(),
+ filename))
+ if not path.startswith(os.path.abspath(settings.MEDIA_ROOT)):
+ raise Http404
+ if filename:
+ if not path.startswith(self.get_safe_path()):
+ raise Http404
+ return path
+
+
+class UploadView(UploadViewMixin, FormView):
 template_name = "fileupload/picture_form.html"
 form_class = UploadForm
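Review bot: The containment check in the added `UploadViewMixin.get_safe_path` is a bare string-prefix test, so any sibling path that merely begins with the same characters passes it: with `MEDIA_ROOT = "/srv/media"`, a resolved path of `/srv/media_old/x` satisfies `path.startswith(os.path.abspath(settings.MEDIA_ROOT))`, and in the `if filename:` branch a `filename` of `../<dir>2/x` resolves under the sibling directory `<dir>2` yet passes `path.startswith(self.get_safe_path())`. Comparing against the root (and the browsed directory) with a trailing `os.sep` appended, while still accepting the exact root itself, closes both gaps without changing the signature or the `Http404` contract. `os.path.abspath` also leaves symlinks unresolved; if the media tree can contain symlinks, `os.path.realpath` would be the safer normalisation, though that depends on how the tree is populated and is not visible here. The rest of `UploadView`'s body lies outside this hunk.
```python
    def get_safe_path(self, filename=""):
        # … unchanged: docstring …
        root = os.path.abspath(settings.MEDIA_ROOT)
        path = os.path.abspath(os.path.join(root, self.get_directory(), filename))
        # Prefix test must stop at a path separator; "/srv/media" must not admit "/srv/media_old".
        if path != root and not path.startswith(root + os.sep):
            raise Http404
        if filename:
            parent = self.get_safe_path()
            # Same separator-aware test against the browsed directory, so "../<dir>2/x" is rejected.
            if not path.startswith(parent + os.sep):
                raise Http404
        return path
```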
@@ -60,7 +84,7 @@ class UploadView(FormView):
 directory = os.path.dirname(directory)
 now_path = (os.path.dirname(now_path))
 while directory:
- crumbs.insert(0, (os.path.basename(directory), now_path+'/'))
+ crumbs.insert(0, (os.path.basename(directory), now_path + '/'))
 directory = os.path.dirname(directory)
 now_path = os.path.dirname(now_path)
 crumbs.insert(0, ('media', now_path))
@@ -68,23 +92,6 @@ class UploadView(FormView):
 crumbs = [('media',)]
 return crumbs
- def get_safe_path(self, filename=""):
- """Finds absolute filesystem path of the browsed dir of file.
-
- Makes sure it's inside MEDIA_ROOT.
-
- """
- path = os.path.abspath(os.path.join(
- settings.MEDIA_ROOT,
- self.get_directory(),
- filename))
- if not path.startswith(os.path.abspath(settings.MEDIA_ROOT)):
- raise Http404
- if filename:
- if not path.startswith(self.get_safe_path()):
- raise Http404
- return path
-
 def get_url(self, filename):
 """Finds URL of a file in browsed dir."""
 return settings.MEDIA_URL + self.get_directory() + quote(filename.encode('utf-8'))
@@ -116,7 +123,6 @@ class UploadView(FormView):
 quote(f.encode('utf-8'))),
 'delete_type': "DELETE"
 })
- thumbnail_url = thumbnail(self.get_directory() + f),
 files.append(file_info)
 return JSONResponse(files)
 else:
@@ -136,9 +142,9 @@ class UploadView(FormView):
 'name': f.name,
 'url': self.get_url(f.name),
 'thumbnail_url': thumbnail(self.get_directory() + f.name),
- 'delete_url': "%s?file=%s" % (
- self.request.get_full_path(),
- quote(f.name.encode('utf-8'))),
+ 'delete_url': "%s?file=%s" % (
+ self.request.get_full_path(),
+ quote(f.name.encode('utf-8'))),
 'delete_type': "DELETE"
 })
 response = JSONResponse(data)