Home Explore Help
Sign In
221V
/
Misago
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 0.30.0.dev
Branches Tags
Misago
/
misago
/
threads
/
views
/
attachment.py

attachment.py 2.3 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. from django.templatetags.static import static
    2. 

  2. from django.core.exceptions import PermissionDenied
    3. 

  3. from django.http import Http404
    4. 

  4. from django.shortcuts import get_object_or_404, redirect
    5. 

  5. 

  6. from ...conf import settings
    7. 

  7. from ..models import Attachment, AttachmentType
    8. 

  8. 

  9. 

  10. def attachment_server(request, pk, secret, thumbnail=False):
    11. 

  11.     try:
    12. 

  12.         url = serve_file(request, pk, secret, thumbnail)
    13. 

  13.         return redirect(url)
    14. 

  14.     except PermissionDenied:
    15. 

  15.         error_image = request.settings.attachment_403_image
    16. 

  16.         if not error_image:
    17. 

  17.             error_image = static(settings.MISAGO_ATTACHMENT_403_IMAGE)
    18. 

  18.         return redirect(error_image)
    19. 

  19.     except Http404:
    20. 

  20.         error_image = request.settings.attachment_404_image
    21. 

  21.         if not error_image:
    22. 

  22.             error_image = static(settings.MISAGO_ATTACHMENT_404_IMAGE)
    23. 

  23.         return redirect(error_image)
    24. 

  24. 

  25. 

  26. def serve_file(request, pk, secret, thumbnail):
    27. 

  27.     queryset = Attachment.objects.select_related("filetype")
    28. 

  28.     attachment = get_object_or_404(queryset, pk=pk, secret=secret)
    29. 

  29. 

  30.     if not attachment.post_id and request.GET.get("shva") != "1":
    31. 

  31.         # if attachment is orphaned, don't run acl test unless explicitly told so
    32. 

  32.         # this saves user suprise of deleted attachment still showing in posts/quotes
    33. 

  33.         raise Http404()
    34. 

  34. 

  35.     if not request.user.is_staff:
    36. 

  36.         allow_file_download(request, attachment)
    37. 

  37. 

  38.     if attachment.is_image:
    39. 

  39.         if thumbnail and attachment.thumbnail:
    40. 

  40.             return attachment.thumbnail.url
    41. 

  41.         return attachment.image.url
    42. 

  42. 

  43.     if thumbnail:
    44. 

  44.         raise Http404()
    45. 

  45.     return attachment.file.url
    46. 

  46. 

  47. 

  48. def allow_file_download(request, attachment):
    49. 

  49.     is_authenticated = request.user.is_authenticated
    50. 

  50. 

  51.     if not is_authenticated or request.user.id != attachment.uploader_id:
    52. 

  52.         if not attachment.post_id:
    53. 

  53.             raise Http404()
    54. 

  54.         if not request.user_acl["can_download_other_users_attachments"]:
    55. 

  55.             raise PermissionDenied()
    56. 

  56. 

  57.     allowed_roles = set(r.pk for r in attachment.filetype.limit_downloads_to.all())
    58. 

  58.     if allowed_roles:
    59. 

  59.         user_roles = set(r.pk for r in request.user.get_roles())
    60. 

  60.         if not user_roles & allowed_roles:
    61. 

  61.             raise PermissionDenied()
    62. 

  62. 

  63.     if attachment.filetype.status == AttachmentType.DISABLED:
    64. 

  64.         raise PermissionDenied()
    65.