Главная Обзор Помощь
Вход
221V
/
Misago
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: f23e09c835
Ветки Метки
Misago
/
misago
/
threads
/
views
/
attachment.py

attachment.py 2.2 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. from __future__ import unicode_literals
    2. 

  2. 

  3. import os
    4. 

  4. 

  5. from django.core.exceptions import PermissionDenied
    6. 

  6. from django.db.models import F
    7. 

  7. from django.http import Http404
    8. 

  8. from django.shortcuts import get_object_or_404, redirect
    9. 

  9. 

  10. from misago.conf import settings
    11. 

  11. 

  12. from ..models import Attachment, AttachmentType
    13. 

  13. 

  14. 

  15. ATTACHMENT_404_URL = ''.join((settings.STATIC_URL, settings.MISAGO_404_IMAGE))
    16. 

  16. ATTACHMENT_403_URL = ''.join((settings.STATIC_URL, settings.MISAGO_403_IMAGE))
    17. 

  17. 

  18. 

  19. def attachment_server(request, pk, secret, thumbnail=False):
    20. 

  20.     try:
    21. 

  21.         url = serve_file(request, pk, secret, thumbnail)
    22. 

  22.         return redirect(url)
    23. 

  23.     except Http404:
    24. 

  24.         return redirect(ATTACHMENT_404_URL)
    25. 

  25.     except PermissionDenied:
    26. 

  26.         return redirect(ATTACHMENT_403_URL)
    27. 

  27. 

  28. 

  29. def serve_file(request, pk, secret, thumbnail):
    30. 

  30.     queryset = Attachment.objects.select_related('filetype')
    31. 

  31.     attachment = get_object_or_404(queryset, pk=pk, secret=secret)
    32. 

  32. 

  33.     if not attachment.post_id and request.GET.get('shva') != '1':
    34. 

  34.         # if attachment is orphaned, don't run acl test unless explictly told so
    35. 

  35.         # this saves user suprise of deleted attachment still showing in posts/quotes
    36. 

  36.         raise Http404()
    37. 

  37. 

  38.     if not request.user.is_staff:
    39. 

  39.         allow_file_download(request, attachment)
    40. 

  40. 

  41.     if attachment.is_image:
    42. 

  42.         if thumbnail:
    43. 

  43.             return attachment.thumbnail.url
    44. 

  44.         else:
    45. 

  45.             return attachment.image.url
    46. 

  46.     else:
    47. 

  47.         if thumbnail:
    48. 

  48.             raise Http404()
    49. 

  49.         else:
    50. 

  50.             return attachment.file.url
    51. 

  51. 

  52. 

  53. def allow_file_download(request, attachment):
    54. 

  54.     is_authenticated = request.user.is_authenticated()
    55. 

  55. 

  56.     if not is_authenticated or request.user.id != attachment.uploader_id:
    57. 

  57.         if not attachment.post_id:
    58. 

  58.             raise Http404()
    59. 

  59.         if not request.user.acl['can_download_other_users_attachments']:
    60. 

  60.             raise PermissionDenied()
    61. 

  61. 

  62.     allowed_roles = set(r.pk for r in attachment.filetype.limit_downloads_to.all())
    63. 

  63.     if allowed_roles:
    64. 

  64.         user_roles = set(r.pk for r in request.user.get_roles())
    65. 

  65.         if not user_roles & allowed_roles:
    66. 

  66.             raise PermissionDenied()
    67. 

  67. 

  68.     if attachment.filetype.status == AttachmentType.DISABLED:
    69. 

  69.         raise PermissionDenied()
    70.