~azzar1/unity/add-show-desktop-key

Viewing changes to www/common/studpath.py

  • Committer: mattgiuca
  • Date: 2008-01-22 02:16:13 UTC
  • Revision ID: svn-v3-trunk0:2b9c9e99-6f39-0410-b283-7f802c844ae2:trunk:262
studpath: Added "authorize" function which checks the logged in user against
the path they are trying to access.
fileservice, server, download: Call authorize before doing anything.
    Note: server does a bit more because in public mode it checks svn status
    instead of calling studpath.authorize (NYI).

21
21
 
22
22
# Provides functions for translating URLs into physical locations in the
23
23
# student directories in the local file system.
 
24
# Also performs common authorization, disallowing students from visiting paths
 
25
# they dont own.
24
26
 
25
27
import os
26
28
 
93
95
    path = os.path.join('home', urlpath)
94
96
 
95
97
    return (user, jail, path)
 
98
 
 
99
def authorize(req):
 
100
    """Given a request, checks whether req.username is allowed to
 
101
    access req.path. Returns None on authorization success. Raises
 
102
    HTTP_FORBIDDEN on failure.
 
103
 
 
104
    This is for general authorization (assuming not in public mode; this is
 
105
    the standard auth code for fileservice, download and serve).
 
106
    """
 
107
    # TODO: Groups
 
108
    # First normalise the path
 
109
    urlpath = os.path.normpath(req.path)
 
110
    # Now if it begins with ".." or separator, then it's illegal
 
111
    if urlpath.startswith("..") or urlpath.startswith(os.sep):
 
112
        req.throw_error(req.HTTP_FORBIDDEN)
 
113
 
 
114
    (owner, _) = util.split_path(urlpath)
 
115
    if req.username != owner:
 
116
        req.throw_error(req.HTTP_FORBIDDEN)
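
Review bot: The normalised path computed on line 109 (`urlpath = os.path.normpath(req.path)`) is used only for the check and then discarded, so the path that is authorised and the path a caller later opens are not guaranteed to be the same string. fileservice, server and download will derive the file location from `req.path` again, and the translation function above (the one ending in `return (user, jail, path)`) shows `os.path.join('home', urlpath)` with no normalisation visible in this diff. Consider returning the normalised path from authorize(), or doing the check inside the translation function, so both steps work on one value. On line 111, `urlpath.startswith("..")` is a string-prefix test, not a path-component test, so it also rejects any first component that merely begins with two dots; comparing the first component to `os.pardir` states the intent exactly. `os.path.normpath` is purely lexical and does not resolve symlinks, so a link inside the owner's directory is outside what this check covers; a comment next to `# TODO: Groups` saying whether the jail is relied on for that would help. Also, the hunk calls `util.split_path` while the only import visible here is `import os`; please confirm `util` is imported in the unchanged part of the file, and that `req.throw_error` always raises, since line 114 runs unconditionally after line 112.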