Fixed user can download their own files

This commit is contained in:
Pünkösd Marcell 2020-11-28 23:08:07 +01:00
parent d73b63d85d
commit ed6d23c536
5 changed files with 33 additions and 20 deletions

View File

@ -4,14 +4,14 @@
<h3 class="card-header">Animation by {{ item.uploader.name }}</h3> <h3 class="card-header">Animation by {{ item.uploader.name }}</h3>
<div class="card-body"> <div class="card-body">
<h4> <h4>
<p class="card-text">{{ item.name }}</p> {{ item.name }}
</h4> </h4>
<img src="{{ url_for('ContentView:preview', id_=item.id) }}" class="card-img" style="padding: 30px" <img src="{{ url_for('ContentView:preview', id_=item.id) }}" class="card-img" style="padding: 30px"
alt="{{ item.name }}"> alt="{{ item.name }}">
<div class="card-text text-center"> <div class="card-text text-center">
{% if purchased %} {% if can_download %}
<a href="{{ url_for('ContentView:caff', id_=item.id) }}" class="btn btn-lg btn-success" <a href="{{ url_for('ContentView:caff', id_=item.id) }}" class="btn btn-lg btn-success"
target="_self">Download</a> target="_self">Download</a>
{% else %} {% else %}

View File

@ -5,3 +5,4 @@ from .storage import storage
from .md5stuffs import calculate_md5_sum_for_file, write_file_from_stream_to_file_like_while_calculating_md5 from .md5stuffs import calculate_md5_sum_for_file, write_file_from_stream_to_file_like_while_calculating_md5
from .exceptions import FileIntegrityError from .exceptions import FileIntegrityError
from .caff_previewer import create_caff_preview from .caff_previewer import create_caff_preview
from .common_queries import user_can_access_caff

View File

@ -0,0 +1,15 @@
from flask_security import current_user
from models import db, Purchase, Item
def user_can_access_caff(item: Item) -> bool:
if not current_user.is_authenticated:
return False
else:
if item.uploader == current_user:
return True
else:
p = Purchase.query.filter(
db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == item.id)).first()
return bool(p)

View File

@ -7,7 +7,9 @@ from flask_security import login_required, current_user
from utils import storage from utils import storage
from minio.error import NoSuchKey from minio.error import NoSuchKey
from models import db, Item, Purchase from utils import user_can_access_caff
from models import db, Item
class ContentView(FlaskView): class ContentView(FlaskView):
@ -29,22 +31,21 @@ class ContentView(FlaskView):
def preview(self, id_: int): def preview(self, id_: int):
i = Item.query.get_or_404(id_) i = Item.query.get_or_404(id_)
return self._stream_from_minio(current_app.config['MINIO_PREVIEW_BUCKET_NAME'], i.id) return self._stream_from_minio(current_app.config['MINIO_PREVIEW_BUCKET_NAME'], i.id)
@login_required @login_required
def caff(self, id_: int): def caff(self, id_: int):
p = Purchase.query.filter(db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == id_)).first() item = Item.query.get_or_404(id_)
if not p: if not user_can_access_caff(item):
abort(403) abort(403)
allowed_chars = string.ascii_lowercase + string.ascii_uppercase + string.digits allowed_chars = string.ascii_lowercase + string.ascii_uppercase + string.digits
filename = ''.join(filter(lambda x: x in allowed_chars, p.item.name)).lower() filename = ''.join(filter(lambda x: x in allowed_chars, item.name)).lower()
if not filename: if not filename:
filename = str(p.item.id) filename = str(item.id)
filename += f'_{p.id}.caff' filename += '.caff'
return self._stream_from_minio(current_app.config['MINIO_CAFF_BUCKET_NAME'], p.item.id, filename) return self._stream_from_minio(current_app.config['MINIO_CAFF_BUCKET_NAME'], item.id, filename)

View File

@ -3,7 +3,9 @@ from flask import render_template, request, flash, redirect, url_for, current_ap
from flask_classful import FlaskView from flask_classful import FlaskView
from flask_security import current_user, login_required from flask_security import current_user, login_required
from models import db, Comment, Item, Purchase from utils import user_can_access_caff
from models import db, Comment, Item
import bleach import bleach
""" """
@ -20,15 +22,9 @@ class ItemView(FlaskView):
def get(self, id_: int): def get(self, id_: int):
item = Item.query.get_or_404(id_) item = Item.query.get_or_404(id_)
can_download = user_can_access_caff(item)
if not current_user.is_authenticated: return render_template('item.html', item=item, can_download=can_download)
purchased = False
else:
p = Purchase.query.filter(
db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == id_)).first()
purchased = bool(p)
return render_template('item.html', item=item, purchased=purchased)
@login_required @login_required
def post(self, id_: int): def post(self, id_: int):