CB-4123 validate project permissions

dbeaver · Oct 26, 2023 · 4ec65d9 · 4ec65d9
1 parent cb10e0e
commit 4ec65d9
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 6 deletions.
diff --git a/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/utils/WebAppUtils.java b/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/utils/WebAppUtils.java
@@ -16,9 +16,12 @@
  */
 package io.cloudbeaver.utils;
 
+import io.cloudbeaver.DBWebException;
+import io.cloudbeaver.WebProjectImpl;
 import io.cloudbeaver.auth.NoAuthCredentialsProvider;
 import io.cloudbeaver.model.app.WebApplication;
 import io.cloudbeaver.model.app.WebAuthApplication;
+import io.cloudbeaver.model.session.WebSession;
 import org.jkiss.code.NotNull;
 import org.jkiss.code.Nullable;
 import org.jkiss.dbeaver.DBException;
@@ -209,4 +212,12 @@ public static String getGlobalProjectId() {
         return RMProjectType.GLOBAL.getPrefix() + "_" + globalConfigurationName;
     }
 
+    public static WebProjectImpl getProjectById(WebSession webSession, String projectId) throws DBWebException {
+        WebProjectImpl project = webSession.getProjectById(projectId);
+        if (project == null) {
+            throw new DBWebException("Project '" + projectId + "' not found");
+        }
+        return project;
+    }
+
 }
diff --git a/...r/bundles/io.cloudbeaver.service.fs/src/io/cloudbeaver/service/fs/model/WebFSServlet.java b/...r/bundles/io.cloudbeaver.service.fs/src/io/cloudbeaver/service/fs/model/WebFSServlet.java
@@ -21,10 +21,13 @@
 import io.cloudbeaver.server.CBApplication;
 import io.cloudbeaver.service.WebServiceServletBase;
 import io.cloudbeaver.service.fs.DBWServiceFS;
+import io.cloudbeaver.utils.WebAppUtils;
 import org.eclipse.jetty.server.Request;
 import org.jkiss.code.NotNull;
 import org.jkiss.dbeaver.DBException;
 import org.jkiss.dbeaver.model.data.json.JSONUtils;
+import org.jkiss.dbeaver.model.rm.RMConstants;
+import org.jkiss.dbeaver.model.rm.RMProject;
 import org.jkiss.utils.CommonUtils;
 import org.jkiss.utils.IOUtils;
 
@@ -36,6 +39,7 @@
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.Map;
 
 public class WebFSServlet extends WebServiceServletBase {
     private static final String PARAM_PROJECT_ID = "projectId";
@@ -57,7 +61,12 @@ protected void processServiceRequest(WebSession session, HttpServletRequest requ
     }
 
     private void doGet(WebSession session, HttpServletRequest request, HttpServletResponse response) throws DBException, IOException {
-        Path path = getPath(session, request.getParameter(PARAM_PROJECT_ID), request.getParameter("fileURI"));
+        String projectId = request.getParameter(PARAM_PROJECT_ID);
+        RMProject project = WebAppUtils.getProjectById(session, projectId).getRMProject();
+        if (!project.hasProjectPermission(RMConstants.PERMISSION_PROJECT_RESOURCE_VIEW)) {
+            throw new DBWebException("The user needs more permissions to load files from File Systems.");
+        }
+        Path path = getPath(session, projectId, request.getParameter("fileURI"));
         session.addInfoMessage("Download data ...");
         response.setHeader("Content-Type", "application/octet-stream");
         response.setHeader("Content-Disposition", "attachment; filename=\"" + path.getFileName() + "\"");
@@ -69,11 +78,12 @@ private void doGet(WebSession session, HttpServletRequest request, HttpServletRe
     }
 
     private void doPost(WebSession session, HttpServletRequest request, HttpServletResponse response) throws DBException {
-        // Hack for getting request params
-        request.setAttribute(Request.__MULTIPART_CONFIG_ELEMENT, new MultipartConfigElement(""));
-        String projectId = JSONUtils.getString(getVariables(request), PARAM_PROJECT_ID);
-        String uri = JSONUtils.getString(getVariables(request), "parentURI");
-        Path path = getPath(session, projectId, uri);
+        String projectId = request.getParameter(PARAM_PROJECT_ID);
+        RMProject project = WebAppUtils.getProjectById(session, projectId).getRMProject();
+        if (!project.hasProjectPermission(RMConstants.PERMISSION_PROJECT_RESOURCE_EDIT)) {
+            throw new DBWebException("The user needs more permissions to upload files to File Systems.");
+        }
+        Path path = getPath(session, projectId, request.getParameter("parentURI"));
         // set the final location of parent folder
         request.setAttribute(Request.__MULTIPART_CONFIG_ELEMENT, new MultipartConfigElement(path.toString()));
         try {