Fixes from test of upload restrictions

pull/1632/head
Ozzieisaacs 4 years ago
parent 8f743b70a4
commit da909ff084

@ -466,62 +466,64 @@ def edit_cc_data(book_id, book, to_save):
def upload_single_file(request, book, book_id): def upload_single_file(request, book, book_id):
# Check and handle Uploaded file # Check and handle Uploaded file
if 'btn-upload-format' in request.files: if 'btn-upload-format' in request.files:
requested_file = request.files['btn-upload-format'] requested_file = request.files['btn-upload-format']
# check for empty request # check for empty request
if requested_file.filename != '': if requested_file.filename != '':
if '.' in requested_file.filename: if not current_user.role_upload():
file_ext = requested_file.filename.rsplit('.', 1)[-1].lower() abort(403)
if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD: if '.' in requested_file.filename:
flash(_("File extension '%(ext)s' is not allowed to be uploaded to this server", ext=file_ext), file_ext = requested_file.filename.rsplit('.', 1)[-1].lower()
category="error") if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD:
flash(_("File extension '%(ext)s' is not allowed to be uploaded to this server", ext=file_ext),
category="error")
return redirect(url_for('web.show_book', book_id=book.id))
else:
flash(_('File to be uploaded must have an extension'), category="error")
return redirect(url_for('web.show_book', book_id=book.id)) return redirect(url_for('web.show_book', book_id=book.id))
else:
flash(_('File to be uploaded must have an extension'), category="error")
return redirect(url_for('web.show_book', book_id=book.id))
file_name = book.path.rsplit('/', 1)[-1] file_name = book.path.rsplit('/', 1)[-1]
filepath = os.path.normpath(os.path.join(config.config_calibre_dir, book.path)) filepath = os.path.normpath(os.path.join(config.config_calibre_dir, book.path))
saved_filename = os.path.join(filepath, file_name + '.' + file_ext) saved_filename = os.path.join(filepath, file_name + '.' + file_ext)
# check if file path exists, otherwise create it, copy file to calibre path and delete temp file # check if file path exists, otherwise create it, copy file to calibre path and delete temp file
if not os.path.exists(filepath): if not os.path.exists(filepath):
try:
os.makedirs(filepath)
except OSError:
flash(_(u"Failed to create path %(path)s (Permission denied).", path=filepath), category="error")
return redirect(url_for('web.show_book', book_id=book.id))
try: try:
os.makedirs(filepath) requested_file.save(saved_filename)
except OSError: except OSError:
flash(_(u"Failed to create path %(path)s (Permission denied).", path=filepath), category="error") flash(_(u"Failed to store file %(file)s.", file=saved_filename), category="error")
return redirect(url_for('web.show_book', book_id=book.id)) return redirect(url_for('web.show_book', book_id=book.id))
try:
requested_file.save(saved_filename)
except OSError:
flash(_(u"Failed to store file %(file)s.", file=saved_filename), category="error")
return redirect(url_for('web.show_book', book_id=book.id))
file_size = os.path.getsize(saved_filename)
is_format = calibre_db.get_book_format(book_id, file_ext.upper())
# Format entry already exists, no need to update the database file_size = os.path.getsize(saved_filename)
if is_format: is_format = calibre_db.get_book_format(book_id, file_ext.upper())
log.warning('Book format %s already existing', file_ext.upper())
else:
try:
db_format = db.Data(book_id, file_ext.upper(), file_size, file_name)
calibre_db.session.add(db_format)
calibre_db.session.commit()
calibre_db.update_title_sort(config)
except OperationalError as e:
calibre_db.session.rollback()
log.error('Database error: %s', e)
flash(_(u"Database error: %(error)s.", error=e), category="error")
return redirect(url_for('web.show_book', book_id=book.id))
# Queue uploader info # Format entry already exists, no need to update the database
uploadText=_(u"File format %(ext)s added to %(book)s", ext=file_ext.upper(), book=book.title) if is_format:
worker.add_upload(current_user.nickname, log.warning('Book format %s already existing', file_ext.upper())
"<a href=\"" + url_for('web.show_book', book_id=book.id) + "\">" + uploadText + "</a>") else:
try:
db_format = db.Data(book_id, file_ext.upper(), file_size, file_name)
calibre_db.session.add(db_format)
calibre_db.session.commit()
calibre_db.update_title_sort(config)
except OperationalError as e:
calibre_db.session.rollback()
log.error('Database error: %s', e)
flash(_(u"Database error: %(error)s.", error=e), category="error")
return redirect(url_for('web.show_book', book_id=book.id))
# Queue uploader info
uploadText=_(u"File format %(ext)s added to %(book)s", ext=file_ext.upper(), book=book.title)
worker.add_upload(current_user.nickname,
"<a href=\"" + url_for('web.show_book', book_id=book.id) + "\">" + uploadText + "</a>")
return uploader.process( return uploader.process(
saved_filename, *os.path.splitext(requested_file.filename), saved_filename, *os.path.splitext(requested_file.filename),
rarExecutable=config.config_rarfile_location) rarExecutable=config.config_rarfile_location)
def upload_cover(request, book): def upload_cover(request, book):
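Review bot: The new `role_upload()` guard rejects with a bare `abort(403)`, while every other rejection in upload_single_file does `flash(...)` followed by `return redirect(url_for('web.show_book', book_id=book.id))`; since this is a browser form post, the unauthorized case would be more consistent handled the same way, or at least carry a comment such as `# hard stop: the template hides the upload controls, 403 is the server-side backstop`. The guard is also nested under `if requested_file.filename != ''`, so it runs only after Werkzeug has already buffered the upload; that is inherent to request.files, but moving the check above `if 'btn-upload-format' in request.files` would avoid any per-file work for an unprivileged user. The extension check right after it still derives `file_ext` from the client-supplied filename and, when `''` is in `constants.EXTENSIONS_UPLOAD`, joins it unvalidated into `saved_filename`; if Werkzeug does not strip path separators from `filename` here, that allow-all mode lets `file_ext` carry `/` or `..`, so rejecting separators in `file_ext` (or running it through `secure_filename`) would be a cheap addition next to the new check.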
@ -529,6 +531,8 @@ def upload_cover(request, book):
requested_file = request.files['btn-upload-cover'] requested_file = request.files['btn-upload-cover']
# check for empty request # check for empty request
if requested_file.filename != '': if requested_file.filename != '':
if not current_user.role_upload():
abort(403)
ret, message = helper.save_cover(requested_file, book.path) ret, message = helper.save_cover(requested_file, book.path)
if ret is True: if ret is True:
return True return True
@ -609,6 +613,8 @@ def edit_book(book_id):
if not error: if not error:
if to_save["cover_url"]: if to_save["cover_url"]:
if not current_user.role_upload() and to_save["cover_url"] != "":
return "", (403)
result, error = helper.save_cover_from_url(to_save["cover_url"], book.path) result, error = helper.save_cover_from_url(to_save["cover_url"], book.path)
if result is True: if result is True:
book.has_cover = 1 book.has_cover = 1
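Review bot: The added condition `to_save["cover_url"] != ""` is redundant: it sits inside `if to_save["cover_url"]:`, which is already false for the empty string, so the guard can simply be `if not current_user.role_upload(): abort(403)`. Returning `"", (403)` also differs from the sibling checks this commit adds to upload_single_file and upload_cover, which use `abort(403)`; picking one convention keeps callers of edit_book from seeing an empty body on one path and a redirect or rendered page on the others. Gating the URL fetch behind the upload role is the right call, since `helper.save_cover_from_url` presumably makes a server-side request to a user-chosen URL; a one-line comment saying that is why this text field is treated like an upload would help the next reader. The enclosing edit_book starts and ends outside this hunk.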

@ -92,15 +92,19 @@
<label for="rating">{{_('Rating')}}</label> <label for="rating">{{_('Rating')}}</label>
<input type="number" name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}"> <input type="number" name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}">
</div> </div>
{% if g.user.role_upload() or g.user.role_admin()%}
{% if g.allow_upload %}
<div class="form-group"> <div class="form-group">
<label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label> <label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label>
<input type="text" class="form-control" name="cover_url" id="cover_url" value=""> <input type="text" class="form-control" name="cover_url" id="cover_url" value="">
</div> </div>
<div class="form-group" aria-label="Upload cover from local drive"> <div class="form-group" aria-label="Upload cover from local drive">
<label class="btn btn-primary btn-file" for="btn-upload-cover">{{ _('Upload Cover from Local Disk') }}</label> <label class="btn btn-primary btn-file" for="btn-upload-cover">{{ _('Upload Cover from Local Disk') }}</label>
<div class="upload-cover-input-text" id="upload-cover"></div> <div class="upload-cover-input-text" id="upload-cover"></div>
<input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp"> <input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp">
</div> </div>
{% endif %}
{% endif %}
<div class="form-group"> <div class="form-group">
<label for="pubdate">{{_('Published Date')}}</label> <label for="pubdate">{{_('Published Date')}}</label>
<div style="position: relative"> <div style="position: relative">
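Review bot: The template now shows the cover controls to `g.user.role_upload() or g.user.role_admin()`, but the server-side checks this commit adds to upload_cover and to the cover_url branch of edit_book test only `current_user.role_upload()`; unless role_admin() implies role_upload() elsewhere, an admin without the upload role sees the buttons and then receives a 403 on submit. Either drop `or g.user.role_admin()` here or apply the same disjunction server side, keeping in mind that the template gate is only convenience and the server check is the actual control. The surrounding form runs past both edges of the hunk.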
