Fixes from test of upload restrictions

pull/1632/head
Ozzieisaacs 4 years ago
parent 8f743b70a4
commit da909ff084

@ -469,6 +469,8 @@ def upload_single_file(request, book, book_id):
requested_file = request.files['btn-upload-format']
# check for empty request
if requested_file.filename != '':
if not current_user.role_upload():
abort(403)
if '.' in requested_file.filename:
file_ext = requested_file.filename.rsplit('.', 1)[-1].lower()
if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD:
@ -529,6 +531,8 @@ def upload_cover(request, book):
requested_file = request.files['btn-upload-cover']
# check for empty request
if requested_file.filename != '':
if not current_user.role_upload():
abort(403)
ret, message = helper.save_cover(requested_file, book.path)
if ret is True:
return True
@ -609,6 +613,8 @@ def edit_book(book_id):
if not error:
if to_save["cover_url"]:
if not current_user.role_upload() and to_save["cover_url"] != "":
return "", (403)
result, error = helper.save_cover_from_url(to_save["cover_url"], book.path)
if result is True:
book.has_cover = 1
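Review bot: In `edit_book` the denied case is `return "", (403)` while `upload_single_file` and `upload_cover` use `abort(403)`, and the `to_save["cover_url"] != ""` term can never be false under the enclosing `if to_save["cover_url"]:`. I would make it `if not current_user.role_upload():` followed by `abort(403)` so all three paths fail the same way. The check also sits inside `if not error:`, after whatever the function did earlier (its body starts and ends outside the hunk), so it is worth confirming that a 403 here cannot leave earlier edits half-applied; doing the role check before any book fields are modified would avoid that. Separately, `helper.save_cover_from_url` makes the server fetch a user-supplied URL; the role check narrows who can reach it, but whether the helper restricts scheme and destination host is not visible here and should be confirmed.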

@ -92,6 +92,8 @@
<label for="rating">{{_('Rating')}}</label>
<input type="number" name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}">
</div>
{% if g.user.role_upload() or g.user.role_admin()%}
{% if g.allow_upload %}
<div class="form-group">
<label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label>
<input type="text" class="form-control" name="cover_url" id="cover_url" value="">
@ -101,6 +103,8 @@
<div class="upload-cover-input-text" id="upload-cover"></div>
<input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp">
</div>
{% endif %}
{% endif %}
<div class="form-group">
<label for="pubdate">{{_('Published Date')}}</label>
<div style="position: relative">
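Review bot: The template condition `g.user.role_upload() or g.user.role_admin()` is wider than the server-side checks on this page, which test only `current_user.role_upload()`. If the admin role does not imply the upload role, an admin would see the cover fields and then get a 403 on submit. Either drop `or g.user.role_admin()` here or use the same condition in the handlers. The `g.allow_upload` condition likewise appears only in the template within the lines shown; hiding the inputs is not enforcement, so the handlers should also reject the request when uploads are globally disabled, unless that is already done outside these hunks.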
