Fixed access to shelfs

This commit is contained in:
Ozzie Isaacs 2022-01-28 20:01:33 +01:00
parent 17b4643b7c
commit 42f8209a4a
3 changed files with 41 additions and 39 deletions

View File

@ -31,7 +31,7 @@ To receive fixes for security vulnerabilities it is required to always upgrade t
| V 0.6.15 | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo || | V 0.6.15 | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo ||
| V 0.6.16 | JavaScript could get executed on authors page. Thanks to @alicaz || | V 0.6.16 | JavaScript could get executed on authors page. Thanks to @alicaz ||
| V 0.6.16 | Localhost can no longer be used to upload covers. Thanks to @scara31 || | V 0.6.16 | Localhost can no longer be used to upload covers. Thanks to @scara31 ||
| V 0.6.16 | Another case where public shelfs could be created without permission is prevented. Thanks to @ibarrionuevo || | V 0.6.16 | Another case where public shelfs could be created without permission is prevented. Thanks to @nhiephon ||
## Staement regarding Log4j (CVE-2021-44228 and related) ## Staement regarding Log4j (CVE-2021-44228 and related)

View File

@ -552,11 +552,9 @@ def HandleTagUpdate(tag_id):
else: else:
abort(404, description="Collection isn't known to CalibreWeb") abort(404, description="Collection isn't known to CalibreWeb")
if not shelf_lib.check_shelf_edit_permissions(shelf):
abort(401, description="User is unauthaurized to edit shelf.")
if request.method == "DELETE": if request.method == "DELETE":
shelf_lib.delete_shelf_helper(shelf) if not shelf_lib.delete_shelf_helper(shelf):
abort(401, description="Error deleting Shelf")
else: else:
name = None name = None
try: try:

View File

@ -23,7 +23,7 @@
import sys import sys
from datetime import datetime from datetime import datetime
from flask import Blueprint, flash, redirect, request, url_for from flask import Blueprint, flash, redirect, request, url_for, abort
from flask_babel import gettext as _ from flask_babel import gettext as _
from flask_login import current_user, login_required from flask_login import current_user, login_required
from sqlalchemy.exc import InvalidRequestError, OperationalError from sqlalchemy.exc import InvalidRequestError, OperationalError
@ -39,10 +39,10 @@ log = logger.create()
def check_shelf_edit_permissions(cur_shelf): def check_shelf_edit_permissions(cur_shelf):
if not cur_shelf.is_public and not cur_shelf.user_id == int(current_user.id): if not cur_shelf.is_public and not cur_shelf.user_id == int(current_user.id):
log.error("User %s not allowed to edit shelf %s", current_user, cur_shelf) log.error("User {} not allowed to edit shelf: {}".format(current_user.id, cur_shelf.name))
return False return False
if cur_shelf.is_public and not current_user.role_edit_shelfs(): if cur_shelf.is_public and not current_user.role_edit_shelfs():
log.info("User %s not allowed to edit public shelves", current_user) log.info("User {} not allowed to edit public shelves".format(current_user.id))
return False return False
return True return True
@ -51,7 +51,7 @@ def check_shelf_view_permissions(cur_shelf):
if cur_shelf.is_public: if cur_shelf.is_public:
return True return True
if current_user.is_anonymous or cur_shelf.user_id != current_user.id: if current_user.is_anonymous or cur_shelf.user_id != current_user.id:
log.error("User is unauthorized to view non-public shelf: %s", cur_shelf) log.error("User is unauthorized to view non-public shelf: {}".format(cur_shelf.name))
return False return False
return True return True
@ -117,7 +117,7 @@ def add_to_shelf(shelf_id, book_id):
def search_to_shelf(shelf_id): def search_to_shelf(shelf_id):
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
if shelf is None: if shelf is None:
log.error("Invalid shelf specified: %s", shelf_id) log.error("Invalid shelf specified: {}".format(shelf_id))
flash(_(u"Invalid shelf specified"), category="error") flash(_(u"Invalid shelf specified"), category="error")
return redirect(url_for('web.index')) return redirect(url_for('web.index'))
@ -228,7 +228,6 @@ def create_shelf():
return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate") return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate")
@shelf.route("/shelf/edit/<int:shelf_id>", methods=["GET", "POST"]) @shelf.route("/shelf/edit/<int:shelf_id>", methods=["GET", "POST"])
@login_required @login_required
def edit_shelf(shelf_id): def edit_shelf(shelf_id):
@ -320,12 +319,13 @@ def check_shelf_is_unique(shelf, title, is_public, shelf_id=False):
def delete_shelf_helper(cur_shelf): def delete_shelf_helper(cur_shelf):
if not cur_shelf or not check_shelf_edit_permissions(cur_shelf): if not cur_shelf or not check_shelf_edit_permissions(cur_shelf):
return return False
shelf_id = cur_shelf.id shelf_id = cur_shelf.id
ub.session.delete(cur_shelf) ub.session.delete(cur_shelf)
ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id).delete() ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id).delete()
ub.session.add(ub.ShelfArchive(uuid=cur_shelf.uuid, user_id=cur_shelf.user_id)) ub.session.add(ub.ShelfArchive(uuid=cur_shelf.uuid, user_id=cur_shelf.user_id))
ub.session_commit("successfully deleted Shelf {}".format(cur_shelf.name)) ub.session_commit("successfully deleted Shelf {}".format(cur_shelf.name))
return True
@shelf.route("/shelf/delete/<int:shelf_id>", methods=["POST"]) @shelf.route("/shelf/delete/<int:shelf_id>", methods=["POST"])
@ -333,8 +333,10 @@ def delete_shelf_helper(cur_shelf):
def delete_shelf(shelf_id): def delete_shelf(shelf_id):
cur_shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() cur_shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
try: try:
delete_shelf_helper(cur_shelf) if not delete_shelf_helper(cur_shelf):
flash(_("Shelf successfully deleted"), category="success") flash(_("Error deleting Shelf"), category="error")
else:
flash(_("Shelf successfully deleted"), category="success")
except InvalidRequestError: except InvalidRequestError:
ub.session.rollback() ub.session.rollback()
log.error("Settings DB is not Writeable") log.error("Settings DB is not Writeable")
@ -359,32 +361,35 @@ def show_shelf(shelf_id, sort_param, page):
@shelf.route("/shelf/order/<int:shelf_id>", methods=["GET", "POST"]) @shelf.route("/shelf/order/<int:shelf_id>", methods=["GET", "POST"])
@login_required @login_required
def order_shelf(shelf_id): def order_shelf(shelf_id):
if request.method == "POST":
to_save = request.form.to_dict()
books_in_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id).order_by(
ub.BookShelf.order.asc()).all()
counter = 0
for book in books_in_shelf:
setattr(book, 'order', to_save[str(book.book_id)])
counter += 1
# if order diffrent from before -> shelf.last_modified = datetime.utcnow()
try:
ub.session.commit()
except (OperationalError, InvalidRequestError):
ub.session.rollback()
log.error("Settings DB is not Writeable")
flash(_("Settings DB is not Writeable"), category="error")
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
result = list()
if shelf and check_shelf_view_permissions(shelf): if shelf and check_shelf_view_permissions(shelf):
result = calibre_db.session.query(db.Books) \ if request.method == "POST":
.join(ub.BookShelf, ub.BookShelf.book_id == db.Books.id, isouter=True) \ to_save = request.form.to_dict()
.add_columns(calibre_db.common_filters().label("visible")) \ books_in_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id).order_by(
.filter(ub.BookShelf.shelf == shelf_id).order_by(ub.BookShelf.order.asc()).all() ub.BookShelf.order.asc()).all()
return render_title_template('shelf_order.html', entries=result, counter = 0
title=_(u"Change order of Shelf: '%(name)s'", name=shelf.name), for book in books_in_shelf:
shelf=shelf, page="shelforder") setattr(book, 'order', to_save[str(book.book_id)])
counter += 1
# if order diffrent from before -> shelf.last_modified = datetime.utcnow()
try:
ub.session.commit()
except (OperationalError, InvalidRequestError):
ub.session.rollback()
log.error("Settings DB is not Writeable")
flash(_("Settings DB is not Writeable"), category="error")
result = list()
if shelf:
result = calibre_db.session.query(db.Books) \
.join(ub.BookShelf, ub.BookShelf.book_id == db.Books.id, isouter=True) \
.add_columns(calibre_db.common_filters().label("visible")) \
.filter(ub.BookShelf.shelf == shelf_id).order_by(ub.BookShelf.order.asc()).all()
return render_title_template('shelf_order.html', entries=result,
title=_(u"Change order of Shelf: '%(name)s'", name=shelf.name),
shelf=shelf, page="shelforder")
else:
abort(404)
def change_shelf_order(shelf_id, order): def change_shelf_order(shelf_id, order):
@ -404,7 +409,6 @@ def render_show_shelf(shelf_type, shelf_id, page_no, sort_param):
# check user is allowed to access shelf # check user is allowed to access shelf
if shelf and check_shelf_view_permissions(shelf): if shelf and check_shelf_view_permissions(shelf):
if shelf_type == 1: if shelf_type == 1:
# order = [ub.BookShelf.order.asc()] # order = [ub.BookShelf.order.asc()]
if sort_param == 'pubnew': if sort_param == 'pubnew':