Fixes from test of upload restrictions

Ozzieisaacs 2020-09-23 20:50:34 +02:00
parent 8f743b70a4
commit da909ff084
2 changed files with 60 additions and 50 deletions


@ -469,6 +469,8 @@ def upload_single_file(request, book, book_id):
requested_file = request.files['btn-upload-format'] requested_file = request.files['btn-upload-format']
# check for empty request # check for empty request
if requested_file.filename != '': if requested_file.filename != '':
if not current_user.role_upload():
abort(403)
if '.' in requested_file.filename: if '.' in requested_file.filename:
file_ext = requested_file.filename.rsplit('.', 1)[-1].lower() file_ext = requested_file.filename.rsplit('.', 1)[-1].lower()
if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD: if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD:
@ -529,6 +531,8 @@ def upload_cover(request, book):
requested_file = request.files['btn-upload-cover'] requested_file = request.files['btn-upload-cover']
# check for empty request # check for empty request
if requested_file.filename != '': if requested_file.filename != '':
if not current_user.role_upload():
abort(403)
ret, message = helper.save_cover(requested_file, book.path) ret, message = helper.save_cover(requested_file, book.path)
if ret is True: if ret is True:
return True return True
@ -609,6 +613,8 @@ def edit_book(book_id):
if not error: if not error:
if to_save["cover_url"]: if to_save["cover_url"]:
if not current_user.role_upload() and to_save["cover_url"] != "":
return "", (403)
result, error = helper.save_cover_from_url(to_save["cover_url"], book.path) result, error = helper.save_cover_from_url(to_save["cover_url"], book.path)
if result is True: if result is True:
book.has_cover = 1 book.has_cover = 1
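Review bot: In the edit_book hunk the new guard `if not current_user.role_upload() and to_save["cover_url"] != "":` sits directly inside `if to_save["cover_url"]:`, so the `!= ""` clause can never be false there and can be dropped. The response `return "", (403)` also differs from the `abort(403)` used by the two hunks above in upload_single_file and upload_cover; unless edit_book deliberately returns a bare tuple on this path, `if not current_user.role_upload(): abort(403)` keeps the three checks consistent and gives the client Flask's standard 403 body. The role check narrows who can trigger `helper.save_cover_from_url`, but nothing visible here validates the user-supplied URL (scheme or destination host) before it is fetched server-side, so it is worth confirming that the helper does. edit_book starts outside the hunk, and the hunk's first context line appears to be missing from this rendering.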


@ -92,6 +92,8 @@
<label for="rating">{{_('Rating')}}</label> <label for="rating">{{_('Rating')}}</label>
<input type="number" name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}"> <input type="number" name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}">
</div> </div>
{% if g.user.role_upload() or g.user.role_admin()%}
{% if g.allow_upload %}
<div class="form-group"> <div class="form-group">
<label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label> <label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label>
<input type="text" class="form-control" name="cover_url" id="cover_url" value=""> <input type="text" class="form-control" name="cover_url" id="cover_url" value="">
@ -101,6 +103,8 @@
<div class="upload-cover-input-text" id="upload-cover"></div> <div class="upload-cover-input-text" id="upload-cover"></div>
<input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp"> <input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp">
</div> </div>
{% endif %}
{% endif %}
<div class="form-group"> <div class="form-group">
<label for="pubdate">{{_('Published Date')}}</label> <label for="pubdate">{{_('Published Date')}}</label>
<div style="position: relative"> <div style="position: relative">
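Review bot: The template gate `{% if g.user.role_upload() or g.user.role_admin()%}` is wider than the server-side checks added in the editbooks hunks on this page, which accept only `current_user.role_upload()`; an admin without the upload role will be shown the cover URL and cover upload fields and then receive a 403 on submit. Either narrow the template to `{% if g.user.role_upload() %}` (also adding the missing space before `%}`) or accept admins in the view functions, so the UI and the enforcement point agree. The inner `{% if g.allow_upload %}` gate has no visible counterpart in the server-side hunks either; I can't tell from this page whether the upload paths check that global setting elsewhere. Hiding the form is a usability measure only — the server-side role check is the actual control, so keeping the two aligned matters mainly to avoid confusing users and masking misconfiguration.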