Always match full username/collection with regex
It is easy to forget the `$` at the end of a regex, and it is counter-intuitive that `^` is implicit while `$` is not.
This commit is contained in:
parent
f4ebe3f545
commit
9dd8c65d65
@ -66,7 +66,7 @@ permission:rw
"owner_write": """
"owner_write": """
[w]
[w]
user:.+
user:.+
collection:^%(login)s(/.*)?$
collection:%(login)s(/.*)?
permission:rw
permission:rw
[r]
[r]
user:.+
user:.+
@ -76,7 +76,7 @@ permission:r
"owner_only": """
"owner_only": """
[rw]
[rw]
user:.+
user:.+
collection:^%(login)s(/.*)?$
collection:%(login)s(/.*)?
permission:rw
permission:rw
"""}
"""}
@ -127,10 +127,10 @@ class Rights(BaseRights):
self.logger.debug(
self.logger.debug(
"Test if '%s:%s' matches against '%s:%s' from section '%s'" % (
"Test if '%s:%s' matches against '%s:%s' from section '%s'" % (
user, collection_url, re_user, re_collection, section))
user, collection_url, re_user, re_collection, section))
user_match = re.match(re_user, user)
user_match = re.fullmatch(re_user, user)
if user_match:
if user_match:
re_collection = re_collection.format(*user_match.groups())
re_collection = re_collection.format(*user_match.groups())
if re.match(re_collection, collection_url):
if re.fullmatch(re_collection, collection_url):
self.logger.debug("Section '%s' matches" % section)
self.logger.debug("Section '%s' matches" % section)
return permission in regex.get(section, "permission")
return permission in regex.get(section, "permission")
else:
else:
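Review bot: The captured groups from the user regex are still substituted into the collection pattern unescaped at `re_collection = re_collection.format(*user_match.groups())`, so switching to `re.fullmatch` anchors the pattern but a username containing regex metacharacters (`.`, `+`, `(`) can still widen or break the collection match. If the captured text is meant to be matched literally, `re_collection = re_collection.format(*map(re.escape, user_match.groups()))` closes that gap. The same applies to the `%(login)s` interpolation in the `owner_write` and `owner_only` defaults in the first two hunks, and to `collection: %(login)s/.*` in the example rights file, since the login is presumably substituted by the config parser before the pattern reaches `re`. The enclosing method starts and ends outside this hunk, so I cannot see how `regex`, `re_user` and `re_collection` are loaded.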
10
rights
10
rights
@ -14,7 +14,7 @@
# This means all users starting with "admin" may read any collection
# This means all users starting with "admin" may read any collection
[admin]
[admin]
user: ^admin.*$
user: admin.*
collection: .*
collection: .*
permission: r
permission: r
@ -22,14 +22,14 @@ permission: r
# We do so by just not testing against the user string.
# We do so by just not testing against the user string.
[public]
[public]
user: .*
user: .*
collection: ^public(/.+)?$
collection: public(/.+)?
permission: rw
permission: rw
# A little more complex: give read access to users from a domain for all
# A little more complex: give read access to users from a domain for all
# collections of all the users (ie. user@domain.tld can read domain/*).
# collections of all the users (ie. user@domain.tld can read domain/*).
[domain-wide-access]
[domain-wide-access]
user: ^.+@(.+)\..+$
user: .+@(.+)\..+
collection: ^{0}/.+$
collection: {0}/.+
permission: r
permission: r
# Allow authenticated user to read all collections
# Allow authenticated user to read all collections
@ -41,5 +41,5 @@ permission: r
# Give write access to owners
# Give write access to owners
[owner-write]
[owner-write]
user: .+
user: .+
collection: ^%(login)s/.*$
collection: %(login)s/.*
permission: w
permission: w
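Review bot: Nothing in the example file tells the reader that patterns are now matched against the whole string, so the stripped `^`/`$` anchors in the `[admin]`, `[public]`, `[domain-wide-access]` and `[owner-write]` sections read like a loosening of the rules rather than a no-op. A comment near the top of the file such as `# Regexes must match the whole user / collection string; ^ and $ are implicit.` would document the new contract, which the `[admin]` comment ("starting with admin" with `admin.*`) already relies on. The head of the file is outside these hunks, so it may already say something to that effect.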