Don't leak existing user in owner_only rights plugin
If a user didn't exist the error message for the principal collection was 404.
parent
5669433f58
commit
ded660df07
@ -116,6 +116,12 @@ class OwnerOnlyRights(BaseRights):
|
|||||||
permission == "r" and not sane_path or
|
permission == "r" and not sane_path or
|
||||||
user == sane_path.split("/", maxsplit=1)[0])
|
user == sane_path.split("/", maxsplit=1)[0])
|
||||||
|
|
||||||
|
def authorized_item(self, user, path, permission):
|
||||||
|
sane_path = storage.sanitize_path(path).strip("/")
|
||||||
|
if "/" not in sane_path:
|
||||||
|
return False
|
||||||
|
return super().authorized_item(user, path, permission)
|
||||||
|
|
||||||
|
|
||||||
class Rights(BaseRights):
|
class Rights(BaseRights):
|
||||||
def __init__(self, configuration, logger):
|
def __init__(self, configuration, logger):
|
||||||
|
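Review bot: The new `authorized_item` returns False for every path that has no `/` after sanitizing, whatever `user` and `permission` are, and the code carries no comment saying that this is a deliberate anti-enumeration measure. I would add a docstring or a comment above the check such as `# Top-level paths (root and principal collections) are never items; deny them uniformly so the response does not show whether a user exists.` The denial also covers the owner's own top-level path and the empty root path; that looks intended, since the collection check whose tail is visible at the top of the hunk presumably handles those, but it cannot be confirmed from these lines. A regression test that requests an existing and a non-existing principal as another user and asserts the same status for both would keep the leak from coming back.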