Don't leak existing user in owner_only rights plugin
If a user didn't exist the error message for the principal collection was 404.
This commit is contained in:
parent
5669433f58
commit
ded660df07
@ -116,6 +116,12 @@ class OwnerOnlyRights(BaseRights):
|
||||
permission == "r" and not sane_path or
|
||||
user == sane_path.split("/", maxsplit=1)[0])
|
||||
|
||||
def authorized_item(self, user, path, permission):
|
||||
sane_path = storage.sanitize_path(path).strip("/")
|
||||
if "/" not in sane_path:
|
||||
return False
|
||||
return super().authorized_item(user, path, permission)
|
||||
|
||||
|
||||
class Rights(BaseRights):
|
||||
def __init__(self, configuration, logger):
|
||||
|
Loading…
Reference in New Issue
Block a user