Extract access checks

Sascha Ißbrücker
2025-03-09 12:21:22 +01:00
parent 1a1092d03a
commit 6ab6a031c7
7 changed files with 101 additions and 143 deletions


@@ -20,6 +20,7 @@ from bookmarks.api.serializers import (
from bookmarks.models import Bookmark, BookmarkAsset, BookmarkSearch, Tag, User
from bookmarks.services import assets, bookmarks, auto_tagging, website_loader
from bookmarks.type_defs import HttpRequest
from bookmarks.views import access
logger = logging.getLogger(__name__)
@@ -169,11 +170,10 @@ class BookmarkAssetViewSet(
def get_queryset(self):
user = self.request.user
bookmark_id = self.kwargs["bookmark_id"]
if not Bookmark.objects.filter(id=bookmark_id, owner=user).exists():
raise Http404("Bookmark does not exist")
# limit access to assets to the owner of the bookmark for now
bookmark = access.bookmark_write(self.request, self.kwargs["bookmark_id"])
return BookmarkAsset.objects.filter(
bookmark_id=bookmark_id, bookmark__owner=user
bookmark_id=bookmark.id, bookmark__owner=user
)
def get_serializer_context(self):
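Review bot: Whether another user's bookmark id still yields a 404 on the asset endpoints now depends on `access.bookmark_write`, which is not visible in this hunk. `get_queryset` appears to drop its own `raise Http404("Bookmark does not exist")` in favour of the helper, and the upload path in the following hunk does the same with `bookmark = access.bookmark_write(request, bookmark_id)`. If the helper answers differently for a missing id than for a bookmark owned by someone else, these endpoints would disclose which bookmark ids exist. It is worth confirming that it raises `Http404` in both cases and adding an API test that requests a foreign `bookmark_id` and expects 404. Since `get_queryset` also backs the read actions, a comment such as `# write access is required even for reads; the owner filter below is a second, independent check` would make the retained `bookmark__owner=user` filter read as deliberate.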
@@ -214,9 +214,7 @@ class BookmarkAssetViewSet(
{"error": "Asset upload is disabled."},
status=status.HTTP_403_FORBIDDEN,
)
bookmark = Bookmark.objects.filter(id=bookmark_id, owner=request.user).first()
if not bookmark:
raise Http404("Bookmark does not exist")
bookmark = access.bookmark_write(request, bookmark_id)
upload_file = request.FILES.get("file")
if not upload_file: