From 7889b8488d9b1341f685bb75def6bf61dd5a8b49 Mon Sep 17 00:00:00 2001
From: Henrique Dias <hacdias@gmail.com>
Date: Fri, 14 Jul 2017 07:51:32 +0100
Subject: [PATCH] Add User Permission check

---
 filemanager.go |  7 ++++---
 resource.go    | 14 +++++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/filemanager.go b/filemanager.go
index 5b8cd82f..dff16bc2 100644
--- a/filemanager.go
+++ b/filemanager.go
@@ -81,9 +81,10 @@ type User struct {
 	CSS string `json:"css"`
 
 	// These indicate if the user can perform certain actions.
-	AllowNew      bool `json:"allowNew"`      // Create files and folders
-	AllowEdit     bool `json:"allowEdit"`     // Edit/rename files
-	AllowCommands bool `json:"allowCommands"` // Execute commands
+	AllowNew      bool            `json:"allowNew"`      // Create files and folders
+	AllowEdit     bool            `json:"allowEdit"`     // Edit/rename files
+	AllowCommands bool            `json:"allowCommands"` // Execute commands
+	Permissions   map[string]bool `json:"permissions"`   // Permissions added by plugins
 
 	// Commands is the list of commands the user can execute.
 	Commands []string `json:"commands"`
diff --git a/resource.go b/resource.go
index 615b12db..d852024a 100644
--- a/resource.go
+++ b/resource.go
@@ -116,7 +116,7 @@ func listingHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (
 
 func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
 	// Prevent the removal of the root directory.
-	if r.URL.Path == "/" {
+	if r.URL.Path == "/" || !c.User.AllowEdit {
 		return http.StatusForbidden, nil
 	}
 
@@ -130,6 +130,14 @@ func resourceDeleteHandler(c *RequestContext, w http.ResponseWriter, r *http.Req
 }
 
 func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
+	if !c.User.AllowNew && r.Method == http.MethodPost {
+		return http.StatusForbidden, nil
+	}
+
+	if !c.User.AllowEdit && r.Method == http.MethodPut {
+		return http.StatusForbidden, nil
+	}
+
 	// Checks if the current request is for a directory and not a file.
 	if strings.HasSuffix(r.URL.Path, "/") {
 		// If the method is PUT, we return 405 Method not Allowed, because
@@ -179,6 +187,10 @@ func resourcePostPutHandler(c *RequestContext, w http.ResponseWriter, r *http.Re
 }
 
 func resourcePatchHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
+	if !c.User.AllowEdit {
+		return http.StatusForbidden, nil
+	}
+
 	dst := r.Header.Get("Destination")
 	dst, err := url.QueryUnescape(dst)
 	if err != nil {