mirror of
https://github.com/filebrowser/filebrowser.git
synced 2024-06-07 23:00:43 +00:00
updates
This commit is contained in:
Henrique Dias
parent
53927dab00
commit
a2a078d06e
@ -1,10 +1,7 @@
|
||||
'use strict';
|
||||
|
||||
// TODO: way to get the webdav url
|
||||
|
||||
var tempID = "_fm_internal_temporary_id"
|
||||
var selectedItems = [];
|
||||
var token = "";
|
||||
|
||||
/* * * * * * * * * * * * * * * *
|
||||
* *
|
||||
@ -123,7 +120,7 @@ var deleteEvent = function(event) {
|
||||
let request = new XMLHttpRequest();
|
||||
|
||||
request.open('DELETE', toWebDavURL(link));
|
||||
request.setRequestHeader('Token', token);
|
||||
|
||||
request.send();
|
||||
request.onreadystatechange = function() {
|
||||
if (request.readyState == 4) {
|
||||
@ -158,11 +155,6 @@ var RemoveLastDirectoryPartOf = function(url) {
|
||||
return (arr.join('/'));
|
||||
}
|
||||
|
||||
// Get the current token
|
||||
var updateToken = function() {
|
||||
token = document.getElementById("token").innerHTML;
|
||||
}
|
||||
|
||||
/* * * * * * * * * * * * * * * *
|
||||
* *
|
||||
* LISTING SPECIFIC FUNCTIONS *
|
||||
@ -173,7 +165,6 @@ var reloadListing = function(callback) {
|
||||
let request = new XMLHttpRequest();
|
||||
request.open('GET', window.location);
|
||||
request.setRequestHeader('Minimal', 'true');
|
||||
request.setRequestHeader('Token', token);
|
||||
request.send();
|
||||
request.onreadystatechange = function() {
|
||||
if (request.readyState == 4) {
|
||||
@ -189,8 +180,6 @@ var reloadListing = function(callback) {
|
||||
link.addEventListener('click', itemClickEvent);
|
||||
});
|
||||
|
||||
updateToken();
|
||||
|
||||
if (typeof callback == 'function') {
|
||||
callback();
|
||||
}
|
||||
@ -229,7 +218,7 @@ var renameEvent = function(event) {
|
||||
let request = new XMLHttpRequest();
|
||||
request.open('MOVE', toWebDavURL(link));
|
||||
request.setRequestHeader('Destination', newLink);
|
||||
request.setRequestHeader('Token', token);
|
||||
|
||||
request.send();
|
||||
request.onreadystatechange = function() {
|
||||
// TODO: redirect if it's moved to another folder
|
||||
@ -289,7 +278,7 @@ var handleFiles = function(files) {
|
||||
for (let i = 0; i < files.length; i++) {
|
||||
let request = new XMLHttpRequest();
|
||||
request.open('PUT', toWebDavURL(window.location.pathname + files[i].name));
|
||||
request.setRequestHeader('Token', token);
|
||||
|
||||
request.send(files[i]);
|
||||
request.onreadystatechange = function() {
|
||||
if (request.readyState == 4) {
|
||||
@ -416,7 +405,7 @@ var newDirEvent = function(event) {
|
||||
let name = document.getElementById('newdir').value;
|
||||
|
||||
request.open((name.endsWith("/") ? "MKCOL" : "PUT"), toWebDavURL(window.location.pathname + name));
|
||||
request.setRequestHeader('Token', token);
|
||||
|
||||
request.send();
|
||||
request.onreadystatechange = function() {
|
||||
if (request.readyState == 4) {
|
||||
@ -543,7 +532,8 @@ document.addEventListener('listing', event => {
|
||||
});
|
||||
|
||||
if (user.AllowCommands) {
|
||||
let hover = false, focus = false;
|
||||
let hover = false,
|
||||
focus = false;
|
||||
|
||||
document.querySelector('#search input').addEventListener('focus', event => {
|
||||
focus = true;
|
||||
@ -840,7 +830,7 @@ document.addEventListener("editor", (event) => {
|
||||
let request = new XMLHttpRequest();
|
||||
request.open("PUT", toWebDavURL(window.location.pathname));
|
||||
request.setRequestHeader('Kind', kind);
|
||||
request.setRequestHeader('Token', token);
|
||||
|
||||
request.send(JSON.stringify(data));
|
||||
request.onreadystatechange = function() {
|
||||
if (request.readyState == 4) {
|
||||
@ -887,9 +877,6 @@ document.addEventListener("DOMContentLoaded", function(event) {
|
||||
}
|
||||
});
|
||||
|
||||
// Updates the token
|
||||
updateToken();
|
||||
|
||||
// Enables open, delete and download buttons
|
||||
document.getElementById("open").addEventListener("click", openEvent);
|
||||
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
<head>
|
||||
<title>{{.Name}}</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<meta name="token" content="{{ .Token }}">
|
||||
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
|
||||
<link href='https://fonts.googleapis.com/css?family=Roboto:400,500' rel='stylesheet' type='text/css'>
|
||||
<link rel="stylesheet" href="{{ .Config.AbsoluteURL }}/_filemanagerinternal/css/styles.css">
|
||||
@ -104,8 +105,8 @@
|
||||
{{ end }}
|
||||
|
||||
<main>
|
||||
|
||||
{{ template "content" . }}
|
||||
<span id="token">{{ .Config.Token }}</span>
|
||||
</main>
|
||||
|
||||
<footer>
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
tokenSize = 80
|
||||
letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
|
||||
letterIdxBits = 6 // 6 bits to represent a letter index
|
||||
letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
|
||||
letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits
|
||||
)
|
||||
|
||||
// CheckToken checs if current token is the same as the one used in the request
|
||||
func (c Config) CheckToken(r *http.Request) bool {
|
||||
token := r.Header.Get("Token")
|
||||
return c.Token == token
|
||||
}
|
||||
|
||||
// GenerateToken geneerates a new token
|
||||
func (c *Config) GenerateToken() {
|
||||
src := rand.NewSource(time.Now().UnixNano())
|
||||
b := make([]byte, tokenSize)
|
||||
// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
|
||||
// future reference: http://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-golang
|
||||
for i, cache, remain := tokenSize-1, src.Int63(), letterIdxMax; i >= 0; {
|
||||
if remain == 0 {
|
||||
cache, remain = src.Int63(), letterIdxMax
|
||||
}
|
||||
if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
|
||||
b[i] = letterBytes[idx]
|
||||
i--
|
||||
}
|
||||
cache >>= letterIdxBits
|
||||
remain--
|
||||
}
|
||||
|
||||
c.Token = string(b)
|
||||
}
|
||||
@ -71,18 +71,8 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
|
||||
return handlers.Command(w, r, c, user)
|
||||
}
|
||||
|
||||
// TODO: This anti CSCF measure is not being applied to requests
|
||||
// to the WebDav URL namespace. Anyone has ideas?
|
||||
// if !c.CheckToken(r) {
|
||||
// return http.StatusForbidden, nil
|
||||
// }
|
||||
|
||||
// Checks if the request URL is for the WebDav server
|
||||
if strings.HasPrefix(r.URL.Path, c.WebDavURL) {
|
||||
// if !c.CheckToken(r) {
|
||||
// return http.StatusForbidden, nil
|
||||
// }
|
||||
|
||||
// Checks for user permissions relatively to this PATH
|
||||
if !user.Allowed(strings.TrimPrefix(r.URL.Path, c.WebDavURL)) {
|
||||
return http.StatusForbidden, nil
|
||||
@ -123,19 +113,6 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
|
||||
}
|
||||
|
||||
if r.Method == http.MethodGet {
|
||||
// Generate anti security token.
|
||||
/* c.GenerateToken()
|
||||
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "token",
|
||||
Value: c.Token,
|
||||
Path: "/",
|
||||
HttpOnly: true,
|
||||
})
|
||||
|
||||
co, err := r.Cookie("token")
|
||||
fmt.Println(co.Value) */
|
||||
|
||||
// Gets the information of the directory/file
|
||||
fi, code, err = file.GetInfo(r.URL, c, user)
|
||||
if err != nil {
|
||||
|
||||
@ -28,6 +28,7 @@ type Info struct {
|
||||
User *config.User
|
||||
Config *config.Config
|
||||
Data interface{}
|
||||
Token string
|
||||
}
|
||||
|
||||
// BreadcrumbMap returns p.Path where every element is a map
|
||||
|
||||
Loading…
Reference in New Issue
Block a user