direct links

2018-01-25 21:56:03 +02:00
parent db3ee2abfd
commit 938f688693
3 changed files with 48 additions and 16 deletions
--- a/code/app.py
+++ b/code/app.py
@@ -93,7 +93,13 @@ def list_view(name, password = None):
        return share
    files = []
    for file in sorted(os.listdir(share['path'])):
-        files.append(file_stat(os.path.join(share['path'],file)))
+        status = file_stat(os.path.join(share['path'],file))
+        status.update({
+            'token': get_direct_token(share, file)
+        })
+        files.append(status)
+    # direct share links not allowed if password isnt set
+    allow_direct = get_or_none(share,'direct_links') if get_or_none(share,'pass_hash') else False
    return render_template(
        "list.html",
        name = share['name'],
@@ -102,7 +108,7 @@ def list_view(name, password = None):
        public = get_or_none(share,'public'),
        upload = get_or_none(share,'upload'),
        overwrite = get_or_none(share,'overwrite'),
-        direct = get_or_none(share,'direct_links'),
+        direct = allow_direct,
        expire = get_or_none(share,'expire')
    )

@@ -115,12 +121,27 @@ def logout(name, password = None):
        name = name
    )

+@app.route('/direct/<name>/<password>/<filename>', methods=['GET'])
+def download_direct(name,password,filename):
+    if password != None:
+        session[name] = password
+    (ok,share) = get_share(name, require_auth = False)
+    if not ok:
+        return share
+    token = get_direct_token(share, filename)
+    if token == None:
+        return 'Cannot generate token', 400
+    if password != token:
+        return 'Incorrect token', 403
+    file_path = os.path.join(share['path'], filename)
+    if not os.path.exists(file_path):
+        return 'no such file', 404
+    return send_from_directory(directory=share['path'], filename=filename)
+

@app.route('/download/<name>/<password>/<filename>', methods=['GET'])
@app.route('/download/<name>/<filename>', methods=['GET'])
 def download_file(name,filename,password = None):
-    if password != None:
-        session[name] = password
    (ok,share) = get_share(name)
    if not ok:
        return share
@@ -151,6 +172,12 @@ def file_date_human(num):
    ).strftime(app.config['DATE_FORMAT'])


+def get_direct_token(share, filename):
+    if not 'pass_hash' in share:
+        return None
+    return hashlib.sha1(
+        share['pass_hash'].encode('utf-8') + filename.encode('utf-8')
+    ).hexdigest()


 def get_or_none(d,key):
@@ -159,7 +186,8 @@ def get_or_none(d,key):
    else:
        return None

-def get_share(name):
+
+def get_share(name, require_auth = True):
    share = [x for x in g.shares if x['name'] == name]
    if len(share) < 1:
        return (False,'No such share')
@@ -167,16 +195,18 @@ def get_share(name):
    if is_expired(share):
        return (False, 'Share has expired')
    authenticated = True
-    if 'pass_hash' in share:
-        authenticated = False
-        if name in session:
-            if session[name] == share['pass_hash']:
-                authenticated = True
-    if 'pass_plain' in share:
-        authenticated = False
-        if name in session:
-            if session[name] == hashlib.sha1(share['pass_plain'].encode('utf-8')).hexdigest():
-                authenticated = True
+    if require_auth:
+        if 'pass_plain' in share:
+            authenticated = False
+            if name in session:
+                if session[name] == hashlib.sha1(share['pass_plain'].encode('utf-8')).hexdigest():
+                    authenticated = True
+        if 'pass_hash' in share:
+            authenticated = False
+            if name in session:
+                if session[name] == share['pass_hash']:
+                    authenticated = True
+
    if not authenticated:
        return (False,redirect(url_for('authenticate',name=name)))
    if not 'path' in share: