X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/572e375e1c950f35d7e159bac031de5205354590..0ca2d1f043dff99aa5f57a4336ea3a924e87e78b:/services/keep-web/handler.go?ds=sidebyside diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 6d0b7669e3..97ec95e3aa 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -487,13 +487,14 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Check configured permission _, sess, err := h.Config.Cache.GetSession(arv.ApiToken) tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken) - if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { - http.Error(w, "Not permitted", http.StatusForbidden) - return - } - h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) if webdavMethod[r.Method] { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + if writeMethod[r.Method] { // Save the collection only if/when all // webdav->filesystem operations succeed -- @@ -548,6 +549,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else if stat.IsDir() { h.serveDirectory(w, r, collection.Name, fs, openPath, true) } else { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + http.ServeContent(w, r, basename, stat.ModTime(), f) if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK { // If we wrote fewer bytes than expected, it's @@ -857,12 +864,9 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc } func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { - if tokenUser == nil { - return false - } var permitDownload bool var permitUpload bool - if tokenUser.IsAdmin { + if tokenUser != nil && tokenUser.IsAdmin { permitUpload = h.Config.cluster.Collections.WebDAVPermission.Admin.Upload permitDownload = h.Config.cluster.Collections.WebDAVPermission.Admin.Download } else { @@ -893,9 +897,13 @@ func (h *handler) logUploadOrDownload( log := ctxlog.FromContext(r.Context()) props := make(map[string]string) props["reqPath"] = r.URL.Path + var useruuid string if user != nil { log = log.WithField("user_uuid", user.UUID). WithField("user_full_name", user.FullName) + useruuid = user.UUID + } else { + useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Config.cluster.ClusterID) } if collection == nil && fs != nil { collection, filepath = h.determineCollection(fs, filepath) @@ -911,7 +919,7 @@ func (h *handler) logUploadOrDownload( if h.Config.cluster.Collections.WebDAVLogEvents { go func() { lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, + "object_uuid": useruuid, "event_type": "file_upload", "properties": props}} err := client.Create("logs", lr, nil) @@ -929,7 +937,7 @@ func (h *handler) logUploadOrDownload( if h.Config.cluster.Collections.WebDAVLogEvents { go func() { lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, + "object_uuid": useruuid, "event_type": "file_download", "properties": props}} err := client.Create("logs", lr, nil)