From 150764a4cde1cc9e4190dd42ac4c1b2ce99c1dcf Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Sat, 20 Jun 2020 22:44:55 +0500
Subject: [PATCH] add security checks for gdrive

---
 backup/backupManager.py | 37 ++++++++++++++++++++++++++++++++++---
 plogical/acl.py         | 16 ++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/backup/backupManager.py b/backup/backupManager.py
index 4cd618be4..94ae8c45b 100755
--- a/backup/backupManager.py
+++ b/backup/backupManager.py
@@ -60,7 +60,7 @@ class BackupManager:
 
             admin = Administrator.objects.get(pk=userID)
 
-            if ACLManager.currentContextPermission(currentACL, 'addDeleteDestinations') == 0:
+            if ACLManager.currentContextPermission(currentACL, 'createBackup') == 0:
                 return ACLManager.loadError()
 
             gDriveAcctsList = []
@@ -81,7 +81,7 @@ class BackupManager:
             currentACL = ACLManager.loadedACL(userID)
             admin = Administrator.objects.get(pk=userID)
 
-            if ACLManager.currentContextPermission(currentACL, 'addDeleteDestinations') == 0:
+            if ACLManager.currentContextPermission(currentACL, 'createBackup') == 0:
                 return ACLManager.loadError()
 
             gDriveData = {}
@@ -114,6 +114,11 @@ class BackupManager:
 
             gD = GDrive.objects.get(name=selectedAccount)
 
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             logs = gD.gdrivejoblogs_set.all().order_by('-id')
 
             from s3Backups.s3Backups import S3Backups
@@ -150,7 +155,6 @@ class BackupManager:
 
             json_data = json_data + ']'
 
-
             data_ret = {'status': 1, 'logs': json_data, 'pagination': pagination}
             json_data = json.dumps(data_ret)
             return HttpResponse(json_data)
@@ -176,6 +180,11 @@ class BackupManager:
 
             gD = GDrive.objects.get(name=selectedAccount)
 
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             websites = gD.gdrivesites_set.all()
 
             from s3Backups.s3Backups import S3Backups
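Review bot: Each new ownership guard (at -114 and -176 here, and again at -232, -257, -281 and -307) is written as `if check(...) == 1: pass` / `else: return ...`, an inverted form whose success branch is a no-op and which is easy to mis-edit later; the direct guard clause `if ACLManager.checkGDriveOwnership(gD, admin, currentACL) != 1:` / `    return ACLManager.loadErrorJson('status', 0)` is equivalent and shorter. The guards at -257 and -281 also drop the `== 1` and rely on truthiness while the others compare explicitly; pick one form, since the helper returns the ints 0/1 rather than a bool. Note that `GDrive.objects.get(name=selectedAccount)` runs before the ownership check, so an unknown account name presumably raises DoesNotExist and takes the enclosing except path (outside the hunk) instead of the loadErrorJson response; if those two responses differ, a caller can distinguish existing account names from unknown ones, so the lookup and the check should fail through the same response. The enclosing methods start and end outside these hunks.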
@@ -232,6 +241,11 @@ class BackupManager:
 
             gD = GDrive.objects.get(name=selectedAccount)
 
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL) == 1 and ACLManager.checkOwnership(selectedWebsite, admin, currentACL) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             gdSite = GDriveSites(owner=gD, domain=selectedWebsite)
             gdSite.save()
 
@@ -257,6 +271,11 @@ class BackupManager:
 
             gD = GDrive.objects.get(name=selectedAccount)
 
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL):
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             gD.delete()
 
             data_ret = {'status': 1}
@@ -281,6 +300,12 @@ class BackupManager:
             backupFrequency = data['backupFrequency']
 
             gD = GDrive.objects.get(name=selectedAccount)
+
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL):
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             gD.runTime = backupFrequency
             gD.save()
 
@@ -307,6 +332,12 @@ class BackupManager:
             website = data['website']
 
             gD = GDrive.objects.get(name=selectedAccount)
+
+            if ACLManager.checkGDriveOwnership(gD, admin, currentACL) == 1 and ACLManager.checkOwnership(website, admin, currentACL) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('status', 0)
+
             sites = GDriveSites.objects.filter(owner=gD, domain=website)
             for items in sites:
 
diff --git a/plogical/acl.py b/plogical/acl.py
index e3ae1f63f..7efbad6c7 100755
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -562,6 +562,22 @@ class ACLManager:
         else:
             return 0
 
+    @staticmethod
+    def checkGDriveOwnership(gD, admin, currentACL):
+
+        try:
+            if currentACL['admin'] == 1:
+                return 1
+            elif gD.owner == admin:
+                return 1
+            elif gD.owner.owner == admin.pk:
+                return 1
+
+            return 0
+        except:
+            return 0
+
+
     @staticmethod
     def checkOwnershipZone(domain, admin, currentACL):
         domain = Websites.objects.get(domain=domain)
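Review bot: checkGDriveOwnership in the acl.py hunk uses a bare `except:`, which turns every exception, including KeyboardInterrupt and SystemExit, into a denial; failing closed is the right default for an authorization helper, but the clause should be `except Exception:` so that only genuine lookup failures (a currentACL without an 'admin' key, a gD whose owner chain is incomplete) are swallowed and interpreter signals still propagate. The method also has no docstring; add one stating that it returns 1 when the caller is a global admin, is the account's owner, or — presumably — is the reseller that owns the account's owner (the `gD.owner.owner == admin.pk` comparison only means that if `owner.owner` holds a parent Administrator pk; confirm against the model, which is outside this diff), and 0 otherwise, including on any lookup error. Keeping the 0/1 ints rather than switching to bools is consistent with the `== 1` comparisons in the backupManager.py callers, so the return convention should stay as it is.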