Various lockdown fixes (#58)

RamZallan · web-flow · commit 00d1aa740593 · 2019-10-09T15:38:42.000-04:00
* Add .swp files to gitignore

* Display more helpful lockdown page, move more routes behind lockdown
diff --git a/.gitignore b/.gitignore
@@ -97,3 +97,6 @@ data.db
 
 # mypy
 .mypy_cache
+
+# vim swap files
+*.swp
diff --git a/gallery/__init__.py b/gallery/__init__.py
@@ -247,6 +247,9 @@ def view_mkdir(auth_dict: Optional[Dict[str, Any]] = None):
 @auth.oidc_auth('default')
 @gallery_auth
 def view_jumpdir(auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
     return render_template("jumpdir.html",
                            auth_dict=auth_dict)
 
@@ -733,7 +736,12 @@ def tag_file(file_id: int):
 
 @app.route("/api/file/get/<int:file_id>")
 @auth.oidc_auth('default')
-def display_file(file_id: int):
+@gallery_auth
+def display_file(file_id: int, auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
+
     file_model = File.query.filter(File.id == file_id).first()
 
     if file_model is None:
@@ -745,7 +753,12 @@ def display_file(file_id: int):
 
 @app.route("/api/thumbnail/get/<int:file_id>")
 @auth.oidc_auth('default')
-def display_thumbnail(file_id: int):
+@gallery_auth
+def display_thumbnail(file_id: int, auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
+
     file_model = File.query.filter(File.id == file_id).first()
 
     link = storage_interface.get_link("thumbnails/{}".format(file_model.s3_id))
@@ -754,7 +767,12 @@ def display_thumbnail(file_id: int):
 
 @app.route("/api/thumbnail/get/dir/<int:dir_id>")
 @auth.oidc_auth('default')
-def display_dir_thumbnail(dir_id: int):
+@gallery_auth
+def display_dir_thumbnail(dir_id: int, auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
+
     dir_model = Directory.query.filter(Directory.id == dir_id).first()
 
     thumbnail_uuid = dir_model.thumbnail_uuid
@@ -810,7 +828,11 @@ def get_supported_mimetypes():
 
 @app.route("/api/get_dir_tree")
 @auth.oidc_auth('default')
-def get_dir_tree(internal: bool = False):
+@gallery_auth
+def get_dir_tree(internal: bool = False, auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
 
     # TODO: Convert to iterative tree traversal using a queue to avoid
     # recursion issues with large directory structures
@@ -843,7 +865,12 @@ def get_dir_children(dir_id: int) -> Any:
 
 @app.route("/api/directory/get/<int:dir_id>")
 @auth.oidc_auth('default')
-def display_files(dir_id: int, internal: bool = False):
+@gallery_auth
+def display_files(dir_id: int, internal: bool = False, auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
+
     file_list = [("File", f) for f in File.query.filter(File.parent == dir_id).all()]
     dir_list = [("Directory", d) for d in Directory.query.filter(Directory.parent == dir_id).all()]
 
@@ -995,7 +1022,12 @@ def view_filtered(auth_dict: Optional[Dict[str, Any]] = None):
 
 @app.route("/api/memberlist")
 @auth.oidc_auth('default')
-def get_member_list():
+@gallery_auth
+def get_member_list(auth_dict: Optional[Dict[str, Any]] = None):
+    gallery_lockdown = util.get_lockdown_status()
+    if gallery_lockdown and (not auth_dict['is_eboard'] and not auth_dict['is_rtp']):
+        abort(405)
+
     return jsonify(ldap.get_members())
 
 
@@ -1014,7 +1046,7 @@ def route_errors(error: Any, auth_dict: Optional[Dict[str, Any]] = None):
     if code == 404:
         error_desc = "Page Not Found"
     elif code == 405:
-        error_desc = "Page Not Available"
+        error_desc = "Gallery is currently unavailable"
     else:
         error_desc = type(error).__name__
 
diff --git a/gallery/static/images/material_lock.svg b/gallery/static/images/material_lock.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><g fill="none"><path d="M0 0h24v24H0V0z"/><path opacity=".87" d="M0 0h24v24H0V0z"/></g><path d="M18 8h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2zm-6 9c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zM9 8V6c0-1.66 1.34-3 3-3s3 1.34 3 3v2H9z" fill="#C1C1C1"/></svg>
diff --git a/gallery/templates/errors.html b/gallery/templates/errors.html
@@ -6,10 +6,15 @@
 {% block body %}
 <div class="container error-page align-center">
     <div class="col-xs-12">
-        <img src="/static/images/material_attention.svg" alt="Attention!">
-        <h1>Oops!</h1>
-        <h2>Something has gone terribly wrong!</h2>
-        <h3>{{ error }}</h3>
+        {% if error_code == 405 %}
+            <img src="/static/images/material_lock.svg" alt="Locked" />
+            <h1>{{ error }}</h1>
+        {% else %}
+            <img src="/static/images/material_attention.svg" alt="Attention" />
+            <h1>Oops!</h1>
+            <h2>Something has gone terribly wrong!</h2>
+            <h3>{{ error }}</h3>
+        {% endif %}
     </div>
 </div>
 {% endblock %}
