[ARVADOS] updated: 2.1.0-902-geb9fa033e
Git user
git at public.arvados.org
Thu Jun 17 20:48:08 UTC 2021
Summary of changes:
.../restricting-upload-download.html.textile.liquid | 2 +-
services/keep-web/handler.go | 17 ++++++++++++-----
2 files changed, 13 insertions(+), 6 deletions(-)
via eb9fa033e0d19a2459041f296e3286639ad4d1ff (commit)
from d7fb2ac79d28575f074626b92fb91d7b9fdc0ca2 (commit)
commit eb9fa033e0d19a2459041f296e3286639ad4d1ff
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Thu Jun 17 16:47:33 2021 -0400
17464: Don't deny or log GET on directories.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/doc/admin/restricting-upload-download.html.textile.liquid b/doc/admin/restricting-upload-download.html.textile.liquid
index 45bcd8a07..6983e413f 100644
--- a/doc/admin/restricting-upload-download.html.textile.liquid
+++ b/doc/admin/restricting-upload-download.html.textile.liquid
@@ -39,7 +39,7 @@ Permitting @WebDAV@ makes it possible to use WebDAV, S3 API, download from Workb
When a user attempts to upload or download from a service without permission, they will receive a @403 Forbidden@ response. This only applies to file content.
-Denying download permission does not deny access to access to XML file listings with PROPFIND. As a side effect it does deny auto-generated HTML documents that have file listings.
+Denying download permission does not deny access to access to XML file listings with PROPFIND, or auto-generated HTML documents containing file listings.
Denying upload permission does not deny other operations that modify collections without directly accessing file content, such as MOVE and COPY.
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 6d0b7669e..6f6ff542b 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -487,13 +487,14 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
// Check configured permission
_, sess, err := h.Config.Cache.GetSession(arv.ApiToken)
tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken)
- if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
- http.Error(w, "Not permitted", http.StatusForbidden)
- return
- }
- h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
if webdavMethod[r.Method] {
+ if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+ http.Error(w, "Not permitted", http.StatusForbidden)
+ return
+ }
+ h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
if writeMethod[r.Method] {
// Save the collection only if/when all
// webdav->filesystem operations succeed --
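Review bot: The relocated permission check consumes tokenUser from the GetTokenUser call two lines above the webdav branch, but within this hunk its err is never inspected before the call to userPermittedToUploadOrDownload, and that same assignment overwrites the err from GetSession, so a failed session lookup leaves sess possibly nil when `sess.arvadosclient` is dereferenced in the new logging call. If a lookup failure yields a nil user and the helper treats nil as permitted, a cache error would fail open; the helper is not visible here, so please confirm that either way. I would check each error before branching and return a 500 rather than continuing with partial state. ServeHTTP begins well before this hunk and a later check outside it would not help, since the new lines already use both values.

```go
_, sess, err := h.Config.Cache.GetSession(arv.ApiToken)
if err != nil {
	http.Error(w, "session lookup failed", http.StatusInternalServerError)
	return
}
tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken)
if err != nil {
	http.Error(w, "token user lookup failed", http.StatusInternalServerError)
	return
}
if webdavMethod[r.Method] {
	// … unchanged: permission check, download/upload logging, write handling …
```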
@@ -548,6 +549,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
} else if stat.IsDir() {
h.serveDirectory(w, r, collection.Name, fs, openPath, true)
} else {
+ if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+ http.Error(w, "Not permitted", http.StatusForbidden)
+ return
+ }
+ h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
http.ServeContent(w, r, basename, stat.ModTime(), f)
if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK {
// If we wrote fewer bytes than expected, it's
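Review bot: The five new lines before http.ServeContent repeat the webdav branch's permission check and logUploadOrDownload call verbatim, which is the kind of duplicated authorization gate that silently drifts when one copy is later edited; a small method such as `func (h *handler) gateContentAccess(w, r, sess, tokenUser, path, collection) bool` that writes the 403 and returns false would let both sites share one decision. Note also that the new early return on denial now happens after the file `f` has been opened and stat'ed, so confirm a `defer f.Close()` outside this hunk covers that path. The hunk does not show whether the directory branch's listing is logged; given the doc change says listings stay visible to users denied download, a comment such as `// Directory listings are intentionally served without the download permission check (see admin docs)` above the serveDirectory call would make the intent explicit. The enclosing else-chain and ServeHTTP continue outside the hunk.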