From da909ff084ae67e655002d716a4fff7f402cfb59 Mon Sep 17 00:00:00 2001
From: Ozzieisaacs <ozzie.fernandez.isaacs@googlemail.com>
Date: Wed, 23 Sep 2020 20:50:34 +0200
Subject: [PATCH] Fixes from test of upload restrictions

---
 cps/editbooks.py             | 100 +++++++++++++++++++----------------
 cps/templates/book_edit.html |   8 ++-
 2 files changed, 59 insertions(+), 49 deletions(-)

diff --git a/cps/editbooks.py b/cps/editbooks.py
index 4b43794a..cf2c69f6 100644
--- a/cps/editbooks.py
+++ b/cps/editbooks.py
@@ -466,62 +466,64 @@ def edit_cc_data(book_id, book, to_save):
 def upload_single_file(request, book, book_id):
     # Check and handle Uploaded file
     if 'btn-upload-format' in request.files:
-        requested_file = request.files['btn-upload-format']
-        # check for empty request
-        if requested_file.filename != '':
-            if '.' in requested_file.filename:
-                file_ext = requested_file.filename.rsplit('.', 1)[-1].lower()
-                if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD:
-                    flash(_("File extension '%(ext)s' is not allowed to be uploaded to this server", ext=file_ext),
-                          category="error")
+            requested_file = request.files['btn-upload-format']
+            # check for empty request
+            if requested_file.filename != '':
+                if not current_user.role_upload():
+                    abort(403)
+                if '.' in requested_file.filename:
+                    file_ext = requested_file.filename.rsplit('.', 1)[-1].lower()
+                    if file_ext not in constants.EXTENSIONS_UPLOAD and '' not in constants.EXTENSIONS_UPLOAD:
+                        flash(_("File extension '%(ext)s' is not allowed to be uploaded to this server", ext=file_ext),
+                              category="error")
+                        return redirect(url_for('web.show_book', book_id=book.id))
+                else:
+                    flash(_('File to be uploaded must have an extension'), category="error")
                     return redirect(url_for('web.show_book', book_id=book.id))
-            else:
-                flash(_('File to be uploaded must have an extension'), category="error")
-                return redirect(url_for('web.show_book', book_id=book.id))
 
-            file_name = book.path.rsplit('/', 1)[-1]
-            filepath = os.path.normpath(os.path.join(config.config_calibre_dir, book.path))
-            saved_filename = os.path.join(filepath, file_name + '.' + file_ext)
+                file_name = book.path.rsplit('/', 1)[-1]
+                filepath = os.path.normpath(os.path.join(config.config_calibre_dir, book.path))
+                saved_filename = os.path.join(filepath, file_name + '.' + file_ext)
 
-            # check if file path exists, otherwise create it, copy file to calibre path and delete temp file
-            if not os.path.exists(filepath):
+                # check if file path exists, otherwise create it, copy file to calibre path and delete temp file
+                if not os.path.exists(filepath):
+                    try:
+                        os.makedirs(filepath)
+                    except OSError:
+                        flash(_(u"Failed to create path %(path)s (Permission denied).", path=filepath), category="error")
+                        return redirect(url_for('web.show_book', book_id=book.id))
                 try:
-                    os.makedirs(filepath)
+                    requested_file.save(saved_filename)
                 except OSError:
-                    flash(_(u"Failed to create path %(path)s (Permission denied).", path=filepath), category="error")
+                    flash(_(u"Failed to store file %(file)s.", file=saved_filename), category="error")
                     return redirect(url_for('web.show_book', book_id=book.id))
-            try:
-                requested_file.save(saved_filename)
-            except OSError:
-                flash(_(u"Failed to store file %(file)s.", file=saved_filename), category="error")
-                return redirect(url_for('web.show_book', book_id=book.id))
-
-            file_size = os.path.getsize(saved_filename)
-            is_format = calibre_db.get_book_format(book_id, file_ext.upper())
 
-            # Format entry already exists, no need to update the database
-            if is_format:
-                log.warning('Book format %s already existing', file_ext.upper())
-            else:
-                try:
-                    db_format = db.Data(book_id, file_ext.upper(), file_size, file_name)
-                    calibre_db.session.add(db_format)
-                    calibre_db.session.commit()
-                    calibre_db.update_title_sort(config)
-                except OperationalError as e:
-                    calibre_db.session.rollback()
-                    log.error('Database error: %s', e)
-                    flash(_(u"Database error: %(error)s.", error=e), category="error")
-                    return redirect(url_for('web.show_book', book_id=book.id))
+                file_size = os.path.getsize(saved_filename)
+                is_format = calibre_db.get_book_format(book_id, file_ext.upper())
 
-            # Queue uploader info
-            uploadText=_(u"File format %(ext)s added to %(book)s", ext=file_ext.upper(), book=book.title)
-            worker.add_upload(current_user.nickname,
-                "<a href=\"" + url_for('web.show_book', book_id=book.id) + "\">" + uploadText + "</a>")
+                # Format entry already exists, no need to update the database
+                if is_format:
+                    log.warning('Book format %s already existing', file_ext.upper())
+                else:
+                    try:
+                        db_format = db.Data(book_id, file_ext.upper(), file_size, file_name)
+                        calibre_db.session.add(db_format)
+                        calibre_db.session.commit()
+                        calibre_db.update_title_sort(config)
+                    except OperationalError as e:
+                        calibre_db.session.rollback()
+                        log.error('Database error: %s', e)
+                        flash(_(u"Database error: %(error)s.", error=e), category="error")
+                        return redirect(url_for('web.show_book', book_id=book.id))
+
+                # Queue uploader info
+                uploadText=_(u"File format %(ext)s added to %(book)s", ext=file_ext.upper(), book=book.title)
+                worker.add_upload(current_user.nickname,
+                    "<a href=\"" + url_for('web.show_book', book_id=book.id) + "\">" + uploadText + "</a>")
 
-            return uploader.process(
-                saved_filename, *os.path.splitext(requested_file.filename),
-                rarExecutable=config.config_rarfile_location)
+                return uploader.process(
+                    saved_filename, *os.path.splitext(requested_file.filename),
+                    rarExecutable=config.config_rarfile_location)
 
 
 def upload_cover(request, book):
@@ -529,6 +531,8 @@ def upload_cover(request, book):
         requested_file = request.files['btn-upload-cover']
         # check for empty request
         if requested_file.filename != '':
+            if not current_user.role_upload():
+                abort(403)
             ret, message = helper.save_cover(requested_file, book.path)
             if ret is True:
                 return True
@@ -609,6 +613,8 @@ def edit_book(book_id):
 
         if not error:
             if to_save["cover_url"]:
+                if not current_user.role_upload() and to_save["cover_url"] != "":
+                    return "", (403)
                 result, error = helper.save_cover_from_url(to_save["cover_url"], book.path)
                 if result is True:
                     book.has_cover = 1
diff --git a/cps/templates/book_edit.html b/cps/templates/book_edit.html
index 5c081101..ef483c5c 100644
--- a/cps/templates/book_edit.html
+++ b/cps/templates/book_edit.html
@@ -92,15 +92,19 @@
       <label for="rating">{{_('Rating')}}</label>
       <input type="number"  name="rating" id="rating" class="rating input-lg" data-clearable="" value="{% if book.ratings %}{{(book.ratings[0].rating / 2)|int}}{% endif %}">
     </div>
+    {% if g.user.role_upload() or g.user.role_admin()%}
+      {% if g.allow_upload %}
     <div class="form-group">
       <label for="cover_url">{{_('Fetch Cover from URL (JPEG - Image will be downloaded and stored in database)')}}</label>
       <input type="text" class="form-control" name="cover_url" id="cover_url" value="">
     </div>
-    <div class="form-group" aria-label="Upload cover from local drive">
+      <div class="form-group" aria-label="Upload cover from local drive">
         <label class="btn btn-primary btn-file" for="btn-upload-cover">{{ _('Upload Cover from Local Disk') }}</label>
         <div class="upload-cover-input-text" id="upload-cover"></div>
         <input id="btn-upload-cover" name="btn-upload-cover" type="file" accept=".jpg, .jpeg, .png, .webp">
-    </div>
+      </div>
+      {% endif %}
+    {% endif %}
     <div class="form-group">
       <label for="pubdate">{{_('Published Date')}}</label>
       <div style="position: relative">