rename benutzer to users

add role management to media page
RobbStarkAustria
2025-10-16 17:57:06 +00:00
parent a7df3c2708
commit 7b38b49598
10 changed files with 116 additions and 5 deletions


@@ -38,7 +38,18 @@ def filemanager_operations():
print(action, path, name, new_name, target_path, full_path) # Debug-Ausgabe
# Superadmin-only protection for the converted folder
from flask import session as flask_session
user_role = flask_session.get('role')
is_superadmin = user_role == 'superadmin'
# Normalize path for checks
norm_path = os.path.normpath('/' + path.lstrip('/'))
under_converted = norm_path == '/converted' or norm_path.startswith('/converted/')
if action == 'read':
# Block listing inside converted for non-superadmins
if under_converted and not is_superadmin:
return jsonify({'files': [], 'cwd': {'name': os.path.basename(full_path), 'path': path}})
# List files and folders
items = []
session = Session()
@@ -61,7 +72,9 @@ def filemanager_operations():
item['dateModified'] = entry.stat().st_mtime
else:
item['dateModified'] = entry.stat().st_mtime
items.append(item)
# Hide the converted folder at root for non-superadmins
if not (not is_superadmin and not entry.is_file() and entry.name == 'converted' and (norm_path == '/' or norm_path == '')):
items.append(item)
session.close()
return jsonify({'files': items, 'cwd': {'name': os.path.basename(full_path), 'path': path}})
@@ -90,6 +103,8 @@ def filemanager_operations():
session.close()
return jsonify({'details': details})
elif action == 'delete':
if under_converted and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
for item in request.form.getlist('names[]'):
item_path = os.path.join(full_path, item)
if os.path.isdir(item_path):
@@ -98,16 +113,23 @@ def filemanager_operations():
os.remove(item_path)
return jsonify({'success': True})
elif action == 'rename':
if under_converted and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
src = os.path.join(full_path, name)
dst = os.path.join(full_path, new_name)
os.rename(src, dst)
return jsonify({'success': True})
elif action == 'move':
# Prevent moving into converted if not superadmin
if (target_path and target_path.strip('/').split('/')[0] == 'converted') and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
src = os.path.join(full_path, name)
dst = os.path.join(MEDIA_ROOT, target_path.lstrip('/'), name)
os.rename(src, dst)
return jsonify({'success': True})
elif action == 'create':
if under_converted and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
os.makedirs(os.path.join(full_path, name), exist_ok=True)
return jsonify({'success': True})
else:
@@ -122,6 +144,12 @@ def filemanager_upload():
session = Session()
# Korrigiert: Erst aus request.form, dann aus request.args lesen
path = request.form.get('path') or request.args.get('path', '/')
from flask import session as flask_session
user_role = flask_session.get('role')
is_superadmin = user_role == 'superadmin'
norm_path = os.path.normpath('/' + path.lstrip('/'))
if (norm_path == '/converted' or norm_path.startswith('/converted/')) and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
upload_path = os.path.join(MEDIA_ROOT, path.lstrip('/'))
os.makedirs(upload_path, exist_ok=True)
for file in request.files.getlist('uploadFiles'):
@@ -184,9 +212,16 @@ def filemanager_upload():
@eventmedia_bp.route('/filemanager/download', methods=['GET'])
def filemanager_download():
path = request.args.get('path', '/')
from flask import session as flask_session
user_role = flask_session.get('role')
is_superadmin = user_role == 'superadmin'
norm_path = os.path.normpath('/' + path.lstrip('/'))
names = request.args.getlist('names[]')
# Nur Einzel-Download für Beispiel
if names:
# Block access to converted for non-superadmins
if (norm_path == '/converted' or norm_path.startswith('/converted/')) and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
file_path = os.path.join(MEDIA_ROOT, path.lstrip('/'), names[0])
return send_from_directory(os.path.dirname(file_path), os.path.basename(file_path), as_attachment=True)
return jsonify({'error': 'No file specified'}), 400
@@ -197,6 +232,12 @@ def filemanager_download():
@eventmedia_bp.route('/filemanager/get-image', methods=['GET'])
def filemanager_get_image():
path = request.args.get('path', '/')
from flask import session as flask_session
user_role = flask_session.get('role')
is_superadmin = user_role == 'superadmin'
norm_path = os.path.normpath('/' + path.lstrip('/'))
if (norm_path == '/converted' or norm_path.startswith('/converted/')) and not is_superadmin:
return jsonify({'error': 'Insufficient permissions'}), 403
file_path = os.path.join(MEDIA_ROOT, path.lstrip('/'))
return send_from_directory(os.path.dirname(file_path), os.path.basename(file_path))
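Review bot: The `converted` guard is computed from `path` only, while the `delete`, `rename` and `move` branches of `filemanager_operations` and `filemanager_download` act on `os.path.join(full_path, name)` or `names[]`, so the path that is authorised is not the path that is operated on; an entry name that is `converted` itself or contains a separator is not covered by `under_converted`. In `move` the source side is not checked at all, and `target_path.strip('/').split('/')[0]` is compared without the `os.path.normpath` step that `norm_path` gets. I would resolve the final path once and test it against the converted root in a shared helper, which also removes the role/normalise preamble repeated in the upload, download and get-image hunks. The `details` branch is only partly visible here, so whether it needs the same guard should be confirmed; the function bodies start and end outside these hunks.

```python
def _in_converted(*parts):
    """Return True when MEDIA_ROOT joined with *parts* resolves to the converted folder or below it."""
    converted_root = os.path.realpath(os.path.join(MEDIA_ROOT, 'converted'))
    target = os.path.realpath(
        os.path.join(MEDIA_ROOT, *((p or '').lstrip('/') for p in parts))
    )
    # Compare resolved paths so '..' segments and symlinks cannot sidestep the check.
    return os.path.commonpath([converted_root, target]) == converted_root

    # … unchanged: role lookup, 'read' and 'details' branches …
    elif action == 'delete':
        names = request.form.getlist('names[]')
        if not is_superadmin and any(_in_converted(path, n) for n in names):
            return jsonify({'error': 'Insufficient permissions'}), 403
        # … unchanged: removal loop …
    elif action == 'rename':
        if not is_superadmin and (_in_converted(path, name) or _in_converted(path, new_name)):
            return jsonify({'error': 'Insufficient permissions'}), 403
        # … unchanged: os.rename …
    elif action == 'move':
        if not is_superadmin and (_in_converted(path, name) or _in_converted(target_path, name)):
            return jsonify({'error': 'Insufficient permissions'}), 403
        # … unchanged: os.rename …
```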