haiwen · awu0403 · Sep 9, 2024 · Sep 13, 2024 · Sep 13, 2024 · Sep 13, 2024
diff --git a/frontend/src/shared-dir-view.js b/frontend/src/shared-dir-view.js
@@ -327,7 +327,7 @@ class SharedDirView extends React.Component {
       'url': fileURL,
       'thumbnail': `${siteRoot}thumbnail/${repoID}/${thumbnailSizeForOriginal}${item.file_path}`,
       'src': src,
-      'downloadURL': fileURL + '&dl=1',
+      'downloadURL': fileURL + '&dl=1'
     };
   };
 

diff --git a/seahub/api2/endpoints/internal_api.py b/seahub/api2/endpoints/internal_api.py
@@ -1,5 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 import logging
+from django.contrib.sessions.backends.db import SessionStore
 from rest_framework import status
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -13,6 +14,7 @@
 from seahub.share.models import UploadLinkShare, FileShare, check_share_link_access, check_share_link_access_by_scope
 from seaserv import seafile_api
 from seahub.utils.repo import parse_repo_perm
+from seahub.views import check_folder_permission
 
 logger = logging.getLogger(__name__)
 
@@ -186,3 +188,60 @@ def post(self, request, repo_id):
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
         return Response({'user': rat.app_name})
+
+class CheckThumbnailAccess(APIView):
+    authentication_classes = (SessionCRSFCheckFreeAuthentication, )
+
+    def post(self, request, repo_id):
+        auth = request.META.get('HTTP_AUTHORIZATION', '').split()
+        path = request.data.get('path')
+        is_valid = is_valid_internal_jwt(auth)
+        if not is_valid:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+        if not path:
+            error_msg = 'path invalid'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+        if check_folder_permission(request, repo_id, path) is None:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+        return Response({'success': True})
+
+class CheckShareLinkThumbnailAccess(APIView):
+    authentication_classes = (SessionCRSFCheckFreeAuthentication,)
+
+    def post(self, request):
+        auth = request.META.get('HTTP_AUTHORIZATION', '').split()
+        link_token = request.data.get('token')
+        is_valid = is_valid_internal_jwt(auth)
+        if not is_valid:
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
+
+        share_obj = FileShare.objects.filter(token=link_token).first()
+
+        if not share_obj:
+            error_msg = 'Link does not exist.'
+            return api_error(status.HTTP_404_NOT_FOUND, error_msg)
+
+        if share_obj.is_expired():
+            error_msg = 'Link is expired.'
+            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
+        if share_obj.is_encrypted() and not check_share_link_access(request,
+                                                                    link_token):
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
+        if not check_share_link_access_by_scope(request, share_obj):
+            error_msg = 'Permission denied.'
+            return api_error(status.HTTP_403_FORBIDDEN, error_msg)
+
+        resp_json = {
+            'success': True,
+            'repo_id': share_obj.repo_id,
+            'share_path': share_obj.path,
+            'share_type': share_obj.s_type
+        }
+        return Response(resp_json)
diff --git a/seahub/api2/endpoints/share_links.py b/seahub/api2/endpoints/share_links.py
@@ -40,7 +40,7 @@
     check_filename_with_rename, gen_file_upload_url, \
     get_password_strength_level, is_valid_password, is_valid_email, string2list
 from seahub.utils.file_op import if_locked_by_online_office
-from seahub.utils.file_types import IMAGE, VIDEO, XMIND
+from seahub.utils.file_types import IMAGE, VIDEO, XMIND, PDF
 from seahub.utils.file_tags import get_tagged_files, get_files_tags_in_dir
 from seahub.utils.timeutils import datetime_to_isoformat_timestr, \
         timestamp_to_isoformat_timestr
@@ -49,7 +49,7 @@
 from seahub.settings import SHARE_LINK_EXPIRE_DAYS_MAX, \
         SHARE_LINK_EXPIRE_DAYS_MIN, SHARE_LINK_LOGIN_REQUIRED, \
         SHARE_LINK_EXPIRE_DAYS_DEFAULT, THUMBNAIL_DEFAULT_SIZE, \
-        ENABLE_VIDEO_THUMBNAIL, \
+        ENABLE_VIDEO_THUMBNAIL, ENABLE_PDF_THUMBNAIL,\
         THUMBNAIL_ROOT, ENABLE_UPLOAD_LINK_VIRUS_CHECK
 from seahub.wiki.models import Wiki
 from seahub.views.file import can_edit_file
@@ -986,7 +986,8 @@ def get(self, request, token):
 
                 file_type, file_ext = get_file_type_and_ext(dirent.obj_name)
                 if file_type in (IMAGE, XMIND) or \
-                        (file_type == VIDEO and ENABLE_VIDEO_THUMBNAIL):
+                        (file_type == VIDEO and ENABLE_VIDEO_THUMBNAIL) or \
+                        (file_type == PDF and ENABLE_PDF_THUMBNAIL):
 
                     if os.path.exists(os.path.join(THUMBNAIL_ROOT, str(thumbnail_size), dirent.obj_id)):
                         req_image_path = posixpath.join(request_path, dirent.obj_name)

diff --git a/seahub/urls.py b/seahub/urls.py
@@ -5,7 +5,7 @@
 from seahub.ai.apis import ImageCaption, GenerateSummary
 from seahub.api2.endpoints.share_link_auth import ShareLinkUserAuthView, ShareLinkEmailAuthView
 from seahub.api2.endpoints.internal_api import InternalUserListView, InternalCheckShareLinkAccess, \
-    InternalCheckFileOperationAccess
+    InternalCheckFileOperationAccess, CheckThumbnailAccess, CheckShareLinkThumbnailAccess
 from seahub.auth.views import multi_adfs_sso
 from seahub.views import *
 from seahub.views.mobile import mobile_login
@@ -795,6 +795,8 @@
     re_path(r'^api/v2.1/internal/user-list/$', InternalUserListView.as_view(), name="api-v2.1-internal-user-list"),
     re_path(r'^api/v2.1/internal/check-share-link-access/$', InternalCheckShareLinkAccess.as_view(), name="api-v2.1-internal-share-link-info"),
     re_path(r'^api/v2.1/internal/repos/(?P<repo_id>[-0-9a-f]{36})/check-access/$', InternalCheckFileOperationAccess.as_view(), name="api-v2.1-internal-check-file-op-access"),
+    re_path(r'^api/v2.1/internal/repos/(?P<repo_id>[-0-9a-f]{36})/check-thumbnail/$', CheckThumbnailAccess.as_view(), name='api-v2.1-internal-check-thumbnail-access'),
+    re_path(r'^api/v2.1/internal/check-share-link-thumbnail/$', CheckShareLinkThumbnailAccess.as_view(), name='api-v2.1-internal-check-share-link-thumbnail-access'),
 
     ### system admin ###
     re_path(r'^sys/seafadmin/delete/(?P<repo_id>[-0-9a-f]{36})/$', sys_repo_delete, name='sys_repo_delete'),