sabre-io / dav

sabre/dav is a CalDAV, CardDAV and WebDAV framework for PHP
http://sabre.io
BSD 3-Clause "New" or "Revised" License

Easy way (callback, f.e.) to check whether filetypes are allowed or not. #203

Closed evert closed 11 years ago

evert commented 11 years ago

Original author: kay.stro...@gmail.com (April 08, 2010 20:03:51)

Hello Devs,

As I said, I'm working on a plugin for TYPO3 to get a powerful WebDAV interface.

I'm currently working on the security layer for upload, remove and so on. I wanted to deny certain filetypes, which will be checked with TYPO3's internal functions. Based on the wiki I started to write a plugin (see the code at the end of this post). The problem is that I found no way to tell the user that this particular filetype is not allowed during creation, move, etc.

So my question is: am I going the wrong way? Please have a look at the code. Thanks.

PS: I validated that the plugin gets loaded with Charles


```php
<?php

class ks_sabredav_permission_plugin extends Sabre_DAV_ServerPlugin {

    public $server;

    //--------------------------------------------------------------------------
    /**
     * get Features function
     */
    function getFeatures() {
        return array();
    }

    //--------------------------------------------------------------------------
    /**
     * initialize function: register for the beforeBind event
     */
    function initialize(Sabre_DAV_Server $server) {
        $this->server = $server;
        $this->server->subscribeEvent('beforeBind', array($this, 'beforeBind'));
    }

    //--------------------------------------------------------------------------
    /**
     * decide whether the creation of a node is allowed
     */
    function beforeBind($path) {
        global $BE_USER;
        global $fileMounts;
        global $TYPO3_CONF_VARS;

        // allow admins to create all filetypes ...
        //if ($BE_USER->isAdmin()) {
        //  return true;
        //}

        // allow only some filetypes for normal users.
        $t3File = new t3lib_basicFileFunctions();
        $t3File->init($fileMounts, $TYPO3_CONF_VARS['BE']['fileExtensions']);

        //check path in mount rules

        // explode by dot and get last chars after dot as extension
        // (array_pop() needs a variable, not the explode() result, or PHP warns)
        $parts = explode('.', $path);
        $ext = array_pop($parts);
        // check if it is allowed to change a specific file
        if (!$t3File->checkIfAllowed($ext, dirname($path), basename($path))) {
            throw new Sabre_DAV_Exception_PermissionDenied('File extension "' . $ext . '" not allowed');
            // stop when filetype is false (never reached: the throw above already aborts the request)
            return false;
        }
        // returning anything but false lets the operation continue
        return true;
    }
}
```

Original issue: http://code.google.com/p/sabredav/issues/detail?id=43

evert commented 11 years ago

From evert...@gmail.com on April 09, 2010 03:44:28: Hi Kay,

The return true and false are a little confusing (I should update the wiki); but it works as follows:

Just like javascript events, if you return false the operation will simply cease. If you return anything else the operation will continue.

However, just stopping the operation is probably not what you want, because in most cases it will just result in an empty response.

Instead, throw an exception. Sabre_DAV_Exception_Forbidden is probably the best choice.

Do note though, that clients don't 'like' error conditions. Also, if you're doing any sort of restrictions like this, you probably want to look into the TemporaryFileFilter plugin as well, as operating systems send along crap files anyway.

I don't see a callback specific for validating filetypes happening if the beforeBind method works. So let me know if this will work for you.
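As an added illustration of the approach described in this reply (throw a Sabre_DAV_Exception_Forbidden from the event handler instead of returning false), here is a small plugin. It is not code from this thread or from sabre/dav itself. It assumes the SabreDAV 1.x class names used in this thread (Sabre_DAV_ServerPlugin, Sabre_DAV_Server, Sabre_DAV_Exception_Forbidden) and that the beforeBind, beforeUnbind and beforeWriteContent events each pass the node path as their first argument; the class name, the allowlist and the usage line are constructed. It goes slightly beyond the original plugin in two ways: it checks every dotted segment of the file name rather than only the last one, and it treats a name without any dot as extensionless instead of taking the whole name as the extension (which is what array_pop(explode('.', $path)) does).

```php
<?php
// Added example, not part of the issue thread or of sabre/dav.
// Assumes SabreDAV 1.x class names as used in this thread and that the
// beforeBind / beforeUnbind / beforeWriteContent events pass the node
// path as their first argument.

class ExtensionAllowlistPlugin extends Sabre_DAV_ServerPlugin {

    /** @var Sabre_DAV_Server */
    protected $server;

    /** @var array lower-cased extensions that may be created, written or removed */
    protected $allowed;

    public function __construct(array $allowedExtensions) {
        $this->allowed = array_map('strtolower', $allowedExtensions);
    }

    public function initialize(Sabre_DAV_Server $server) {
        $this->server = $server;
        // One handler covers create/move (beforeBind), delete (beforeUnbind)
        // and PUT on an existing file (beforeWriteContent), the three events
        // named later in this thread.
        foreach (array('beforeBind', 'beforeUnbind', 'beforeWriteContent') as $event) {
            $server->subscribeEvent($event, array($this, 'checkPath'));
        }
    }

    /**
     * Returns the lower-cased extension segments of the final path component,
     * e.g. "dir/report.tar.gz" -> array('tar', 'gz'). A name without a dot
     * yields an empty array; array_pop(explode('.', $path)) would instead
     * return the whole file name as its "extension".
     */
    public static function extensions($path) {
        $name = basename(rtrim($path, '/'));
        $parts = explode('.', $name);
        array_shift($parts);                       // drop the base name
        return array_values(array_map('strtolower', array_filter($parts, 'strlen')));
    }

    /**
     * Design choice: names without an extension (and collections) pass;
     * every dotted segment of a file name must be allowlisted, so a name
     * like "notes.php.txt" is rejected, not only "notes.php".
     */
    public function isAllowed($path) {
        $exts = self::extensions($path);
        if (count($exts) === 0) {
            return true;
        }
        foreach ($exts as $ext) {
            if (!in_array($ext, $this->allowed, true)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Event handler. Throwing Sabre_DAV_Exception_Forbidden makes the server
     * answer 403 with a proper error body; merely returning false would stop
     * the operation with an empty response, as noted in the reply above.
     */
    public function checkPath($path) {
        if (!$this->isAllowed($path)) {
            throw new Sabre_DAV_Exception_Forbidden(
                'File type not allowed: ' . basename($path)
            );
        }
        return true;                               // anything but false continues
    }
}

// Usage (constructed): register the plugin on an existing Sabre_DAV_Server.
// $server->addPlugin(new ExtensionAllowlistPlugin(array('txt', 'pdf', 'jpg')));
```

The allowlist is deliberately an allowlist rather than a denylist: a denylist of "dangerous" extensions has to be kept complete, while an allowlist only ever admits what was explicitly intended. Extensionless names are let through here because collections (MKCOL) also trigger beforeBind; if extensionless files should be refused too, change the empty-array branch in isAllowed() to return false and exempt collections separately.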

evert commented 11 years ago

From kay.stro...@gmail.com on April 09, 2010 07:18:39: thanks, it works, but the behaviour of NetDrive and other clients is very scary.

netvibes: having a test.txt, renaming it to test.php with NetDrive in Windows Explorer sometimes reloads the file list, and sometimes there is an error "File not found". But the rename is prohibited via the DAV response, which is clearly visible in Charles.

datafreeway: rename as described above, no negative feedback (the new name is displayed in the file list); hit refresh, and the old name is displayed.

Total Commander WebDAV plugin: behaviour as expected, error "Can't write file. Please remove the write protection."

Windows Explorer: currently I only have a Windows 7 for testing; when using net use * it asks for username and password and then gives system error 67, network name not found.

What is needed to get the Windows internal WebDAV client working? I already set up
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel = 2

evert commented 11 years ago

From kay.stro...@gmail.com on April 09, 2010 07:49:34: I tried to add http://wiki.davical.org/w/Permissions_Redesign#privilege but that had no influence.

evert commented 11 years ago

From kay.stro...@gmail.com on April 09, 2010 08:23:32: the files are protected for now using the following 3 events:

  - beforeBind
  - beforeUnbind
  - beforeWriteContent

The user client feedback is still scary; it seems that a read-only WebDAV file is not normal for the clients :( or not implemented.

evert commented 11 years ago

From evert...@gmail.com on April 09, 2010 08:45:36: Hi Kay,

Few notes:

  1. Netdrive indeed sucks. It makes 'best possible case' assumptions, and has other bugs that could be dangerous for usage between multiple people and consistency.
  2. Windows explorer: if you use the net use command, you must always specify the /user option. This is a windows bug. The user interface (instead of the console) should work better.
  3. Not sure how the davical page is related. SabreDAV currently doesn't have ACL support, but none of these clients support ACL so it will unfortunately do you little good.

It sounds like support for something as simple as a 403 is pretty shitty =( I wonder if you can solve it in a different way creatively with TYPO3. Perhaps accepting the file and deleting it shortly after, or a hack like that...

Can I ask you to post future messages to the mailing list: http://groups.google.com/group/sabredav-discuss

Hope you figure it out, Evert