Hacker-Software
/
minmal-file-cloud-email-pim-passmanager
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Share-Links mit Berechtigungen (Lesen / Lesen+Schreiben) 

Share-Links haben jetzt ein permission-Feld (read/write):

- read (Standard): Nur Download erlaubt, kein Upload, kein Aendern
- write: Download + Upload in Ordner erlaubt

Backend-Absicherung:
- POST /share/<token>/upload prueft permission == 'write', gibt 403
  bei read-only Links zurueck
- GET /share/<token>/info gibt permission + upload_allowed zurueck
- ShareLink-Model hat neues permission-Feld (default: 'read')

Frontend Share-Dialog:
- Dropdown "Berechtigung" beim Erstellen von Links
  (Nur Lesen / Lesen+Hochladen)
- Bestehende Links zeigen Berechtigungslevel an

Frontend ShareView:
- Upload-Zone nur sichtbar wenn upload_allowed == true
- Bei read-only Links: kein Drag & Drop, kein Upload-Button

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker 2026-04-11 18:39:38 +02:00
parent 6a17748552
commit 116c33a7dc
3 changed files with 25 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
backend/app/api/files.py
View File

@ -419,6 +419,10 @@ def create_share_link(file_id):
password = data.get('password')
expires_at = data.get('expires_at')
max_downloads = data.get('max_downloads')
permission = data.get('permission', 'read')
if permission not in ('read', 'write'):
return jsonify({'error': 'Berechtigung muss "read" oder "write" sein'}), 400
token = secrets.token_urlsafe(32)
password_hash = None
@ -435,6 +439,7 @@ def create_share_link(file_id):
link = ShareLink(
file_id=file_id,
token=token,
permission=permission,
password_hash=password_hash,
expires_at=exp_dt,
created_by=user.id,
@ -446,6 +451,7 @@ def create_share_link(file_id):
return jsonify({
'token': token,
'url': f'/share/{token}',
'permission': permission,
'expires_at': exp_dt.isoformat() if exp_dt else None,
'has_password': bool(password),
}), 201
@ -463,6 +469,7 @@ def list_share_links(file_id):
return jsonify([{
'id': l.id,
'token': l.token,
'permission': l.permission,
'has_password': bool(l.password_hash),
'expires_at': l.expires_at.isoformat() if l.expires_at else None,
'download_count': l.download_count,
@ -490,7 +497,8 @@ def share_info(token):
'size': f.size,
'mime_type': f.mime_type,
'has_password': bool(link.password_hash),
'upload_allowed': f.is_folder,
'permission': link.permission,
'upload_allowed': f.is_folder and link.permission == 'write',
}), 200
@ -560,7 +568,7 @@ def share_download(token):
@api_bp.route('/share/<token>/upload', methods=['POST'])
def share_upload(token):
"""Upload a file via a share link (only if the shared item is a folder)."""
"""Upload a file via a share link (only if the shared item is a folder with write permission)."""
link = ShareLink.query.filter_by(token=token).first()
if not link:
return jsonify({'error': 'Link nicht gefunden'}), 404
@ -568,6 +576,10 @@ def share_upload(token):
if link.is_expired():
return jsonify({'error': 'Link abgelaufen'}), 410
# Check write permission
if link.permission != 'write':
return jsonify({'error': 'Dieser Link erlaubt nur Lesen'}), 403
# Check password if set
if link.password_hash:
password = request.form.get('password', '') or request.headers.get('X-Share-Password', '')

1
backend/app/models/file.py
View File

@ -62,6 +62,7 @@ class ShareLink(db.Model):
id = db.Column(db.Integer, primary_key=True)
file_id = db.Column(db.Integer, db.ForeignKey('files.id'), nullable=False, index=True)
token = db.Column(db.String(64), unique=True, nullable=False, index=True)
permission = db.Column(db.String(20), default='read', nullable=False) # 'read' or 'write'
password_hash = db.Column(db.String(255), nullable=True)
expires_at = db.Column(db.DateTime, nullable=True)
created_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)

12
frontend/src/views/FilesView.vue
View File

@ -162,6 +162,10 @@
<div class="share-section">
<h5>Freigabe-Link erstellen</h5>
<div class="share-form">
<div class="field">
<label>Berechtigung</label>
<Select v-model="shareLinkPermission" :options="linkPermOptions" optionLabel="label" optionValue="value" fluid />
</div>
<div class="field">
<label>Passwort (optional)</label>
<Password v-model="sharePassword" :feedback="false" toggle-mask fluid />
@ -180,7 +184,8 @@
<div class="link-info">
<code>{{ currentOrigin }}/share/{{ link.token }}</code>
<small>
{{ link.download_count }} Downloads
{{ link.permission === 'write' ? 'Lesen+Schreiben' : 'Nur Lesen' }}
| {{ link.download_count }} Downloads
<template v-if="link.expires_at"> | Bis {{ formatDate(link.expires_at) }}</template>
<template v-if="link.has_password"> | Passwortgeschuetzt</template>
</small>
@ -250,6 +255,8 @@ const selectedShareUser = ref(null)
const shareUserPermission = ref('read')
const userSearchResults = ref([])
const userPermOptions = [{ label: 'Lesen', value: 'read' }, { label: 'Schreiben', value: 'write' }, { label: 'Admin', value: 'admin' }]
const linkPermOptions = [{ label: 'Nur Lesen (Download)', value: 'read' }, { label: 'Lesen + Hochladen (nur Ordner)', value: 'write' }]
const shareLinkPermission = ref('read')
const currentOrigin = window.location.origin
const shareLoading = ref(false)
const showDeleteConfirm = ref(false)
@ -580,13 +587,14 @@ async function createShare() {
if (!shareFile.value) return
shareLoading.value = true
try {
const opts = {}
const opts = { permission: shareLinkPermission.value }
if (sharePassword.value) opts.password = sharePassword.value
if (shareExpiry.value) opts.expires_at = shareExpiry.value
await filesStore.createShareLink(shareFile.value.id, opts)
shareLinks.value = await filesStore.getShareLinks(shareFile.value.id)
sharePassword.value = ''
shareExpiry.value = ''
shareLinkPermission.value = 'read'
toast.add({ severity: 'success', summary: 'Link erstellt', life: 3000 })
} catch (err) {
toast.add({ severity: 'error', summary: 'Fehler', detail: err.response?.data?.error, life: 5000 })