Merge pull request #4 from ravin-d-27/ravin

ravin-d-27 · web-flow · commit 512d011ea111 · 2024-01-25T12:47:58.000+05:30
Modified Views.py for security
diff --git a/File_Server/files/migrations/0003_uploadedfile_hashed_file_id.py b/File_Server/files/migrations/0003_uploadedfile_hashed_file_id.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.0 on 2024-01-25 04:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('files', '0002_uploadedfile_notes'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='uploadedfile',
+            name='hashed_file_id',
+            field=models.CharField(blank=True, max_length=128, null=True),
+        ),
+    ]
diff --git a/File_Server/files/migrations/0004_remove_uploadedfile_hashed_file_id_and_more.py b/File_Server/files/migrations/0004_remove_uploadedfile_hashed_file_id_and_more.py
@@ -0,0 +1,22 @@
+# Generated by Django 5.0 on 2024-01-25 04:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('files', '0003_uploadedfile_hashed_file_id'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='uploadedfile',
+            name='hashed_file_id',
+        ),
+        migrations.AddField(
+            model_name='uploadedfile',
+            name='unique_token',
+            field=models.CharField(blank=True, max_length=32, unique=True),
+        ),
+    ]
diff --git a/File_Server/files/models.py b/File_Server/files/models.py
@@ -1,13 +1,23 @@
 # files/models.py
-
 from django.db import models
 from django.contrib.auth.models import User
+from django.contrib.auth.hashers import make_password
+import secrets
 
 class UploadedFile(models.Model):
     user = models.ForeignKey(User, on_delete=models.CASCADE)
     file = models.FileField(upload_to='uploads/')
     uploaded_at = models.DateTimeField(auto_now_add=True)
     notes = models.TextField(blank=True)
+    
+    # Add a new field to store the unique token
+    unique_token = models.CharField(max_length=32, unique=True, blank=True)
+
+    def save(self, *args, **kwargs):
+        # Generate a unique token for the file
+        if not self.unique_token:
+            self.unique_token = secrets.token_urlsafe(16)
+        super().save(*args, **kwargs)
 
     def __str__(self):
-        return f"{self.user.username} - {self.file.name}"
+        return f"{self.user.username} - {self.file.name}"
diff --git a/File_Server/files/templates/files/file_list.html b/File_Server/files/templates/files/file_list.html
@@ -67,29 +67,28 @@ <h4 class="my-0 fw-normal"><b>{{ file.file.name|slice:"8:" }}</b></h4>
               <li><b>Note: </b>{{ file.notes }}</li>
             </ul>
 
-            <a href="{% url 'files:share_file' file_id=file.id %}" class="btn btn-primary" id='view' target="_blank">Share File Link</a>
-            <a href="{% url 'files:download_file' file_id=file.id %}" class="btn btn-success" id='download'>Download File</a>
-            <a href="{% url 'files:view_file' file_id=file.id %}" class="btn btn-warning" id='view' target="_blank">View File</a>
-            <a class="btn btn-danger" id='delete' onclick="raise_alerts({{file.id}})">Delete File</a>
+            <a href="{% url 'files:share_file' unique_token=file.unique_token %}" class="btn btn-primary" id='view' target="_blank">Share File Link</a>
+            <a href="{% url 'files:download_file' unique_token=file.unique_token %}" class="btn btn-success" id='download'>Download File</a>
+            <a href="{% url 'files:view_file' unique_token=file.unique_token %}" class="btn btn-warning" id='view' target="_blank">View File</a>
+            <a class="btn btn-danger" id='delete' href="{% url 'files:delete_file' unique_token=file.unique_token %}">Delete File</a>
+            
           </div>
         </div>
       </div>
 
       <script>
-        function raise_alerts(file_id)
-        {
-            yes = confirm("Are you sure you want to delete this file?");
-
-            if (yes == true)
-            {
-                window.location.replace("{% url 'files:delete_file' file_id=file.id %}".replace('file.id', 'file_id)'));
-                alert("File deleted successfully");
-            }
-            else
-            {
-                alert("File not deleted");
-            }
-        }
+        function raise_alerts(file_id) {
+          yes = confirm("Are you sure you want to delete this file?");
+  
+          if (yes == true) {
+              // Replace 'file.id' with the actual value of the file_id variable
+              window.location.replace("{% url 'files:delete_file' unique_token='" + file_id + "' %}");
+
+              alert("File deleted successfully");
+          } else {
+              alert("File not deleted");
+          }
+      }
       </script>
       {% endfor %}
     </div>
diff --git a/File_Server/files/urls.py b/File_Server/files/urls.py
@@ -1,14 +1,13 @@
 # files/urls.py
-
 from django.urls import path
 from .views import file_list, upload_file, download_file, delete_file, view_file, share_file
 
 app_name= 'files'
 urlpatterns = [
     path('', file_list, name='file_list'),
     path('upload/', upload_file, name='upload_file'),
-    path('download/<int:file_id>/', download_file, name='download_file'),
-    path('delete/<int:file_id>/', delete_file, name='delete_file'),
-    path('view_file/<int:file_id>/', view_file, name='view_file'),
-    path('share_file/<int:file_id>/', share_file, name='share_file'),
+    path('download/<str:unique_token>/', download_file, name='download_file'),
+    path('delete/<str:unique_token>/', delete_file, name='delete_file'),
+    path('view_file/<str:unique_token>/', view_file, name='view_file'),
+    path('share_file/<str:unique_token>/', share_file, name='share_file'),
 ]
diff --git a/File_Server/files/views.py b/File_Server/files/views.py
@@ -1,8 +1,7 @@
-# files/views.py
-
-from django.shortcuts import render, redirect, get_object_or_404
-from django.http import HttpResponse
 from django.contrib.auth.decorators import login_required
+from django.http import HttpResponse, FileResponse
+from django.shortcuts import render, redirect, get_object_or_404
+from django.contrib.auth.hashers import make_password
 from .models import UploadedFile
 from .forms import FileUploadForm
 from storages.backends.s3boto3 import S3Boto3Storage
@@ -27,46 +26,57 @@ def upload_file(request):
     return render(request, 'files/upload_file.html', {'form': form})
 
 @login_required
-def download_file(request, file_id):
-    file = get_object_or_404(UploadedFile, id=file_id)
-    response = HttpResponse(file.file, content_type='application/force-download')
-    response['Content-Disposition'] = f'attachment; filename={file.file.name}'
+def download_file(request, unique_token):
+    file_instance = get_object_or_404(UploadedFile, unique_token=unique_token)
+    response = HttpResponse(file_instance.file, content_type='application/force-download')
+    response['Content-Disposition'] = f'attachment; filename={file_instance.file.name}'
     return response
 
+# views.py
 
 @login_required
-def delete_file(request, file_id):
-    file_instance = get_object_or_404(UploadedFile, id=file_id)
+def delete_file(request, unique_token):
+    # Try to find the file by unique_token
+    file_instance = get_object_or_404(UploadedFile, unique_token=unique_token)
+
+    # If file_instance is not found, try to find by hashed_file_id
+    if not file_instance:
+        hashed_file_id = unique_token
+        try:
+            file_instance = UploadedFile.objects.get(hashed_file_id=hashed_file_id)
+        except UploadedFile.DoesNotExist:
+            return HttpResponse("File not found.", status=404)
+
     storage = S3Boto3Storage()
     file_path = file_instance.file.name
 
     if storage.exists(file_path):
         storage.delete(file_path)
+
     file_instance.delete()
-    
-    
+
     files = UploadedFile.objects.filter(user=request.user)
     return redirect('files:file_list')
 
-from django.http import FileResponse
+
 
 @login_required
-def view_file(request, file_id):
-    file_instance = get_object_or_404(UploadedFile, id=file_id)
+def view_file(request, unique_token):
+    file_instance = get_object_or_404(UploadedFile, unique_token=unique_token)
     file_path = file_instance.file.name
     file_extension = file_path.split('.')[-1].lower()
+    
     if file_extension in ['jpg', 'jpeg', 'png', 'gif']:
         return FileResponse(file_instance.file, content_type='image/'+file_extension)
     elif file_extension == 'pdf':
         response = FileResponse(file_instance.file, content_type='application/pdf')
         response['Content-Disposition'] = f'inline; filename={file_instance.file.name}'
         return response
     else:
-        return redirect('files:download_file', file_id=file_id)
-    
+        return redirect('files:download_file', file_id=file_instance.id)
     
-def share_file(request, file_id):
-    file_instance = get_object_or_404(UploadedFile, id=file_id)
+def share_file(request, unique_token):
+    file_instance = get_object_or_404(UploadedFile, unique_token=unique_token)
     file_path = file_instance.file.name
     file_extension = file_path.split('.')[-1].lower()
     if file_extension in ['jpg', 'jpeg', 'png', 'gif']:
@@ -76,4 +86,4 @@ def share_file(request, file_id):
         response['Content-Disposition'] = f'inline; filename={file_instance.file.name}'
         return response
     else:
-        return redirect('files:download_file', file_id=file_id)
+        return redirect('files:download_file', unique_token=unique_token)
