Evaluate file access permissions

2026-02-04 18:10:38 +01:00 · 2026-01-04 17:49:33 +01:00
14 changed files with 22 additions and 127 deletions
--- a/docs/nginx/nginx.conf
+++ b/docs/nginx/nginx.conf
@@ -1,43 +0,0 @@
 server {
    listen       [::]:443 ssl;
    listen       443 ssl;
    server_name  myhost;
    # ssl_certificate ...;
    add_header X-Xss-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=15768000";
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Content-Security-Policy "child-src 'none'; object-src 'none'";
    client_max_body_size 250M;
    error_page  403 404 https://$server_name/404;
    location / {
        proxy_pass               http://127.0.0.1:8000;
        proxy_set_header         Host              $host;
        proxy_set_header         X-Real-IP         $remote_addr;
        proxy_set_header         X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header         X-Forwarded-Proto $scheme;
        proxy_redirect           http:// https://;
        proxy_connect_timeout    1800;
        proxy_read_timeout       1800;
        proxy_max_temp_file_size 8192m;
    }
    # static files
    location /static {
        root /myroot/ram/storage;
    }
    # media files
    location ~ ^/media/(images|uploads) {
        root /myroot/ram/storage;
    }
    # protected filed to be served via X-Accel-Redirect
    location /private {
    	internal;
        alias /myroot/ram/storage/media;
    }
 }
--- a/ram/bookshelf/admin.py
+++ b/ram/bookshelf/admin.py
@@ -29,7 +29,7 @@ from bookshelf.models import (
 class BookImageInline(SortableInlineAdminMixin, admin.TabularInline):
    model = BaseBookImage
    min_num = 0
-    extra = 1
+    extra = 0
    readonly_fields = ("image_thumbnail",)
    classes = ["collapse"]
    verbose_name = "Image"
@@ -47,7 +47,7 @@ class BookPropertyInline(admin.TabularInline):
 class BookDocInline(admin.TabularInline):
    model = BookDocument
    min_num = 0
-    extra = 1
+    extra = 0
    classes = ["collapse"]
--- a/ram/consist/admin.py
+++ b/ram/consist/admin.py
@@ -47,7 +47,7 @@ class ConsistAdmin(SortableAdminBase, admin.ModelAdmin):
        "creation_time",
        "updated_time",
    )
-    list_filter = ("published", "company__name", "era", "scale__scale")
+    list_filter = ("published", "company__name", "era", "scale")
    list_display = (
        "__str__",
        "company__name",
--- a/ram/consist/models.py
+++ b/ram/consist/models.py
@@ -56,15 +56,6 @@ class Consist(BaseModel):
            order=models.Max("order"),
        ).order_by("order")
    def get_cover(self):
        if self.image:
            return self.image
        else:
            consist_item = self.consist_item.first()
            if consist_item and consist_item.rolling_stock.image.exists():
                return consist_item.rolling_stock.image.first().image
        return None
    @property
    def country(self):
        return self.company.country
--- a/ram/metadata/admin.py
+++ b/ram/metadata/admin.py
@@ -24,7 +24,7 @@ class PropertyAdmin(admin.ModelAdmin):
 class DecoderDocInline(admin.TabularInline):
    model = DecoderDocument
    min_num = 0
-    extra = 1
+    extra = 0
    classes = ["collapse"]
--- a/ram/portal/templates/cards/consist.html
+++ b/ram/portal/templates/cards/consist.html
@@ -1,13 +1,12 @@
 {% load static %}
      <div class="col">
        <div class="card shadow-sm">
          <a href="{{ d.get_absolute_url }}">
-          {% if d.get_cover %}
+          {% if d.image %}
-            <img class="card-img-top" src="{{ d.get_cover.url }}" alt="{{ d }}">
+            <img class="card-img-top" src="{{ d.image.url }}" alt="{{ d }}">
          {% else %}
-            <!-- Do not show the "Coming soon" image when running in a single card column mode (e.g. on mobile) -->
+            {% with d.consist_item.first.rolling_stock as r %}
-            <a href="{{d.get_absolute_url}}"><img class="card-img-top d-none d-sm-block" src="{% static DEFAULT_CARD_IMAGE %}" alt="{{ d }}"></a>
+            <img class="card-img-top" src="{{ r.image.first.image.url }}" alt="{{ d }}">
            {% endwith %}
          {% endif %}
          </a>
          <div class="card-body">
--- a/ram/portal/templates/consist.html
+++ b/ram/portal/templates/consist.html
@@ -34,7 +34,6 @@
        {% endfor %}
      {% endblock %}
      </div>
      {% if loads %}
      <div class="accordion shadow-sm mt-4" id="accordionLoads">
        <div class="accordion-item">
          <h2 class="accordion-header">
@@ -53,7 +52,6 @@
          </div>
        </div>
      </div>
      {% endif %}
      {% endblock %}
      {% block pagination %}
      {% if data.has_other_pages %}
--- a/ram/portal/views.py
+++ b/ram/portal/views.py
@@ -6,7 +6,6 @@ from urllib.parse import unquote
 from django.conf import settings
 from django.views import View
 from django.urls import Resolver404
 from django.http import Http404, HttpResponseBadRequest
 from django.db.utils import OperationalError, ProgrammingError
 from django.db.models import F, Q, Count
@@ -64,18 +63,7 @@ def get_items_ordering(config="items_ordering"):
 class Render404(View):
    def get(self, request, exception):
-        generic_message = "Page not found"
+        return render(request, "base.html", {"title": "404 page not found"})
        if isinstance(exception, Resolver404):
            message = generic_message
        else:
            message = str(exception) if exception else generic_message
        return render(
            request,
            "base.html",
            {"title": message},
            status=404,
        )
 class GetData(View):
--- a/ram/ram/init.py
+++ b/ram/ram/init.py
@@ -1,4 +1,4 @@
 from ram.utils import git_suffix
-__version__ = "0.19.8"
+__version__ = "0.19.6"
 __version__ += git_suffix(__file__)
--- a/ram/ram/local_settings.py.tmpl
+++ b/ram/ram/local_settings.py.tmpl
@@ -34,4 +34,3 @@ ALLOWED_HOSTS = ["127.0.0.1", "myhost"]
 CSRF_TRUSTED_ORIGINS = ["https://myhost"]
 STATIC_URL = "static/"
 MEDIA_URL = "media/"
 USE_X_ACCEL_REDIRECT = True
--- a/ram/ram/settings.py
+++ b/ram/ram/settings.py
@@ -206,19 +206,6 @@ ROLLING_STOCK_TYPES = [
 FEATURED_ITEMS_MAX = 6
 # If True, use X-Accel-Redirect (Nginx)
 # when using X-Accel-Redirect, we don't serve the file
 # directly from Django, but let Nginx handle it
 # in Nginx config, we need to map /private/ to
 # the actual media files location with internal directive
 # eg:
 #   location /private {
 #       internal;
 #       alias /path/to/media;
 #   }
 # make also sure that the entire /media is _not_ mapped directly in Nginx
 USE_X_ACCEL_REDIRECT = False
 try:
    from ram.local_settings import *
 except ImportError:
--- a/ram/ram/urls.py
+++ b/ram/ram/urls.py
@@ -28,15 +28,11 @@ handler404 = Render404.as_view()
 urlpatterns = [
    path("", lambda r: redirect("portal/")),
    path("admin/", admin.site.urls),
    path("tinymce/", include("tinymce.urls")),
    path("tinymce/upload_image", UploadImage.as_view(), name="upload_image"),
    path(
        "media/files/<path:filename>",
        DownloadFile.as_view(),
        name="download_file",
    ),
    path("portal/", include("portal.urls")),
    path("admin/", admin.site.urls),
    path("media/files/<path:filename>", DownloadFile.as_view(), name="download_file"),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 # Enable the "/dcc" routing only if the "driver" app is active
@@ -60,7 +56,6 @@ if settings.DEBUG:
    if settings.REST_ENABLED:
        from django.views.generic import TemplateView
        from rest_framework.schemas import get_schema_view
        urlpatterns += [
            path(
                "swagger/",
--- a/ram/ram/views.py
+++ b/ram/ram/views.py
@@ -9,7 +9,6 @@ from django.apps import apps
 from django.conf import settings
 from django.http import (
    Http404,
    HttpResponse,
    HttpResponseBadRequest,
    HttpResponseForbidden,
    FileResponse,
@@ -77,7 +76,7 @@ class UploadImage(View):
 class DownloadFile(View):
-    def get(self, request, filename, disposition="inline"):
+    def get(self, request, filename):
        # Clean up the filename to prevent directory traversal attacks
        filename = os.path.basename(filename)
@@ -88,33 +87,15 @@ class DownloadFile(View):
                try:
                    doc = model.objects.get(file__endswith=filename)
                    if doc.private and not request.user.is_staff:
-                        break
+                        raise Http404("File not found")
-                    file = doc.file
+                    file_path = doc.file.path
-                    if not os.path.exists(file.path):
+                    if not os.path.exists(file_path):
-                        break
+                        raise Http404("File not found")
                    # in Nginx config, we need to map /private/ to
                    # the actual media files location with internal directive
                    # eg:
                    #   location /private {
                    #       internal;
                    #       alias /path/to/media;
                    #   }
                    if getattr(settings, "USE_X_ACCEL_REDIRECT", False):
                        response = HttpResponse()
                        response["Content-Type"] = ""
                        response["X-Accel-Redirect"] = f"/private/{file.name}"
                    else:
                        response = FileResponse(
                            open(file.path, "rb"), as_attachment=True
                        )
                    response = FileResponse(open(file_path, "rb"), as_attachment=True)
                    response["Content-Disposition"] = (
-                        '{}; filename="{}"'.format(
+                        f'attachment; filename="{smart_str(os.path.basename(file_path))}"'
                            disposition,
                            smart_str(os.path.basename(file.path))
                        )
                    )
                    return response
                except model.DoesNotExist:
--- a/ram/roster/admin.py
+++ b/ram/roster/admin.py
@@ -53,14 +53,14 @@ class RollingClass(admin.ModelAdmin):
 class RollingStockDocInline(admin.TabularInline):
    model = RollingStockDocument
    min_num = 0
-    extra = 1
+    extra = 0
    classes = ["collapse"]
 class RollingStockImageInline(SortableInlineAdminMixin, admin.TabularInline):
    model = RollingStockImage
    min_num = 0
-    extra = 1
+    extra = 0
    readonly_fields = ("image_thumbnail",)
    classes = ["collapse"]