From 2e72e30413f5d32cb69ad2ed5ff4ef0a3c528c79 Mon Sep 17 00:00:00 2001
From: "Kevin S. Hahn" <kevinshahn@gmail.com>
Date: Mon, 23 Mar 2015 14:50:31 -0700
Subject: [PATCH] adds perms check to targetted attachment upload

- works on #15
---
 containers.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/containers.py b/containers.py
index 3f1e859a..3f7198a7 100644
--- a/containers.py
+++ b/containers.py
@@ -285,9 +285,13 @@ class Container(base.RequestHandler):
         # first line is 'content-disposition' line, extract filename
         # second line is content-type, determine how to write to a file, as bytes or as string
         # third linedata_path = self.app.config['data_path'], just a separator, useless
+        if self.request.content_type != 'multipart/form-data':
+            self.abort(400, 'content-type must be "multipart/form-data"')
+        # TODO: metadata validation
+        _id = bson.ObjectId(cid)
+        container, _ = self._get(_id, 'rw')
         data_path = self.app.config['data_path']
         quarantine_path = self.app.config['quarantine_path']
-        _id = bson.ObjectId(cid)
         hashes = []
         with tempfile.TemporaryDirectory(prefix='.tmp', dir=self.app.config['data_path']) as tempdir_path:
             # get and hash the metadata
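Review bot: The permission check added above `data_path` is implicit: `container, _ = self._get(_id, 'rw')` binds `container`, but nothing in the visible lines reads it, so the upload is guarded only if `_get` itself aborts when the caller lacks 'rw'. That helper is not shown here, so this is worth confirming. A comment such as `# authorization gate: _get() must abort unless the caller has 'rw' on this container` would keep a later cleanup from removing the seemingly unused call. Separately, `bson.ObjectId(cid)` raises `bson.errors.InvalidId` on a malformed id, and `cid` presumably comes from the URL, so catching that exception and calling `self.abort(400, ...)` would avoid what is likely an unhandled 500. The method body starts and ends outside this hunk.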
-- 
GitLab