From e6d434654de6acad7d59ce4d7005c0f1cadb398e Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sun, 24 Jul 2022 08:56:31 +0200
Subject: [PATCH] backport from main
Signed-off-by: Nicola Murino
---
 cmd/initprovider.go | 5 +++++
 common/dataretention.go | 2 +-
 common/protocol_test.go | 2 +-
 dataprovider/actions.go | 1 +
 dataprovider/dataprovider.go | 28 ++++++++++++++++++++++++++--
 dataprovider/memory.go | 2 +-
 docs/custom-actions.md | 2 ++
 docs/full-configuration.md | 2 +-
 httpd/api_folder.go | 10 ++++++++--
 httpd/api_maintenance.go | 2 +-
 httpd/internal_test.go | 10 ++++++++++
 httpd/webadmin.go | 9 +++++++--
 openapi/openapi.yaml | 2 ++
 templates/webclient/files.html | 2 +-
 14 files changed, 67 insertions(+), 12 deletions(-)
diff --git a/cmd/initprovider.go b/cmd/initprovider.go
index 2984f631..e8dc5ecf 100644
--- a/cmd/initprovider.go
+++ b/cmd/initprovider.go
@@ -48,6 +48,7 @@ To initialize/update the data provider from the configuration directory simply u
 $ sftpgo initprovider
+Any defined action is ignored.
 Please take a look at the usage below to customize the options.`,
 Run: func(cmd *cobra.Command, args []string) {
 logger.DisableLogger()
@@ -65,6 +66,10 @@ Please take a look at the usage below to customize the options.`,
 os.Exit(1)
 }
 providerConf := config.GetProviderConf()
+ // ignore actions
+ providerConf.Actions.Hook = ""
+ providerConf.Actions.ExecuteFor = nil
+ providerConf.Actions.ExecuteOn = nil
 logger.InfoToConsole("Initializing provider: %#v config file: %#v", providerConf.Driver, viper.ConfigFileUsed())
 err = dataprovider.InitializeDatabase(providerConf, configDir)
 if err == nil {
diff --git a/common/dataretention.go b/common/dataretention.go
index 3eee56fb..8bdab706 100644
--- a/common/dataretention.go
+++ b/common/dataretention.go
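Review bot: Clearing `Hook`, `ExecuteFor` and `ExecuteOn` one field at a time in the `Run` closure of cmd/initprovider.go leaves any field later added to the actions struct active during `initprovider`. Assigning the zero value in one statement, `providerConf.Actions = dataprovider.ObjectsActions{}` (assuming `Actions` has the `ObjectsActions` type declared in dataprovider/dataprovider.go), resets the whole section. The `// ignore actions` comment would also be more useful if it said why, for example `// initprovider only prepares the schema: make sure no configured hook is executed or notified from here`. The closure starts and ends outside the hunk.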
@@ -262,7 +262,7 @@ func (c *RetentionCheck) cleanupFolder(folderPath string) error {
 result.Elapsed = time.Since(startTime)
 result.Info = "data retention check skipped: no permissions"
 c.conn.Log(logger.LevelInfo, "user %#v does not have permissions to check retention on %#v, retention check skipped",
- c.conn.User, folderPath)
+ c.conn.User.Username, folderPath)
 return nil
 }
diff --git a/common/protocol_test.go b/common/protocol_test.go
index 6c46360f..38417611 100644
--- a/common/protocol_test.go
+++ b/common/protocol_test.go
@@ -2713,7 +2713,7 @@ func TestDelayedQuotaUpdater(t *testing.T) {
 Name: "folder",
 MappedPath: filepath.Join(os.TempDir(), "p"),
 }
- err = dataprovider.AddFolder(&folder)
+ err = dataprovider.AddFolder(&folder, "", "")
 assert.NoError(t, err)
 err = dataprovider.UpdateVirtualFolderQuota(&folder, 10, 6000, false)
diff --git a/dataprovider/actions.go b/dataprovider/actions.go
index 6f2b09a5..3415fc5d 100644
--- a/dataprovider/actions.go
+++ b/dataprovider/actions.go
@@ -43,6 +43,7 @@ const (
 const (
 actionObjectUser = "user"
+ actionObjectFolder = "folder"
 actionObjectGroup = "group"
 actionObjectAdmin = "admin"
 actionObjectAPIKey = "api_key"
diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go
index bdbf3a2b..75b7b6cc 100644
--- a/dataprovider/dataprovider.go
+++ b/dataprovider/dataprovider.go
@@ -250,6 +250,24 @@ type PasswordValidation struct {
 Users PasswordValidationRules `json:"users" mapstructure:"users"`
 }
+type wrappedFolder struct {
+ Folder vfs.BaseVirtualFolder
+}
+
+func (w *wrappedFolder) RenderAsJSON(reload bool) ([]byte, error) {
+ if reload {
+ folder, err := provider.getFolderByName(w.Folder.Name)
+ if err != nil {
+ providerLog(logger.LevelError, "unable to reload folder before rendering as json: %v", err)
+ return nil, err
+ }
+ folder.PrepareForRendering()
+ return json.Marshal(folder)
+ }
+ w.Folder.PrepareForRendering()
+ return json.Marshal(w.Folder)
+}
+
 // ObjectsActions defines the action to execute on user create, update, delete for the specified objects
 type ObjectsActions struct {
 // Valid values are add, update, delete. Empty slice to disable
@@ -1773,15 +1791,20 @@ func GetUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {
 }
 // AddFolder adds a new virtual folder.
-func AddFolder(folder *vfs.BaseVirtualFolder) error {
+func AddFolder(folder *vfs.BaseVirtualFolder, executor, ipAddress string) error {
 folder.Name = config.convertName(folder.Name)
- return provider.addFolder(folder)
+ err := provider.addFolder(folder)
+ if err == nil {
+ executeAction(operationAdd, executor, ipAddress, actionObjectFolder, folder.Name, &wrappedFolder{Folder: *folder})
+ }
+ return err
 }
 // UpdateFolder updates the specified virtual folder
 func UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, groups []string, executor, ipAddress string) error {
 err := provider.updateFolder(folder)
 if err == nil {
+ executeAction(operationUpdate, executor, ipAddress, actionObjectFolder, folder.Name, &wrappedFolder{Folder: *folder})
 usersInGroups, errGrp := provider.getUsersInGroups(groups)
 if errGrp == nil {
 users = append(users, usersInGroups...)
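Review bot: `wrappedFolder` and its `RenderAsJSON` method in dataprovider/dataprovider.go are added without any comment, although this is where folder data is serialised for the configured action hook. Both branches call `PrepareForRendering()` before `json.Marshal`, which presumably is what keeps confidential filesystem settings out of the payload; that should be written down so a later edit does not marshal the raw struct. I would add `// wrappedFolder adapts a virtual folder for executeAction; RenderAsJSON must call PrepareForRendering before marshalling because the result leaves the process via the action hook.` above the type. The non-reload branch calls `PrepareForRendering()` on the wrapper's own `Folder` value, so the callers' habit of passing a copy (`Folder: *folder`) rather than sharing a pointer is worth mentioning in the same comment.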
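Review bot: The doc comment on `AddFolder` still reads "adds a new virtual folder" although the function now takes `executor` and `ipAddress` and fires the `add` action on success; `UpdateFolder` likewise gains an `executeAction` call without a comment change. Nothing in the hunk validates `executor`, and the updated test in common/protocol_test.go passes `"", ""`, so a hook can receive a folder event with no actor recorded. I would document that contract, e.g. `// AddFolder adds a new virtual folder and, on success, executes the configured "add" action for it. executor and ipAddress are forwarded to the action as-is and may be empty.` UpdateFolder's body continues outside the hunk.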
@@ -1812,6 +1835,7 @@ func DeleteFolder(folderName, executor, ipAddress string) error {
 }
 err = provider.deleteFolder(folder)
 if err == nil {
+ executeAction(operationDelete, executor, ipAddress, actionObjectFolder, folder.Name, &wrappedFolder{Folder: folder})
 users := folder.Users
 usersInGroups, errGrp := provider.getUsersInGroups(folder.Groups)
 if errGrp == nil {
diff --git a/dataprovider/memory.go b/dataprovider/memory.go
index e73d88ca..bb83b9da 100644
--- a/dataprovider/memory.go
+++ b/dataprovider/memory.go
@@ -2007,7 +2007,7 @@ func (p *MemoryProvider) restoreFolders(dump *BackupData) error {
 }
 } else {
 folder.Users = nil
- err = AddFolder(&folder)
+ err = AddFolder(&folder, ActionExecutorSystem, "")
 if err != nil {
 providerLog(logger.LevelError, "error adding folder %#v: %v", folder.Name, err)
 return err
diff --git a/docs/custom-actions.md b/docs/custom-actions.md
index 36fc0167..d9aa6409 100644
--- a/docs/custom-actions.md
+++ b/docs/custom-actions.md
@@ -83,6 +83,8 @@ The `actions` struct inside the `data_provider` configuration section allows you
 The supported object types are:
 - `user`
+- `folder`
+- `group`
 - `admin`
 - `api_key`
diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index 2fee4ec9..3a452f68 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -220,7 +220,7 @@ The configuration file contains the following sections:
 - `users_base_dir`, string. Users default base directory. If no home dir is defined while adding a new user, and this value is a valid absolute path, then the user home dir will be automatically defined as the path obtained joining the base dir and the username
 - `actions`, struct. It contains the command to execute and/or the HTTP URL to notify and the trigger conditions. See [Custom Actions](./custom-actions.md) for more details
 - `execute_on`, list of strings. Valid values are `add`, `update`, `delete`. `update` action will not be fired for internal updates such as the last login or the user quota fields.
- - `execute_for`, list of strings. Defines the provider objects that trigger the action. Valid values are `user`, `admin`, `api_key`.
+ - `execute_for`, list of strings. Defines the provider objects that trigger the action. Valid values are `user`, `folder`, `group`, `admin`, `api_key`, `share`.
 - `hook`, string. Absolute path to the command to execute or HTTP URL to notify.
 - `external_auth_hook`, string. Absolute path to an external program or an HTTP URL to invoke for users authentication. See [External Authentication](./external-auth.md) for more details. Leave empty to disable.
 - `external_auth_scope`, integer. 0 means all supported authentication scopes (passwords, public keys and keyboard interactive). 1 means passwords only. 2 means public keys only. 4 means key keyboard interactive only. 8 means TLS certificate. The flags can be combined, for example 6 means public keys and keyboard interactive
diff --git a/httpd/api_folder.go b/httpd/api_folder.go
index 6a237712..37d561e6 100644
--- a/httpd/api_folder.go
+++ b/httpd/api_folder.go
@@ -42,13 +42,19 @@ func getFolders(w http.ResponseWriter, r *http.Request) {
 func addFolder(w http.ResponseWriter, r *http.Request) {
 r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+ claims, err := getTokenClaims(r)
+ if err != nil || claims.Username == "" {
+ sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+ return
+ }
+
 var folder vfs.BaseVirtualFolder
- err := render.DecodeJSON(r.Body, &folder)
+ err = render.DecodeJSON(r.Body, &folder)
 if err != nil {
 sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 return
 }
- err = dataprovider.AddFolder(&folder)
+ err = dataprovider.AddFolder(&folder, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
 if err != nil {
 sendAPIResponse(w, r, err, "", getRespStatus(err))
 return
diff --git a/httpd/api_maintenance.go b/httpd/api_maintenance.go
index 049f82d9..b6598510 100644
--- a/httpd/api_maintenance.go
+++ b/httpd/api_maintenance.go
@@ -251,7 +251,7 @@ func RestoreFolders(folders []vfs.BaseVirtualFolder, inputFile string, mode, sca
 logger.Debug(logSender, "", "restoring existing folder %#v, dump file: %#v, error: %v", folder.Name, inputFile, err)
 } else {
 folder.Users = nil
- err = dataprovider.AddFolder(&folder)
+ err = dataprovider.AddFolder(&folder, executor, ipAddress)
 logger.Debug(logSender, "", "adding new folder %#v, dump file: %#v, error: %v", folder.Name, inputFile, err)
 }
 if err != nil {
diff --git a/httpd/internal_test.go b/httpd/internal_test.go
index 29a7bc4d..ffcf6747 100644
--- a/httpd/internal_test.go
+++ b/httpd/internal_test.go
@@ -580,6 +580,11 @@ func TestInvalidToken(t *testing.T) {
 assert.Equal(t, http.StatusBadRequest, rr.Code)
 assert.Contains(t, rr.Body.String(), "invalid token claims")
+ rr = httptest.NewRecorder()
+ addFolder(rr, req)
+ assert.Equal(t, http.StatusBadRequest, rr.Code)
+ assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
 rr = httptest.NewRecorder()
 updateFolder(rr, req)
 assert.Equal(t, http.StatusBadRequest, rr.Code)
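Review bot: In `addFolder` (httpd/api_folder.go) the address recorded for the action comes straight from `util.GetIPFromRemoteAddress(r.RemoteAddr)`, while `handleWebAddFolderPost` in httpd/webadmin.go passes an `ipAddr` variable that is defined outside its hunk. If `r.RemoteAddr` has not already been rewritten by trusted-proxy handling earlier in the request chain (not visible here), the hook would record the proxy's address instead of the client's, which weakens the audit trail these events provide. A short comment such as `// r.RemoteAddr is expected to hold the real client address here (proxy headers are resolved upstream)` would make the assumption explicit, and it is worth confirming both handlers derive the address the same way. addFolder's body continues outside the hunk.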
@@ -590,6 +595,11 @@ func TestInvalidToken(t *testing.T) {
 assert.Equal(t, http.StatusBadRequest, rr.Code)
 assert.Contains(t, rr.Body.String(), "Invalid token claims")
+ rr = httptest.NewRecorder()
+ server.handleWebAddFolderPost(rr, req)
+ assert.Equal(t, http.StatusBadRequest, rr.Code)
+ assert.Contains(t, rr.Body.String(), "invalid token claims")
+
 rr = httptest.NewRecorder()
 server.handleWebUpdateFolderPost(rr, req)
 assert.Equal(t, http.StatusBadRequest, rr.Code)
diff --git a/httpd/webadmin.go b/httpd/webadmin.go
index 016f6ade..0a35f607 100644
--- a/httpd/webadmin.go
+++ b/httpd/webadmin.go
@@ -2267,8 +2267,13 @@ func (s *httpdServer) handleWebAddFolderGet(w http.ResponseWriter, r *http.Reque
 func (s *httpdServer) handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) {
 r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+ claims, err := getTokenClaims(r)
+ if err != nil || claims.Username == "" {
+ s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
+ return
+ }
 folder := vfs.BaseVirtualFolder{}
- err := r.ParseMultipartForm(maxRequestSize)
+ err = r.ParseMultipartForm(maxRequestSize)
 if err != nil {
 s.renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
 return
@@ -2291,7 +2296,7 @@ func (s *httpdServer) handleWebAddFolderPost(w http.ResponseWriter, r *http.Requ
 folder.FsConfig = fsConfig
 folder = getFolderFromTemplate(folder, folder.Name)
- err = dataprovider.AddFolder(&folder)
+ err = dataprovider.AddFolder(&folder, claims.Username, ipAddr)
 if err == nil {
 http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
 } else {
diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml
index 85afde98..56b1433f 100644
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -4635,6 +4635,8 @@ components:
 type: string
 enum:
 - user
+ - folder
+ - group
 - admin
 - api_key
 - share
diff --git a/templates/webclient/files.html b/templates/webclient/files.html
index 217184ae..434bcef5 100644
--- a/templates/webclient/files.html
+++ b/templates/webclient/files.html
@@ -1047,7 +1047,7 @@ along with this program. If not, see .
 case "svg":
 case "ico":
 var view_url = row['url']+"&inline=1";
- return ``;
+ return ``;
 case "mp4":
 case "mov":
 return ``;