From 7d502441a6bd210aff8a8625ee87ea5a1fbbd7ee Mon Sep 17 00:00:00 2001 From: Julian Hurst Date: Fri, 13 Jan 2023 14:50:04 +0100 Subject: Security for /download and frontend style improvements --- main.go | 71 ++++++++++++++++++++++++++++++++++------------- static/style.css | 59 ++++++++++++++++++++++++++++++++++++++- templates/base.html | 2 ++ templates/createuser.html | 24 ++++++++-------- templates/index.html | 12 ++++---- templates/login.html | 18 ++++++------ templates/nav.html | 10 ++++--- templates/nav_logged.html | 8 ++++-- templates/user.html | 21 ++++++++------ 9 files changed, 158 insertions(+), 67 deletions(-)
diff --git a/main.go b/main.go
index 7681c86..4ece388 100644
--- a/main.go
+++ b/main.go
@@ -356,33 +356,64 @@ func handleFileServer(dir, prefix string) http.HandlerFunc {
 }
 
 func download(w http.ResponseWriter, r *http.Request) {
- switch r.Method {
- case http.MethodPost:
- r.ParseForm()
- selection := r.Form["selection"]
- if len(selection) == 0 {
- sendFlashError(w, r, "/", errors.New("Aucun fichier sélectionné"))
- return
- }
- contentDisposition := fmt.Sprintf("attachment; filename=\"Documents.zip\"")
- w.Header().Set("Content-Disposition", contentDisposition)
- wr := zip.NewWriter(w)
- defer wr.Close()
- for _, sel := range selection {
- wrc, err := wr.Create(filepath.Base(sel))
- if err != nil {
- sendError(w, r, err.Error(), http.StatusInternalServerError)
+ u, err := checkSession(w, r)
+ if u != nil && err == nil {
+ switch r.Method {
+ case http.MethodPost:
+ r.ParseForm()
+ selection := r.Form["selection"]
+ if len(selection) == 0 {
+ sendFlashError(w, r, "/", errors.New("Aucun fichier sélectionné"))
 return
 }
- f, err := os.Open(sel)
+ contentDisposition := fmt.Sprintf("attachment; filename=\"Documents.zip\"")
+ w.Header().Set("Content-Disposition", contentDisposition)
+ wr := zip.NewWriter(w)
+ defer wr.Close()
+ for _, sel := range selection {
+ if filepath.Base(filepath.Dir(sel)) == u.User {
+ wrc, err := wr.Create(filepath.Base(sel))
+ if err != nil {
+ sendError(w, r, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ f, err := os.Open(sel)
+ if err != nil {
+ sendError(w, r, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ io.Copy(wrc, f)
+ }
+ }
+ case http.MethodGet:
+ contentDisposition := fmt.Sprintf("attachment; filename=\"Documents.zip\"")
+ w.Header().Set("Content-Disposition", contentDisposition)
+ wr := zip.NewWriter(w)
+ defer wr.Close()
+ files, err := os.ReadDir(filepath.Join(baseDocDir, u.User))
 if err != nil {
 sendError(w, r, err.Error(), http.StatusInternalServerError)
 return
 }
- io.Copy(wrc, f)
+ for _, file := range files {
+ filePath := path.Join(baseDocDir, u.User, file.Name())
+ wrc, err := wr.Create(filepath.Base(filePath))
+ if err != nil {
+ sendError(w, r, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ f, err := os.Open(filePath)
+ if err != nil {
+ sendError(w, r, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ io.Copy(wrc, f)
+ }
+ default:
+ sendInvalidMethod(w, r)
 }
- default:
- sendInvalidMethod(w, r)
+ } else {
+ http.Redirect(w, r, "/login", http.StatusSeeOther)
 }
 }
 
diff --git a/static/style.css b/static/style.css
index 4db3552..42ae410 100644
--- a/static/style.css
+++ b/static/style.css
@@ -1,16 +1,73 @@
+body {
+ margin: 0;
+}
+
 .error {
 color: red;
 }
 
-div {
+div.content {
 padding: 5px;
+ margin: 8px;
+}
+
+nav {
+ border-bottom: 1px solid black;
+ /*padding-left: 8px;*/
+}
+
+ul.nav {
+ display: inline-flex;
+ margin: 0;
+ padding: 0;
+ width: 100%;
+}
+
+ul.nav li {
+ display: inline-block;
+ padding: 5px;
+ /*padding-right: 5px;
+ padding-left: 5px;
+ width: 150px;*/
+ width: 50%;
+ text-align: center;
+ background: lightgrey;
+ border-right: 1px solid black;
+}
+
+ul.nav li:hover {
+ background: grey;
+}
+
+ul.nav li a {
+ display: block;
+ width: 100%;
+ height: 100%;
+}
+
+div.docs {
+ overflow: scroll;
 }
 
 table {
 border-collapse: collapse;
+ /*table-layout: fixed;*/
 }
 
 td, th {
 border: 1px solid black;
 padding: 10px;
 }
+
+td.filename {
+ overflow: scroll;
+ white-space: nowrap;
+}
+
+form.inline {
+ display: inline;
+}
+
+form.inlineblk {
+ display: inline-block;
+}
diff --git a/templates/base.html b/templates/base.html
index 0c743ed..c2ca497 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -7,7 +7,9 @@ {{block "nav" .}}{{end}} +
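Review bot: The new ownership check in the POST loop, `if filepath.Base(filepath.Dir(sel)) == u.User {`, only compares the name of the parent directory of a client-supplied path before `os.Open(sel)` opens that path verbatim, so any file on the host whose parent directory happens to carry the user's name is still served and nothing ever confirms the path lies under `baseDocDir`. The server should build the path itself from the user's own folder and the base name of the selection, as the GET branch does for `os.ReadDir` with `filepath.Join(baseDocDir, u.User)`, and refuse `.`/`..`/separator-only names instead of silently skipping entries. Both loops also never close `f` and discard the `io.Copy` error; moving open, create and copy into one helper with `defer f.Close()` fixes both at once. Note that once `zip.NewWriter(w)` has started writing into the response, a later `sendError` cannot change the status code any more, so the in-loop error handling is best-effort at most. The GET branch mixes `path.Join` and `filepath.Join` for the same on-disk path; use `filepath.Join` for both.
```go
// … unchanged: session check, method switch, Content-Disposition, zip writer …
			for _, sel := range selection {
				// The client only chooses a file name; the directory is always the
				// caller's own folder under baseDocDir, so no client-supplied path
				// component is ever opened.
				name := filepath.Base(sel)
				if name == "." || name == ".." || name == string(filepath.Separator) {
					sendFlashError(w, r, "/", errors.New("Aucun fichier sélectionné"))
					return
				}
				if err := addFile(wr, filepath.Join(baseDocDir, u.User, name)); err != nil {
					sendError(w, r, err.Error(), http.StatusInternalServerError)
					return
				}
			}
// … unchanged: GET branch (can call addFile the same way), default, redirect …

// addFile stores the file at p in the archive under its base name and closes
// it before returning, so a failing selection cannot leak a file handle.
func addFile(wr *zip.Writer, p string) error {
	f, err := os.Open(p)
	if err != nil {
		return err
	}
	defer f.Close()
	wrc, err := wr.Create(filepath.Base(p))
	if err != nil {
		return err
	}
	_, err = io.Copy(wrc, f)
	return err
}
```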
{{block "content" .}} {{end}} +
diff --git a/templates/createuser.html b/templates/createuser.html index 1a06fa0..ee4858b 100644 --- a/templates/createuser.html +++ b/templates/createuser.html @@ -1,17 +1,15 @@ {{define "title"}}Créer un compte utilisateur{{end}} {{define "content"}}

Créer un compte utilisateur

-
- {{if .Error}} -

{{.Error}}

- {{end}} -
- Pour des raisons de sécurité, le mot de passe doit avoir une longeur supérieure ou égale à 10 caractères.

-

-

-

-

- - -
+{{if .Error}} +

{{.Error}}

+{{end}} +
+ Pour des raisons de sécurité, le mot de passe doit avoir une longeur supérieure ou égale à 10 caractères.

+

+

+

+

+ + {{end}} diff --git a/templates/index.html b/templates/index.html index 01f7d72..860bce2 100644 --- a/templates/index.html +++ b/templates/index.html @@ -1,10 +1,8 @@ {{define "title"}}Acceuil{{end}} {{define "content"}} -
- -
+ {{end}} diff --git a/templates/login.html b/templates/login.html index 6a09dd7..e1b4c44 100644 --- a/templates/login.html +++ b/templates/login.html @@ -1,14 +1,12 @@ {{define "title"}}Connexion{{end}} {{define "content"}}

Connexion

-
- {{if .Error}} -

{{.Error}}

- {{end}} -
-

-

- -
-
+{{if .Error}} +

{{.Error}}

+{{end}} +
+

+

+ +
{{end}} diff --git a/templates/nav.html b/templates/nav.html index 432ddec..f8e7b7f 100644 --- a/templates/nav.html +++ b/templates/nav.html @@ -1,8 +1,10 @@ {{define "nav"}} {{end}} diff --git a/templates/nav_logged.html b/templates/nav_logged.html index 9e88507..a62585f 100644 --- a/templates/nav_logged.html +++ b/templates/nav_logged.html @@ -1,7 +1,9 @@ {{define "nav"}} {{end}} diff --git a/templates/user.html b/templates/user.html index f37c2fb..f116286 100644 --- a/templates/user.html +++ b/templates/user.html @@ -1,16 +1,16 @@ {{define "title"}}Acceuil{{end}} {{define "content"}} -

Espace utilisateur

-

Documents

-{{if .Error}} -

{{.Error}}

-{{end}} -
+

Espace utilisateur

+

Documents

+ {{if .Error}} +

{{.Error}}

+ {{end}}
-
+ +
@@ -23,7 +23,7 @@ - {{end}}
+ {{.Name}} @@ -35,8 +35,11 @@
+

-
+
+ +
{{end}} -- cgit v1.2.3