protect _admin/

app/index.html

@@ -119,6 +119,9 @@
                     </li>
                 </ol>
             </div>
+            <div class="col-lg-12" style="text-align: right;">
+                <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
+            </div>
             <div class="col-lg-12">
                 <table class="table table-hover table-condensed">
                     <thead>
@@ -150,9 +153,6 @@
                     </tbody>
                 </table>
             </div>
-            <div class="col-lg-12" style="text-align: right;">
-                <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
-            </div>
         </div>
     </div>
 

cli/actions.js

@@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) {
         console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan);
 
         superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) {
+            if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed'));
+            if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
             if (error) return callback(error);
-            if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
 
             console.log('Uploaded to ' + config.server() + destinationPath);
 
@@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) {
         });
     }, function (error) {
         if (error) {
-            console.log('Failed to put file.', error);
+            console.log('Failed to put file.', error.message.red);
             process.exit(1);
         }
 
@@ -143,9 +144,9 @@ function get(filePath) {
     filePath = filePath || '/';
 
     request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) {
+        if (result && result.statusCode === 401) return console.log('Login failed');
+        if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
         if (error) return console.error(error);
-        if (result.statusCode === 401) return console.log('Login failed');
-        if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
 
         // 222 indicates directory listing
         if (result.statusCode === 222) {

src/files.js

@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) {
     });
 }
 
+function isProtected(targetPath) {
+    return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
+}
+
 function getAbsolutePath(filePath) {
     var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
 
@@ -114,7 +118,7 @@ function put(req, res, next) {
     if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
 
     var absoluteFilePath = getAbsolutePath(filePath);
-    if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+    if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
@@ -148,6 +152,8 @@ function del(req, res, next) {
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
 
+    if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
     // absoltueFilePath has to have the base path prepended
     if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));