fix(2.2.x backport): respect upload and directory listing permissions

[fdintino]

Backport the patch from #1352 to the release/2.2.x branch. It looks like it was accidentally only cherry-picked onto the release/2.x branch, which wasn't used to make subsequent releases.

would fix #1526 after it is merged and a 2.2.8 release is made.

Summary by Sourcery

Backport enforcement of upload and directory listing permissions to the 2.2.x branch by adding permission checks in admin views and model methods, localizing error messages, and expanding tests to cover these behaviors.

Enhancements:

• Enforce ‘filer.add_file’ permission in ajax_upload and add-children checks before allowing file uploads
• Require ‘filer.change_file’ and ‘filer.change_folder’ permissions in model methods for editing and adding children
• Restrict directory listing admin view to users with ‘filer.can_use_directory_listing’ permission
• Localize admin error messages for missing folder and permission errors

Tests:

• Refactor file-handling tests to use context managers for opening files
• Add tests for upload permission denial, has_add_children_permission behavior, and directory listing restrictions
• Ensure users without necessary file or folder permissions receive proper error responses
• Update test_tools to close opened files

Chores:

• Backport changes from release/2.x to release/2.2.x to align with subsequent releases

[sourcery-ai]

Reviewer's Guide

Backports patch #1352 to release/2.2.x by enforcing Django object permissions on file uploads and directory listing, updating model permission checks to require relevant add/change permissions, localizing admin error messages, and adjusting tests to use context managers and cover new permission scenarios.

File-Level Changes

Change	Details	Files
Enforce upload and directory listing permission checks and localize admin messages	Check request.user.has_perm('filer.add_file') at start of ajax_upload Abort with JsonResponse and messages.error on missing upload or folder permissions Restrict directory_listing to users with 'filer.can_use_directory_listing', raising PermissionDenied Wrap NO_FOLDER_ERROR and NO_PERMISSIONS_FOR_FOLDER in gettext and introduce NO_PERMISSIONS constant	filer/admin/clipboardadmin.py filer/admin/folderadmin.py
Strengthen model permission methods to include Django object permissions	Require 'filer.change_file' in File.has_edit_permission and 'filer.add_file' for add_children Require 'filer.change_folder' in Folder.has_edit_permission and add_children	filer/models/filemodels.py filer/models/foldermodels.py
Adjust test suite for resource handling and new permission logic	Replace raw open() calls with with-open context managers across tests Add and update tests for upload permissions (with/without add_file), directory_listing permission, and has_add_children methods Grant necessary permissions in test setUp (add_file, view_folder, add_folder, can_use_directory_listing)	tests/test_admin.py tests/test_dump.py tests/test_permissions.py tests/test_tools.py

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#1526	Backport the security patch from #1352 to the 2.2.x release branch to address the missing permission check in filer.admin.clipboardadmin.ajax_upload.	✅

Possibly linked issues

• 2.2.x releases don't actually have admin permission security patch #1526: The PR backports the missing security patch from fix: respect upload and directory listing permissions #1352 by adding permission checks to ajax_upload and updating permission methods to fix the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[fsbraun]

@fdintino Thank you very much for the PR! Can you update the .github/workflows/test.yml file and replace the ubuntu-20.04 runner by ubuntu-latst to allow the CI to run?