feat: v2 (#599)

Read https://github.com/filebrowser/filebrowser/pull/575.
2019-01-05 22:44:33 +00:00
parent 013ddf45c7
commit d309066def
121 changed files with 5410 additions and 4697 deletions
@@ -0,0 +1,180 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/dgrijalva/jwt-go/request"
+	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+type userInfo struct {
+	ID           uint              `json:"id"`
+	Locale       string            `json:"locale"`
+	ViewMode     users.ViewMode    `json:"viewMode"`
+	Perm         users.Permissions `json:"perm"`
+	Commands     []string          `json:"commands"`
+	LockPassword bool              `json:"lockPassword"`
+}
+
+type authToken struct {
+	User userInfo `json:"user"`
+	jwt.StandardClaims
+}
+
+type extractor []string
+
+func (e extractor) ExtractToken(r *http.Request) (string, error) {
+	token, _ := request.AuthorizationHeaderExtractor.ExtractToken(r)
+
+	// Checks if the token isn't empty and if it contains two dots.
+	// The former prevents incompatibility with URLs that previously
+	// used basic auth.
+	if token != "" && strings.Count(token, ".") == 2 {
+		return token, nil
+	}
+
+	auth := r.URL.Query().Get("auth")
+	if auth == "" {
+		return "", request.ErrNoTokenInRequest
+	}
+
+	return auth, nil
+}
+
+func withUser(fn handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		keyFunc := func(token *jwt.Token) (interface{}, error) {
+			return d.settings.Key, nil
+		}
+
+		var tk authToken
+		token, err := request.ParseFromRequestWithClaims(r, &extractor{}, &tk, keyFunc)
+
+		if err != nil || !token.Valid {
+			return http.StatusForbidden, nil
+		}
+
+		expired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour).Unix(), true)
+		updated := d.store.Users.LastUpdate(tk.User.ID) > tk.IssuedAt
+
+		if expired || updated {
+			w.Header().Add("X-Renew-Token", "true")
+		}
+
+		d.user, err = d.store.Users.Get(tk.User.ID)
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+		return fn(w, r, d)
+	}
+}
+
+func withAdmin(fn handleFunc) handleFunc {
+	return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		if !d.user.Perm.Admin {
+			return http.StatusForbidden, nil
+		}
+
+		return fn(w, r, d)
+	})
+}
+
+var loginHandler = func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	auther, err := d.store.Auth.Get(d.settings.AuthMethod)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	user, err := auther.Auth(r)
+	if err == os.ErrPermission {
+		return http.StatusForbidden, nil
+	} else if err != nil {
+		return http.StatusInternalServerError, err
+	} else {
+		return printToken(w, r, d, user)
+	}
+}
+
+type signupBody struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+var signupHandler = func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.settings.Signup {
+		return http.StatusMethodNotAllowed, nil
+	}
+
+	if r.Body == nil {
+		return http.StatusBadRequest, nil
+	}
+
+	info := &signupBody{}
+	err := json.NewDecoder(r.Body).Decode(info)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if info.Password == "" || info.Username == "" {
+		return http.StatusBadRequest, nil
+	}
+
+	user := &users.User{
+		Username: info.Username,
+	}
+
+	d.settings.Defaults.Apply(user)
+
+	pwd, err := users.HashPwd(info.Password)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	user.Password = pwd
+	err = d.store.Users.Save(user)
+	if err == errors.ErrExist {
+		return http.StatusConflict, err
+	} else if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return http.StatusOK, nil
+}
+
+var renewHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	return printToken(w, r, d, d.user)
+})
+
+func printToken(w http.ResponseWriter, r *http.Request, d *data, user *users.User) (int, error) {
+	claims := &authToken{
+		User: userInfo{
+			ID:           user.ID,
+			Locale:       user.Locale,
+			ViewMode:     user.ViewMode,
+			Perm:         user.Perm,
+			LockPassword: user.LockPassword,
+			Commands:     user.Commands,
+		},
+		StandardClaims: jwt.StandardClaims{
+			IssuedAt:  time.Now().Unix(),
+			ExpiresAt: time.Now().Add(time.Hour * 2).Unix(),
+			Issuer:    "File Browser",
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := token.SignedString(d.settings.Key)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	w.Header().Set("Content-Type", "cty")
+	w.Write([]byte(signed))
+	return 0, nil
+}
@@ -0,0 +1,104 @@
+package http
+
+import (
+	"bufio"
+	"io"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/filebrowser/filebrowser/v2/runner"
+	"github.com/gorilla/websocket"
+)
+
+var upgrader = websocket.Upgrader{
+	ReadBufferSize:  1024,
+	WriteBufferSize: 1024,
+}
+
+var (
+	cmdNotAllowed = []byte("Command not allowed.")
+)
+
+func wsErr(ws *websocket.Conn, r *http.Request, status int, err error) {
+	txt := http.StatusText(status)
+	if err != nil || status >= 400 {
+		log.Printf("%s: %v %s %v", r.URL.Path, status, r.RemoteAddr, err)
+	}
+	ws.WriteControl(websocket.CloseInternalServerErr, []byte(txt), time.Now().Add(10*time.Second))
+}
+
+var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+	defer conn.Close()
+
+	var raw string
+
+	for {
+		_, msg, err := conn.ReadMessage()
+		if err != nil {
+			wsErr(conn, r, http.StatusInternalServerError, err)
+			return 0, nil
+		}
+
+		raw = strings.TrimSpace(string(msg))
+		if raw != "" {
+			break
+		}
+	}
+
+	if !d.user.CanExecute(strings.Split(raw, " ")[0]) {
+		err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed)
+		if err != nil {
+			wsErr(conn, r, http.StatusInternalServerError, err)
+		}
+
+		return 0, nil
+	}
+
+	command, err := runner.ParseCommand(d.settings, raw)
+	if err != nil {
+		err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error()))
+		if err != nil {
+			wsErr(conn, r, http.StatusInternalServerError, err)
+		}
+
+		return 0, nil
+	}
+
+	cmd := exec.Command(command[0], command[1:]...)
+	cmd.Dir = d.user.FullPath(r.URL.Path)
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		wsErr(conn, r, http.StatusInternalServerError, err)
+		return 0, nil
+	}
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		wsErr(conn, r, http.StatusInternalServerError, err)
+		return 0, nil
+	}
+
+	if err := cmd.Start(); err != nil {
+		wsErr(conn, r, http.StatusInternalServerError, err)
+		return 0, nil
+	}
+
+	s := bufio.NewScanner(io.MultiReader(stdout, stderr))
+	for s.Scan() {
+		conn.WriteMessage(websocket.TextMessage, s.Bytes())
+	}
+
+	if err := cmd.Wait(); err != nil {
+		wsErr(conn, r, http.StatusInternalServerError, err)
+	}
+
+	return 0, nil
+})
@@ -0,0 +1,70 @@
+package http
+
+import (
+	"log"
+	"net/http"
+	"strconv"
+
+	"github.com/filebrowser/filebrowser/v2/runner"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+type handleFunc func(w http.ResponseWriter, r *http.Request, d *data) (int, error)
+
+type data struct {
+	*runner.Runner
+	settings *settings.Settings
+	store    *storage.Storage
+	user     *users.User
+	raw      interface{}
+}
+
+// Check implements rules.Checker.
+func (d *data) Check(path string) bool {
+	for _, rule := range d.user.Rules {
+		if rule.Matches(path) {
+			return rule.Allow
+		}
+	}
+
+	for _, rule := range d.settings.Rules {
+		if rule.Matches(path) {
+			return rule.Allow
+		}
+	}
+
+	return true
+}
+
+func handle(fn handleFunc, prefix string, storage *storage.Storage) http.Handler {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		settings, err := storage.Settings.Get()
+		if err != nil {
+			log.Fatalln("ERROR: couldn't get settings")
+			return
+		}
+
+		status, err := fn(w, r, &data{
+			Runner:   &runner.Runner{Settings: settings},
+			store:    storage,
+			settings: settings,
+		})
+
+		if status != 0 {
+			txt := http.StatusText(status)
+			http.Error(w, strconv.Itoa(status)+" "+txt, status)
+		}
+
+		if status >= 400 || err != nil {
+			log.Printf("%s: %v %s %v", r.URL.Path, status, r.RemoteAddr, err)
+		}
+	})
+
+	if prefix == "" {
+		return handler
+	}
+
+	return http.StripPrefix(prefix, handler)
+}
@@ -0,0 +1,58 @@
+package http
+
+import (
+	"net/http"
+
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/gorilla/mux"
+)
+
+type modifyRequest struct {
+	What  string   `json:"what"`  // Answer to: what data type?
+	Which []string `json:"which"` // Answer to: which fields?
+}
+
+func NewHandler(storage *storage.Storage) (http.Handler, error) {
+	r := mux.NewRouter()
+
+	index, static := getStaticHandlers(storage)
+
+	r.PathPrefix("/static").Handler(static)
+	r.NotFoundHandler = index
+
+	api := r.PathPrefix("/api").Subrouter()
+
+	api.Handle("/login", handle(loginHandler, "", storage))
+	api.Handle("/signup", handle(signupHandler, "", storage))
+	api.Handle("/renew", handle(renewHandler, "", storage))
+
+	users := api.PathPrefix("/users").Subrouter()
+	users.Handle("", handle(usersGetHandler, "", storage)).Methods("GET")
+	users.Handle("", handle(userPostHandler, "", storage)).Methods("POST")
+	users.Handle("/{id:[0-9]+}", handle(userPutHandler, "", storage)).Methods("PUT")
+	users.Handle("/{id:[0-9]+}", handle(userGetHandler, "", storage)).Methods("GET")
+	users.Handle("/{id:[0-9]+}", handle(userDeleteHandler, "", storage)).Methods("DELETE")
+
+	api.PathPrefix("/resources").Handler(handle(resourceGetHandler, "/api/resources", storage)).Methods("GET")
+	api.PathPrefix("/resources").Handler(handle(resourceDeleteHandler, "/api/resources", storage)).Methods("DELETE")
+	api.PathPrefix("/resources").Handler(handle(resourcePostPutHandler, "/api/resources", storage)).Methods("POST")
+	api.PathPrefix("/resources").Handler(handle(resourcePostPutHandler, "/api/resources", storage)).Methods("PUT")
+	api.PathPrefix("/resources").Handler(handle(resourcePatchHandler, "/api/resources", storage)).Methods("PATCH")
+
+	api.PathPrefix("/share").Handler(handle(shareGetsHandler, "/api/share", storage)).Methods("GET")
+	api.PathPrefix("/share").Handler(handle(sharePostHandler, "/api/share", storage)).Methods("POST")
+	api.PathPrefix("/share").Handler(handle(shareDeleteHandler, "/api/share", storage)).Methods("DELETE")
+
+	api.Handle("/settings", handle(settingsGetHandler, "", storage)).Methods("GET")
+	api.Handle("/settings", handle(settingsPutHandler, "", storage)).Methods("PUT")
+
+	api.PathPrefix("/raw").Handler(handle(rawHandler, "/api/raw", storage)).Methods("GET")
+	api.PathPrefix("/command").Handler(handle(commandsHandler, "/api/command", storage)).Methods("GET")
+	api.PathPrefix("/search").Handler(handle(searchHandler, "/api/search", storage)).Methods("GET")
+	
+	public := api.PathPrefix("/public").Subrouter()
+	public.PathPrefix("/dl").Handler(handle(publicDlHandler, "/api/public/dl/", storage)).Methods("GET")
+	public.PathPrefix("/share").Handler(handle(publicShareHandler, "/api/public/share/", storage)).Methods("GET")
+
+	return r, nil
+}
@@ -0,0 +1,50 @@
+package http
+
+import (
+	"net/http"
+
+	"github.com/filebrowser/filebrowser/v2/files"
+)
+
+var withHashFile = func(fn handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		link, err := d.store.Share.GetByHash(r.URL.Path)
+		if err != nil {
+			return errToStatus(err), err
+		}
+
+		user, err := d.store.Users.Get(link.UserID)
+		if err != nil {
+			return errToStatus(err), err
+		}
+
+		d.user = user
+
+		file, err := files.NewFileInfo(files.FileOptions{
+			Fs:      d.user.Fs,
+			Path:    link.Path,
+			Modify:  d.user.Perm.Modify,
+			Expand:  false,
+			Checker: d,
+		})
+		if err != nil {
+			return errToStatus(err), err
+		}
+
+		d.raw = file
+		return fn(w, r, d)
+	}
+}
+
+var publicShareHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	return renderJSON(w, r, d.raw)
+})
+
+var publicDlHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	file := d.raw.(*files.FileInfo)
+	if !file.IsDir {
+		return rawFileHandler(w, r, file)
+	}
+
+	return rawDirHandler(w, r, d, file)
+})
@@ -0,0 +1,179 @@
+package http
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	"github.com/filebrowser/filebrowser/v2/files"
+	"github.com/filebrowser/filebrowser/v2/users"
+	"github.com/hacdias/fileutils"
+	"github.com/mholt/archiver"
+)
+
+func parseQueryFiles(r *http.Request, f *files.FileInfo, u *users.User) ([]string, error) {
+	files := []string{}
+	names := strings.Split(r.URL.Query().Get("files"), ",")
+
+	if len(names) == 0 {
+		files = append(files, f.Path)
+	} else {
+		for _, name := range names {
+			name, err := url.QueryUnescape(strings.Replace(name, "+", "%2B", -1))
+			if err != nil {
+				return nil, err
+			}
+
+			name = fileutils.SlashClean(name)
+			files = append(files, filepath.Join(f.Path, name))
+		}
+	}
+
+	return files, nil
+}
+
+func parseQueryAlgorithm(r *http.Request) (string, archiver.Writer, error) {
+	switch r.URL.Query().Get("algo") {
+	case "zip", "true", "":
+		return ".zip", archiver.NewZip(), nil
+	case "tar":
+		return ".tar", archiver.NewTar(), nil
+	case "targz":
+		return ".tar.gz", archiver.NewTarGz(), nil
+	case "tarbz2":
+		return ".tar.bz2", archiver.NewTarBz2(), nil
+	case "tarxz":
+		return ".tar.xz", archiver.NewTarXz(), nil
+	case "tarlz4":
+		return ".tar.lz4", archiver.NewTarLz4(), nil
+	case "tarsz":
+		return ".tar.sz", archiver.NewTarSz(), nil
+	default:
+		return "", nil, errors.New("format not implemented")
+	}
+}
+
+var rawHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.user.Perm.Download {
+		return http.StatusAccepted, nil
+	}
+
+	file, err := files.NewFileInfo(files.FileOptions{
+		Fs:      d.user.Fs,
+		Path:    r.URL.Path,
+		Modify:  d.user.Perm.Modify,
+		Expand:  false,
+		Checker: d,
+	})
+	if err != nil {
+		return errToStatus(err), err
+	}
+
+	if !file.IsDir {
+		return rawFileHandler(w, r, file)
+	}
+
+	return rawDirHandler(w, r, d, file)
+})
+
+func addFile(ar archiver.Writer, d *data, path string) error {
+	// Checks are always done with paths with "/" as path separator.
+	path = strings.Replace(path, "\\", "/", -1)
+	fmt.Println(path)
+	if !d.Check(path) {
+		return nil
+	}
+
+	info, err := d.user.Fs.Stat(path)
+	if err != nil {
+		return err
+	}
+
+	file, err := d.user.Fs.Open(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	err = ar.Write(archiver.File{
+		FileInfo: archiver.FileInfo{
+			FileInfo:   info,
+			CustomName: strings.TrimPrefix(path, "/"),
+		},
+		ReadCloser: file,
+	})
+	if err != nil {
+		return err
+	}
+
+	if info.IsDir() {
+		names, err := file.Readdirnames(0)
+		if err != nil {
+			return err
+		}
+
+		for _, name := range names {
+			err = addFile(ar, d, filepath.Join(path, name))
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func rawDirHandler(w http.ResponseWriter, r *http.Request, d *data, file *files.FileInfo) (int, error) {
+	filenames, err := parseQueryFiles(r, file, d.user)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	extension, ar, err := parseQueryAlgorithm(r)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	name := file.Name
+	if name == "." || name == "" {
+		name = "archive"
+	}
+	name += extension
+	w.Header().Set("Content-Disposition", "attachment; filename*=utf-8''"+url.PathEscape(name))
+
+	err = ar.Create(w)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+	defer ar.Close()
+
+	for _, fname := range filenames {
+		err = addFile(ar, d, fname)
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+	}
+
+	return 0, nil
+}
+
+func rawFileHandler(w http.ResponseWriter, r *http.Request, file *files.FileInfo) (int, error) {
+	fd, err := file.Fs.Open(file.Path)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+	defer fd.Close()
+
+	if r.URL.Query().Get("inline") == "true" {
+		w.Header().Set("Content-Disposition", "inline")
+	} else {
+		// As per RFC6266 section 4.3
+		w.Header().Set("Content-Disposition", "attachment; filename*=utf-8''"+url.PathEscape(file.Name))
+	}
+
+	http.ServeContent(w, r, file.Name, file.ModTime, fd)
+	return 0, nil
+}
@@ -0,0 +1,158 @@
+package http
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/filebrowser/filebrowser/v2/files"
+
+	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/fileutils"
+)
+
+var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	file, err := files.NewFileInfo(files.FileOptions{
+		Fs: d.user.Fs,
+		Path: r.URL.Path,
+		Modify: d.user.Perm.Modify,
+		Expand: true,
+		Checker: d,
+	})
+	if err != nil {
+		return errToStatus(err), err
+	}
+
+	if file.IsDir {
+		file.Listing.Sorting = d.user.Sorting
+		file.Listing.ApplySort()
+		return renderJSON(w, r, file)
+	}
+
+	if checksum := r.URL.Query().Get("checksum"); checksum != "" {
+		err := file.Checksum(checksum)
+		if err == errors.ErrInvalidOption {
+			return http.StatusBadRequest, nil
+		} else if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		// do not waste bandwidth if we just want the checksum
+		file.Content = ""
+	}
+
+	return renderJSON(w, r, file)
+})
+
+var resourceDeleteHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if r.URL.Path == "/" || !d.user.Perm.Delete {
+		return http.StatusForbidden, nil
+	}
+
+	err := d.RunHook(func() error {
+		return d.user.Fs.RemoveAll(r.URL.Path)
+	}, "delete", r.URL.Path, "", d.user)
+
+	if err != nil {
+		return errToStatus(err), err
+	}
+
+	return http.StatusOK, nil
+})
+
+var resourcePostPutHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if !d.user.Perm.Create && r.Method == http.MethodPost {
+		return http.StatusForbidden, nil
+	}
+
+	if !d.user.Perm.Modify && r.Method == http.MethodPut {
+		return http.StatusForbidden, nil
+	}
+
+	defer func() {
+		io.Copy(ioutil.Discard, r.Body)
+	}()
+
+	// For directories, only allow POST for creation.
+	if strings.HasSuffix(r.URL.Path, "/") {
+		if r.Method == http.MethodPut {
+			return http.StatusMethodNotAllowed, nil
+		}
+
+		err := d.user.Fs.MkdirAll(r.URL.Path, 0775)
+		return errToStatus(err), err
+	}
+
+	if r.Method == http.MethodPost && r.URL.Query().Get("override") != "true" {
+		if _, err := d.user.Fs.Stat(r.URL.Path); err == nil {
+			return http.StatusConflict, nil
+		}
+	}
+
+	err := d.RunHook(func() error {
+		file, err := d.user.Fs.OpenFile(r.URL.Path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0775)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+
+		_, err = io.Copy(file, r.Body)
+		if err != nil {
+			return err
+		}
+
+		// Gets the info about the file.
+		info, err := file.Stat()
+		if err != nil {
+			return err
+		}
+
+		etag := fmt.Sprintf(`"%x%x"`, info.ModTime().UnixNano(), info.Size())
+		w.Header().Set("ETag", etag)
+		return nil
+	}, "upload", r.URL.Path, "", d.user)
+
+	return errToStatus(err), err
+})
+
+var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	src := r.URL.Path
+	dst := r.URL.Query().Get("destination")
+	action := r.URL.Query().Get("action")
+	dst, err := url.QueryUnescape(dst)
+
+	if err != nil {
+		return errToStatus(err), err
+	}
+
+	if dst == "/" || src == "/" {
+		return http.StatusForbidden, nil
+	}
+
+	switch action {
+	case "copy":
+		if !d.user.Perm.Create {
+			return http.StatusForbidden, nil
+		}
+	case "rename":
+	default:
+		action = "rename"
+		if !d.user.Perm.Rename {
+			return http.StatusForbidden, nil
+		}
+	}
+
+	err = d.RunHook(func() error {
+		if action == "copy" {
+			return fileutils.Copy(d.user.Fs, src, dst)
+		}
+
+		return d.user.Fs.Rename(src, dst)
+	}, action, src, dst, d.user)
+
+	return errToStatus(err), err
+})
@@ -0,0 +1,28 @@
+package http
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/filebrowser/filebrowser/v2/search"
+)
+
+var searchHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	response := []map[string]interface{}{}
+	query := r.URL.Query().Get("query")
+
+	err := search.Search(d.user.Fs, r.URL.Path, query, d, func(path string, f os.FileInfo) error {
+		response = append(response, map[string]interface{}{
+			"dir":  f.IsDir(),
+			"path": path,
+		})
+
+		return nil
+	})
+
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return renderJSON(w, r, response)
+})
@@ -0,0 +1,49 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/filebrowser/filebrowser/v2/rules"
+	"github.com/filebrowser/filebrowser/v2/settings"
+)
+
+type settingsData struct {
+	Signup   bool                  `json:"signup"`
+	Defaults settings.UserDefaults `json:"defaults"`
+	Rules    []rules.Rule          `json:"rules"`
+	Branding settings.Branding     `json:"branding"`
+	Shell    []string              `json:"shell"`
+	Commands map[string][]string   `json:"commands"`
+}
+
+var settingsGetHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	data := &settingsData{
+		Signup:   d.settings.Signup,
+		Defaults: d.settings.Defaults,
+		Rules:    d.settings.Rules,
+		Branding: d.settings.Branding,
+		Shell:    d.settings.Shell,
+		Commands: d.settings.Commands,
+	}
+
+	return renderJSON(w, r, data)
+})
+
+var settingsPutHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	req := &settingsData{}
+	err := json.NewDecoder(r.Body).Decode(req)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	d.settings.Signup = req.Signup
+	d.settings.Defaults = req.Defaults
+	d.settings.Rules = req.Rules
+	d.settings.Branding = req.Branding
+	d.settings.Shell = req.Shell
+	d.settings.Commands = req.Commands
+
+	err = d.store.Settings.Save(d.settings)
+	return errToStatus(err), err
+})
@@ -0,0 +1,107 @@
+package http
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/share"
+)
+
+func withPermShare(fn handleFunc) handleFunc {
+	return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		if !d.user.Perm.Share {
+			return http.StatusForbidden, nil
+		}
+
+		return fn(w, r, d)
+	})
+}
+
+var shareGetsHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	s, err := d.store.Share.Gets(r.URL.Path, d.user.ID)
+	if err == errors.ErrNotExist {
+		return renderJSON(w, r, []*share.Link{})
+	}
+
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return renderJSON(w, r, s)
+})
+
+var shareDeleteHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	hash := strings.TrimSuffix(r.URL.Path, "/")
+	hash = strings.TrimPrefix(hash, "/")
+
+	if hash == "" {
+		return http.StatusBadRequest, nil
+	}
+
+	err := d.store.Share.Delete(hash)
+	return errToStatus(err), err
+})
+
+var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	var s *share.Link
+	rawExpire := r.URL.Query().Get("expires")
+	unit := r.URL.Query().Get("unit")
+
+	if rawExpire == "" {
+		var err error
+		s, err = d.store.Share.GetPermanent(r.URL.Path, d.user.ID)
+		if err == nil {
+			w.Write([]byte(d.settings.BaseURL + "/share/" + s.Hash))
+			return 0, nil
+		}
+	}
+
+	bytes := make([]byte, 6)
+	_, err := rand.Read(bytes)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	str := base64.URLEncoding.EncodeToString(bytes)
+
+	var expire int64 = 0
+
+	if rawExpire != "" {
+		num, err := strconv.Atoi(rawExpire)
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		var add time.Duration
+		switch unit {
+		case "seconds":
+			add = time.Second * time.Duration(num)
+		case "minutes":
+			add = time.Minute * time.Duration(num)
+		case "days":
+			add = time.Hour * 24 * time.Duration(num)
+		default:
+			add = time.Hour * time.Duration(num)
+		}
+
+		expire = time.Now().Add(add).Unix()
+	}
+
+	s = &share.Link{
+		Path:   r.URL.Path,
+		Hash:   str,
+		Expire: expire,
+		UserID: d.user.ID,
+	}
+
+	if err := d.store.Share.Save(s); err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return renderJSON(w, r, s)
+})
@@ -0,0 +1,121 @@
+package http
+
+import (
+	"encoding/json"
+	"text/template"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/GeertJohan/go.rice"
+	"github.com/filebrowser/filebrowser/v2/auth"
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/filebrowser/filebrowser/v2/version"
+)
+
+func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *rice.Box, file, contentType string) (int, error) {
+	w.Header().Set("Content-Type", contentType)
+
+	staticURL := strings.TrimPrefix(d.settings.BaseURL+"/static", "/")
+
+	data := map[string]interface{}{
+		"Name":            d.settings.Branding.Name,
+		"DisableExternal": d.settings.Branding.DisableExternal,
+		"BaseURL":         d.settings.BaseURL,
+		"Version":         version.Version,
+		"StaticURL":       staticURL,
+		"Signup":          d.settings.Signup,
+		"NoAuth":          d.settings.AuthMethod == auth.MethodNoAuth,
+		"CSS":             false,
+		"ReCaptcha":       false,
+	}
+
+	if d.settings.Branding.Files != "" {
+		path := filepath.Join(d.settings.Branding.Files, "custom.css")
+		_, err := os.Stat(path)
+
+		if err != nil && !os.IsNotExist(err) {
+			log.Printf("couldn't load custom styles: %v", err)
+		}
+
+		if err == nil {
+			data["CSS"] = true
+		}
+	}
+
+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		raw, err := d.store.Auth.Get(d.settings.AuthMethod)
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		auther := raw.(*auth.JSONAuth)
+
+		if auther.ReCaptcha != nil {
+			data["ReCaptcha"] = auther.ReCaptcha.Key != "" && auther.ReCaptcha.Secret != ""
+			data["ReCaptchaHost"] = auther.ReCaptcha.Host
+			data["ReCaptchaKey"] = auther.ReCaptcha.Key
+		}
+	}
+
+	b, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	data["Json"] = string(b)
+
+	index := template.Must(template.New("index").Delims("[{[", "]}]").Parse(box.MustString(file)))
+	err = index.Execute(w, data)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return 0, nil
+}
+
+func getStaticHandlers(storage *storage.Storage) (http.Handler, http.Handler) {
+	box := rice.MustFindBox("../frontend/dist")
+	handler := http.FileServer(box.HTTPBox())
+
+	index := handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		if r.Method != http.MethodGet {
+			return http.StatusNotFound, nil
+		}
+
+		w.Header().Set("x-frame-options", "SAMEORIGIN")
+		w.Header().Set("x-xss-protection", "1; mode=block")
+
+		return handleWithStaticData(w, r, d, box, "index.html", "text/html; charset=utf-8")
+	}, "", storage)
+
+	static := handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		if r.Method != http.MethodGet {
+			return http.StatusNotFound, nil
+		}
+
+		if d.settings.Branding.Files != "" {
+			if strings.HasPrefix(r.URL.Path, "img/") {
+				path := filepath.Join(d.settings.Branding.Files, r.URL.Path)
+				if _, err := os.Stat(path); err == nil {
+					http.ServeFile(w, r, path)
+					return 0, nil
+				}
+			} else if r.URL.Path == "custom.css" && d.settings.Branding.Files != "" {
+				http.ServeFile(w, r, filepath.Join(d.settings.Branding.Files, "custom.css"))
+				return 0, nil
+			}
+		}
+
+		if !strings.HasSuffix(r.URL.Path, ".js") {
+			handler.ServeHTTP(w, r)
+			return 0, nil
+		}
+
+		return handleWithStaticData(w, r, d, box, r.URL.Path, "application/javascript; charset=utf-8")
+	}, "/static/", storage)
+
+	return index, static
+}
@@ -0,0 +1,186 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/users"
+	"github.com/gorilla/mux"
+)
+
+type modifyUserRequest struct {
+	modifyRequest
+	Data *users.User `json:"data"`
+}
+
+func getUserID(r *http.Request) (uint, error) {
+	vars := mux.Vars(r)
+	i, err := strconv.ParseUint(vars["id"], 10, 0)
+	if err != nil {
+		return 0, err
+	}
+	return uint(i), err
+}
+
+func getUser(w http.ResponseWriter, r *http.Request) (*modifyUserRequest, error) {
+	if r.Body == nil {
+		return nil, errors.ErrEmptyRequest
+	}
+
+	req := &modifyUserRequest{}
+	err := json.NewDecoder(r.Body).Decode(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if req.What != "user" {
+		return nil, errors.ErrInvalidDataType
+	}
+
+	return req, nil
+}
+
+func withSelfOrAdmin(fn handleFunc) handleFunc {
+	return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+		id, err := getUserID(r)
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		if d.user.ID != id && !d.user.Perm.Admin {
+			return http.StatusForbidden, nil
+		}
+
+		d.raw = id
+		return fn(w, r, d)
+	})
+}
+
+var usersGetHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	users, err := d.store.Users.Gets()
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	for _, u := range users {
+		u.Password = ""
+	}
+
+	sort.Slice(users, func(i, j int) bool {
+		return users[i].ID < users[j].ID
+	})
+
+	return renderJSON(w, r, users)
+})
+
+var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	u, err := d.store.Users.Get(d.raw.(uint))
+	if err == errors.ErrNotExist {
+		return http.StatusNotFound, err
+	}
+
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	u.Password = ""
+	return renderJSON(w, r, u)
+})
+
+var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	err := d.store.Users.Delete(d.raw.(uint))
+	if err == errors.ErrNotExist {
+		return http.StatusNotFound, err
+	}
+
+	return http.StatusOK, nil
+})
+
+var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	req, err := getUser(w, r)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if len(req.Which) != 0 {
+		return http.StatusBadRequest, nil
+	}
+
+	if req.Data.Password == "" {
+		return http.StatusBadRequest, errors.ErrEmptyPassword
+	}
+
+	req.Data.Password, err = users.HashPwd(req.Data.Password)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	err = d.store.Users.Save(req.Data)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	w.Header().Set("Location", "/settings/users/"+strconv.FormatUint(uint64(req.Data.ID), 10))
+	return http.StatusCreated, nil
+})
+
+var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	req, err := getUser(w, r)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if req.Data.ID != d.raw.(uint) {
+		return http.StatusBadRequest, nil
+	}
+
+	if len(req.Which) == 1 && req.Which[0] == "all" {
+		if !d.user.Perm.Admin {
+			return http.StatusForbidden, err
+		}
+
+		if req.Data.Password != "" {
+			req.Data.Password, err = users.HashPwd(req.Data.Password)
+		} else {
+			var suser *users.User
+			suser, err = d.store.Users.Get(d.raw.(uint))
+			req.Data.Password = suser.Password
+		}
+
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		req.Which = []string{}
+	}
+
+	for k, v := range req.Which {
+		if v == "password" {
+			if !d.user.Perm.Admin && d.user.LockPassword {
+				return http.StatusForbidden, nil
+			}
+
+			req.Data.Password, err = users.HashPwd(req.Data.Password)
+			if err != nil {
+				return http.StatusInternalServerError, err
+			}
+		}
+
+		if !d.user.Perm.Admin && (v == "scope" || v == "perm" || v == "username") {
+			return http.StatusForbidden, nil
+		}
+
+		req.Which[k] = strings.Title(v)
+	}
+
+	err = d.store.Users.Update(req.Data, req.Which...)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return http.StatusOK, nil
+})
@@ -0,0 +1,39 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+	"os"
+
+	"github.com/filebrowser/filebrowser/v2/errors"
+)
+
+func renderJSON(w http.ResponseWriter, r *http.Request, data interface{}) (int, error) {
+	marsh, err := json.Marshal(data)
+
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	if _, err := w.Write(marsh); err != nil {
+		return http.StatusInternalServerError, err
+	}
+
+	return 0, nil
+}
+
+func errToStatus(err error) int {
+	switch {
+	case err == nil:
+		return http.StatusOK
+	case os.IsPermission(err):
+		return http.StatusForbidden
+	case os.IsNotExist(err), err == errors.ErrNotExist:
+		return http.StatusNotFound
+	case os.IsExist(err), err == errors.ErrExist:
+		return http.StatusConflict
+	default:
+		return http.StatusInternalServerError
+	}
+}