lfss 0.1.0__py3-none-any.whl → 0.2.3__py3-none-any.whl

frontend/utils.js

@@ -0,0 +1,83 @@
+
+export function formatSize(size){
+    const sizeInKb = size / 1024;
+    const sizeInMb = sizeInKb / 1024;
+    const sizeInGb = sizeInMb / 1024;
+    if (sizeInGb > 1){
+        return sizeInGb.toFixed(2) + ' GB';
+    }
+    else if (sizeInMb > 1){
+        return sizeInMb.toFixed(2) + ' MB';
+    }
+    else if (sizeInKb > 1){
+        return sizeInKb.toFixed(2) + ' KB';
+    }
+    else {
+        return size + ' B';
+    }
+}
+
+export function copyToClipboard(text){
+    function secureCopy(text){
+        navigator.clipboard.writeText(text);
+    }
+    function unsecureCopy(text){
+        const el = document.createElement('textarea');
+        el.value = text;
+        document.body.appendChild(el);
+        el.select();
+        document.execCommand('copy');
+        document.body.removeChild(el);
+    }
+    if (navigator.clipboard){
+        secureCopy(text);
+    }
+    else {
+        unsecureCopy(text);
+    }
+}
+
+export function encodePathURI(path){
+    return path.split('/').map(encodeURIComponent).join('/');
+}
+
+export function decodePathURI(path){
+    return path.split('/').map(decodeURIComponent).join('/');
+}
+
+export function ensurePathURI(path){
+    return encodePathURI(decodePathURI(path));
+}
+
+export function getRandomString(n, additionalCharset='0123456789_-(=)[]{}'){
+    let result = '';
+    let charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    const firstChar = charset[Math.floor(Math.random() * charset.length)];
+    const lastChar = charset[Math.floor(Math.random() * charset.length)];
+    result += firstChar;
+    charset += additionalCharset;
+    for (let i = 0; i < n-2; i++){
+        result += charset[Math.floor(Math.random() * charset.length)];
+    }
+    result += lastChar;
+    return result;
+};
+
+/**
+ * @param {string} dateStr 
+ * @returns {string}
+ */
+export function cvtGMT2Local(dateStr){
+    const gmtdate = new Date(dateStr);
+    const localdate = new Date(gmtdate.getTime() + gmtdate.getTimezoneOffset() * 60000);
+    return localdate.toISOString().slice(0, 19).replace('T', ' ');
+}
+
+export function debounce(fn,wait){
+    let timeout;
+    return function(...args){
+        const context = this;
+        if (timeout) clearTimeout(timeout);
+        timeout = setTimeout(() => fn.apply(context, args), wait);
+    }
+}

lfss/cli/panel.py

@@ -0,0 +1,45 @@
+""" A static file server to serve frontend panel """
+import uvicorn
+from fastapi import FastAPI
+from fastapi.staticfiles import StaticFiles
+
+import argparse
+from contextlib import asynccontextmanager
+from pathlib import Path
+
+__this_dir = Path(__file__).parent
+__frontend_dir = __this_dir.parent.parent / "frontend"
+
+browser_open_config = {
+    "enabled": True,
+    "host": "",
+    "port": 0
+}
+
+@asynccontextmanager
+async def app_lifespan(app: FastAPI):
+    if browser_open_config["enabled"]:
+        import webbrowser
+        webbrowser.open(f"http://{browser_open_config['host']}:{browser_open_config['port']}")
+    yield
+
+assert (__frontend_dir / "index.html").exists(), "Frontend panel not found"
+
+app = FastAPI(lifespan=app_lifespan)
+app.mount("/", StaticFiles(directory=__frontend_dir, html=True), name="static")
+
+def main():
+    parser = argparse.ArgumentParser(description="Serve frontend panel")
+    parser.add_argument("--host", default="127.0.0.1", help="Host to serve")
+    parser.add_argument("--port", type=int, default=8009, help="Port to serve")
+    parser.add_argument("--open", action="store_true", help="Open browser")
+    args = parser.parse_args()
+
+    browser_open_config["enabled"] = args.open
+    browser_open_config["host"] = args.host
+    browser_open_config["port"] = args.port
+    
+    uvicorn.run(app, host=args.host, port=args.port)
+
+if __name__ == "__main__":
+    main()

lfss/cli/user.py

@@ -1,5 +1,14 @@
 import argparse, asyncio
-from ..src.database import Database
+from ..src.database import Database, FileReadPermission
+
+def parse_storage_size(s: str) -> int:
+    if s[-1] in 'Kk':
+        return int(s[:-1]) * 1024
+    if s[-1] in 'Mm':
+        return int(s[:-1]) * 1024 * 1024
+    if s[-1] in 'Gg':
+        return int(s[:-1]) * 1024 * 1024 * 1024
+    return int(s)
 
 async def _main():
     parser = argparse.ArgumentParser()
@@ -8,6 +17,8 @@ async def _main():
     sp_add.add_argument('username', type=str)
     sp_add.add_argument('password', type=str)
     sp_add.add_argument('--admin', action='store_true')
+    sp_add.add_argument('--permission', type=FileReadPermission, default=FileReadPermission.UNSET)
+    sp_add.add_argument('--max-storage', type=parse_storage_size, default="1G")
     
     sp_delete = sp.add_parser('delete')
     sp_delete.add_argument('username', type=str)
@@ -22,6 +33,8 @@ async def _main():
     sp_set.add_argument('username', type=str)
     sp_set.add_argument('-p', '--password', type=str, default=None)
     sp_set.add_argument('-a', '--admin', type=parse_bool, default=None)
+    sp_set.add_argument('--permission', type=int, default=None)
+    sp_set.add_argument('--max-storage', type=parse_storage_size, default=None)
     
     sp_list = sp.add_parser('list')
     sp_list.add_argument("-l", "--long", action="store_true")
@@ -31,7 +44,7 @@ async def _main():
     
     try:
         if args.subparser_name == 'add':
-            await conn.user.create_user(args.username, args.password, args.admin)
+            await conn.user.create_user(args.username, args.password, args.admin, max_storage=args.max_storage, permission=args.permission)
             user = await conn.user.get_user(args.username)
             assert user is not None
             print('User created, credential:', user.credential)
@@ -50,7 +63,7 @@ async def _main():
             if user is None:
                 print('User not found')
                 exit(1)
-            await conn.user.set_user(user.username, args.password, args.admin)
+            await conn.user.update_user(user.username, args.password, args.admin, max_storage=args.max_storage, permission=args.permission)
             user = await conn.user.get_user(args.username)
             assert user is not None
             print('User updated, credential:', user.credential)

lfss/src/database.py

@@ -5,6 +5,7 @@ from abc import ABC, abstractmethod
 import urllib.parse
 import dataclasses, hashlib, uuid
 from contextlib import asynccontextmanager
+from functools import wraps
 from enum import IntEnum
 import zipfile, io
 
@@ -14,12 +15,25 @@ from asyncio import Lock
 from .config import DATA_HOME
 from .log import get_logger
 from .utils import decode_uri_compnents
+from .error import *
 
 _g_conn: Optional[aiosqlite.Connection] = None
 
 def hash_credential(username, password):
     return hashlib.sha256((username + password).encode()).hexdigest()
 
+_atomic_lock = Lock()
+def atomic(func):
+    """
+    Ensure non-reentrancy. 
+    Can be skipped if the function only executes a single SQL statement.
+    """
+    @wraps(func)
+    async def wrapper(*args, **kwargs):
+        async with _atomic_lock:
+            return await func(*args, **kwargs)
+    return wrapper
+    
 class DBConnBase(ABC):
     logger = get_logger('database', global_instance=True)
 
@@ -40,6 +54,12 @@ class DBConnBase(ABC):
     async def commit(self):
         await self.conn.commit()
 
+class FileReadPermission(IntEnum):
+    UNSET = 0           # not set
+    PUBLIC = 1          # accessible by anyone
+    PROTECTED = 2       # accessible by any user
+    PRIVATE = 3         # accessible by owner only (including admin)
+
 @dataclasses.dataclass
 class DBUserRecord:
     id: int
@@ -48,11 +68,13 @@ class DBUserRecord:
     is_admin: bool
     create_time: str
     last_active: str
+    max_storage: int
+    permission: 'FileReadPermission'
 
     def __str__(self):
-        return f"User {self.username} (id={self.id}, admin={self.is_admin}, created at {self.create_time}, last active at {self.last_active})"
+        return f"User {self.username} (id={self.id}, admin={self.is_admin}, created at {self.create_time}, last active at {self.last_active}), storage={self.max_storage}, permission={self.permission}"
 
-DECOY_USER = DBUserRecord(0, 'decoy', 'decoy', False, '2021-01-01 00:00:00', '2021-01-01 00:00:00')
+DECOY_USER = DBUserRecord(0, 'decoy', 'decoy', False, '2021-01-01 00:00:00', '2021-01-01 00:00:00', 0, FileReadPermission.PRIVATE)
 class UserConn(DBConnBase):
 
     @staticmethod
@@ -61,6 +83,7 @@ class UserConn(DBConnBase):
 
     async def init(self):
         await super().init()
+        # default to 1GB (1024x1024x1024 bytes)
         await self.conn.execute('''
         CREATE TABLE IF NOT EXISTS user (
             id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -68,9 +91,18 @@ class UserConn(DBConnBase):
             credential VARCHAR(255) NOT NULL,
             is_admin BOOLEAN DEFAULT FALSE,
             create_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP, 
-            last_active TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+            last_active TIMESTAMP DEFAULT CURRENT_TIMESTAMP, 
+            max_storage INTEGER DEFAULT 1073741824,
+            permission INTEGER DEFAULT 0
         )
         ''')
+        await self.conn.execute('''
+        CREATE INDEX IF NOT EXISTS idx_user_username ON user(username)
+        ''')
+        await self.conn.execute('''
+        CREATE INDEX IF NOT EXISTS idx_user_credential ON user(credential)
+        ''')
+
         return self
     
     async def get_user(self, username: str) -> Optional[DBUserRecord]:
@@ -94,37 +126,48 @@ class UserConn(DBConnBase):
         if res is None: return None
         return self.parse_record(res)
     
-    async def create_user(self, username: str, password: str, is_admin: bool = False) -> int:
+    @atomic
+    async def create_user(
+        self, username: str, password: str, is_admin: bool = False, 
+        max_storage: int = 1073741824, permission: FileReadPermission = FileReadPermission.UNSET
+        ) -> int:
         assert not username.startswith('_'), "Error: reserved username"
         assert not ('/' in username or len(username) > 255), "Invalid username"
         assert urllib.parse.quote(username) == username, "Invalid username, must be URL safe"
         self.logger.debug(f"Creating user {username}")
         credential = hash_credential(username, password)
         assert await self.get_user(username) is None, "Duplicate username"
-        async with self.conn.execute("INSERT INTO user (username, credential, is_admin) VALUES (?, ?, ?)", (username, credential, is_admin)) as cursor:
+        async with self.conn.execute("INSERT INTO user (username, credential, is_admin, max_storage, permission) VALUES (?, ?, ?, ?, ?)", (username, credential, is_admin, max_storage, permission)) as cursor:
             self.logger.info(f"User {username} created")
             assert cursor.lastrowid is not None
             return cursor.lastrowid
     
-    async def set_user(self, username: str, password: Optional[str] = None, is_admin: Optional[bool] = None):
+    @atomic
+    async def update_user(
+        self, username: str, password: Optional[str] = None, is_admin: Optional[bool] = None, 
+        max_storage: Optional[int] = None, permission: Optional[FileReadPermission] = None
+        ):
         assert not username.startswith('_'), "Error: reserved username"
         assert not ('/' in username or len(username) > 255), "Invalid username"
         assert urllib.parse.quote(username) == username, "Invalid username, must be URL safe"
+
+        current_record = await self.get_user(username)
+        if current_record is None:
+            raise ValueError(f"User {username} not found")
+
         if password is not None:
             credential = hash_credential(username, password)
         else:
-            async with self.conn.execute("SELECT credential FROM user WHERE username = ?", (username, )) as cursor:
-                res = await cursor.fetchone()
-                assert res is not None, f"User {username} not found"
-                credential = res[0]
+            credential = current_record.credential
         
-        if is_admin is None:
-            async with self.conn.execute("SELECT is_admin FROM user WHERE username = ?", (username, )) as cursor:
-                res = await cursor.fetchone()
-                assert res is not None, f"User {username} not found"
-                is_admin = res[0]
-
-        await self.conn.execute("UPDATE user SET credential = ?, is_admin = ? WHERE username = ?", (credential, is_admin, username))
+        if is_admin is None: is_admin = current_record.is_admin
+        if max_storage is None: max_storage = current_record.max_storage
+        if permission is None: permission = current_record.permission
+        
+        await self.conn.execute(
+            "UPDATE user SET credential = ?, is_admin = ?, max_storage = ?, permission = ? WHERE username = ?", 
+            (credential, is_admin, max_storage, int(permission), username)
+            )
         self.logger.info(f"User {username} updated")
     
     async def all(self):
@@ -139,11 +182,6 @@ class UserConn(DBConnBase):
         await self.conn.execute("DELETE FROM user WHERE username = ?", (username, ))
         self.logger.info(f"Delete user {username}")
 
-class FileReadPermission(IntEnum):
-    PUBLIC = 0          # accessible by anyone
-    PROTECTED = 1       # accessible by any user
-    PRIVATE = 2         # accessible by owner only (including admin)
-
 @dataclasses.dataclass
 class FileDBRecord:
     url: str
@@ -196,6 +234,25 @@ class FileConn(DBConnBase):
         )
         ''')
 
+        # user file size table
+        await self.conn.execute('''
+        CREATE TABLE IF NOT EXISTS usize (
+            user_id INTEGER PRIMARY KEY,
+            size INTEGER DEFAULT 0
+        )
+        ''')
+        # backward compatibility, since 0.2.1
+        async with self.conn.execute("SELECT * FROM user") as cursor:
+            res = await cursor.fetchall()
+        for r in res:
+            async with self.conn.execute("SELECT user_id FROM usize WHERE user_id = ?", (r[0], )) as cursor:
+                size = await cursor.fetchone()
+            if size is None:
+                async with self.conn.execute("SELECT SUM(file_size) FROM fmeta WHERE owner_id = ?", (r[0], )) as cursor:
+                    size = await cursor.fetchone()
+                if size is not None and size[0] is not None:
+                    await self.user_size_inc(r[0], size[0])
+
         return self
     
     async def get_file_record(self, url: str) -> Optional[FileDBRecord]:
@@ -291,6 +348,19 @@ class FileConn(DBConnBase):
             
         return (dirs, files)
     
+    async def user_size(self, user_id: int) -> int:
+        async with self.conn.execute("SELECT size FROM usize WHERE user_id = ?", (user_id, )) as cursor:
+            res = await cursor.fetchone()
+        if res is None:
+            return -1
+        return res[0]
+    async def user_size_inc(self, user_id: int, inc: int):
+        self.logger.debug(f"Increasing user {user_id} size by {inc}")
+        await self.conn.execute("INSERT OR REPLACE INTO usize (user_id, size) VALUES (?, COALESCE((SELECT size FROM usize WHERE user_id = ?), 0) + ?)", (user_id, user_id, inc))
+    async def user_size_dec(self, user_id: int, dec: int):
+        self.logger.debug(f"Decreasing user {user_id} size by {dec}")
+        await self.conn.execute("INSERT OR REPLACE INTO usize (user_id, size) VALUES (?, COALESCE((SELECT size FROM usize WHERE user_id = ?), 0) - ?)", (user_id, user_id, dec))
+    
     async def path_size(self, url: str, include_subpath = False) -> int:
         if not url.endswith('/'):
             url += '/'
@@ -303,51 +373,92 @@ class FileConn(DBConnBase):
         assert res is not None
         return res[0] or 0
     
-    async def set_file_record(self, url: str, owner_id: int, file_id: str, file_size: int, permission: Optional[ FileReadPermission ] = None):
-        self.logger.debug(f"Updating fmeta {url}: user_id={owner_id}, file_id={file_id}")
+    @atomic
+    async def set_file_record(
+        self, url: str, 
+        owner_id: Optional[int] = None, 
+        file_id: Optional[str] = None, 
+        file_size: Optional[int] = None, 
+        permission: Optional[ FileReadPermission ] = None
+        ):
 
         old = await self.get_file_record(url)
         if old is not None:
-            assert old.owner_id == owner_id, f"User mismatch: {old.owner_id} != {owner_id}"
-            if permission is None:
-                permission = old.permission
+            self.logger.debug(f"Updating fmeta {url}: permission={permission}, owner_id={owner_id}")
+            # should delete the old blob if file_id is changed
+            assert file_id is None, "Cannot update file id"
+            assert file_size is None, "Cannot update file size"
+
+            if owner_id is None: owner_id = old.owner_id
+            if permission is None: permission = old.permission
             await self.conn.execute(
                 """
-                UPDATE fmeta SET file_id = ?, file_size = ?, permission = ?, 
+                UPDATE fmeta SET owner_id = ?, permission = ?, 
                 access_time = CURRENT_TIMESTAMP WHERE url = ?
-                """, (file_id, file_size, permission, url))
+                """, (owner_id, int(permission), url))
             self.logger.info(f"File {url} updated")
         else:
+            self.logger.debug(f"Creating fmeta {url}: permission={permission}, owner_id={owner_id}, file_id={file_id}, file_size={file_size}")
             if permission is None:
-                permission = FileReadPermission.PUBLIC
-            await self.conn.execute("INSERT INTO fmeta (url, owner_id, file_id, file_size, permission) VALUES (?, ?, ?, ?, ?)", (url, owner_id, file_id, file_size, permission))
+                permission = FileReadPermission.UNSET
+            assert owner_id is not None and file_id is not None and file_size is not None, "Missing required fields"
+            await self.conn.execute(
+                "INSERT INTO fmeta (url, owner_id, file_id, file_size, permission) VALUES (?, ?, ?, ?, ?)", 
+                (url, owner_id, file_id, file_size, int(permission))
+                )
+            await self.user_size_inc(owner_id, file_size)
             self.logger.info(f"File {url} created")
     
+    @atomic
+    async def move_file(self, old_url: str, new_url: str):
+        old = await self.get_file_record(old_url)
+        if old is None:
+            raise FileNotFoundError(f"File {old_url} not found")
+        new_exists = await self.get_file_record(new_url)
+        if new_exists is not None:
+            raise FileExistsError(f"File {new_url} already exists")
+        async with self.conn.execute("UPDATE fmeta SET url = ? WHERE url = ?", (new_url, old_url)):
+            self.logger.info(f"Moved file {old_url} to {new_url}")
+    
     async def log_access(self, url: str):
         await self.conn.execute("UPDATE fmeta SET access_time = CURRENT_TIMESTAMP WHERE url = ?", (url, ))
     
+    @atomic
     async def delete_file_record(self, url: str):
         file_record = await self.get_file_record(url)
         if file_record is None: return
         await self.conn.execute("DELETE FROM fmeta WHERE url = ?", (url, ))
+        await self.user_size_dec(file_record.owner_id, file_record.file_size)
         self.logger.info(f"Deleted fmeta {url}")
     
+    @atomic
     async def delete_user_file_records(self, owner_id: int):
         async with self.conn.execute("SELECT * FROM fmeta WHERE owner_id = ?", (owner_id, )) as cursor:
             res = await cursor.fetchall()
         await self.conn.execute("DELETE FROM fmeta WHERE owner_id = ?", (owner_id, ))
+        await self.conn.execute("DELETE FROM usize WHERE user_id = ?", (owner_id, ))
         self.logger.info(f"Deleted {len(res)} files for user {owner_id}") # type: ignore
     
+    @atomic
     async def delete_path_records(self, path: str):
         """Delete all records with url starting with path"""
         async with self.conn.execute("SELECT * FROM fmeta WHERE url LIKE ?", (path + '%', )) as cursor:
+            all_f_rec = await cursor.fetchall()
+        
+        # update user size
+        async with self.conn.execute("SELECT DISTINCT owner_id FROM fmeta WHERE url LIKE ?", (path + '%', )) as cursor:
             res = await cursor.fetchall()
+            for r in res:
+                async with self.conn.execute("SELECT SUM(file_size) FROM fmeta WHERE owner_id = ? AND url LIKE ?", (r[0], path + '%')) as cursor:
+                    size = await cursor.fetchone()
+                if size is not None:
+                    await self.user_size_dec(r[0], size[0])
+        
         await self.conn.execute("DELETE FROM fmeta WHERE url LIKE ?", (path + '%', ))
-        self.logger.info(f"Deleted {len(res)} files for path {path}") # type: ignore
+        self.logger.info(f"Deleted {len(all_f_rec)} files for path {path}") # type: ignore
     
-    async def set_file_blob(self, file_id: str, blob: bytes) -> int:
+    async def set_file_blob(self, file_id: str, blob: bytes):
         await self.conn.execute("INSERT OR REPLACE INTO fdata (file_id, data) VALUES (?, ?)", (file_id, blob))
-        return len(blob)
     
     async def get_file_blob(self, file_id: str) -> Optional[bytes]:
         async with self.conn.execute("SELECT data FROM fdata WHERE file_id = ?", (file_id, )) as cursor:
@@ -362,18 +473,20 @@ class FileConn(DBConnBase):
     async def delete_file_blobs(self, file_ids: list[str]):
         await self.conn.execute("DELETE FROM fdata WHERE file_id IN ({})".format(','.join(['?'] * len(file_ids))), file_ids)
 
-def _validate_url(url: str, is_file = True) -> bool:
+def validate_url(url: str, is_file = True):
     ret = not url.startswith('/') and not ('..' in url) and ('/' in url) and not ('//' in url) \
         and not ' ' in url and not url.startswith('\\') and not url.startswith('_') and not url.startswith('.')
 
     if not ret:
-        return False
+        raise InvalidPathError(f"Invalid URL: {url}")
     
     if is_file:
         ret = ret and not url.endswith('/')
     else:
         ret = ret and url.endswith('/')
-    return ret
+
+    if not ret:
+        raise InvalidPathError(f"Invalid URL: {url}")
 
 async def get_user(db: "Database", user: int | str) -> Optional[DBUserRecord]:
     if isinstance(user, str):
@@ -393,6 +506,7 @@ async def transaction(db: "Database"):
     except Exception as e:
         db.logger.error(f"Error in transaction: {e}")
         await db.rollback()
+        raise e
     finally:
         _transaction_lock.release()
 
@@ -402,8 +516,9 @@ class Database:
     logger = get_logger('database', global_instance=True)
 
     async def init(self):
-        await self.user.init()
-        await self.file.init()
+        async with transaction(self):
+            await self.user.init()
+            await self.file.init()
         return self
     
     async def commit(self):
@@ -421,8 +536,7 @@ class Database:
             await _g_conn.rollback()
 
     async def save_file(self, u: int | str, url: str, blob: bytes):
-        if not _validate_url(url):
-            raise ValueError(f"Invalid URL: {url}")
+        validate_url(url)
         assert isinstance(blob, bytes), "blob must be bytes"
 
         user = await get_user(self, u)
@@ -435,20 +549,26 @@ class Database:
         first_component = url.split('/')[0]
         if first_component != user.username:
             if not user.is_admin:
-                raise ValueError(f"Permission denied: {user.username} cannot write to {url}")
+                raise PermissionDeniedError(f"Permission denied: {user.username} cannot write to {url}")
             else:
                 if await get_user(self, first_component) is None:
-                    raise ValueError(f"Invalid path: {first_component} is not a valid username")
+                    raise PermissionDeniedError(f"Invalid path: {first_component} is not a valid username")
+        
+        # check if fize_size is within limit
+        file_size = len(blob)
+        user_size_used = await self.file.user_size(user.id)
+        if user_size_used + file_size > user.max_storage:
+            raise StorageExceededError(f"Unable to save file, user {user.username} has storage limit of {user.max_storage}, used {user_size_used}, requested {file_size}")
 
         f_id = uuid.uuid4().hex
         async with transaction(self):
-            file_size = await self.file.set_file_blob(f_id, blob)
+            await self.file.set_file_blob(f_id, blob)
             await self.file.set_file_record(url, owner_id=user.id, file_id=f_id, file_size=file_size)
             await self.user.set_active(user.username)
 
     # async def read_file_stream(self, url: str): ...
     async def read_file(self, url: str) -> bytes:
-        if not _validate_url(url): raise ValueError(f"Invalid URL: {url}")
+        validate_url(url)
 
         r = await self.file.get_file_record(url)
         if r is None:
@@ -465,7 +585,7 @@ class Database:
         return blob
 
     async def delete_file(self, url: str) -> Optional[FileDBRecord]:
-        if not _validate_url(url): raise ValueError(f"Invalid URL: {url}")
+        validate_url(url)
 
         async with transaction(self):
             r = await self.file.get_file_record(url)
@@ -475,9 +595,16 @@ class Database:
             await self.file.delete_file_blob(f_id)
             await self.file.delete_file_record(url)
             return r
+    
+    async def move_file(self, old_url: str, new_url: str):
+        validate_url(old_url)
+        validate_url(new_url)
+
+        async with transaction(self):
+            await self.file.move_file(old_url, new_url)
 
     async def delete_path(self, url: str):
-        if not _validate_url(url, is_file=False): raise ValueError(f"Invalid URL: {url}")
+        validate_url(url, is_file=False)
 
         async with transaction(self):
             records = await self.file.get_path_records(url)
@@ -520,4 +647,32 @@ class Database:
                 zf.writestr(rel_path, blob)
 
         buffer.seek(0)
-        return buffer
+        return buffer
+
+def check_user_permission(user: DBUserRecord, owner: DBUserRecord, file: FileDBRecord) -> tuple[bool, str]:
+    if user.is_admin:
+        return True, ""
+    
+    # check permission of the file
+    if file.permission == FileReadPermission.PRIVATE:
+        if user.id != owner.id:
+            return False, "Permission denied, private file"
+    elif file.permission == FileReadPermission.PROTECTED:
+        if user.id == 0:
+            return False, "Permission denied, protected file"
+    elif file.permission == FileReadPermission.PUBLIC:
+        return True, ""
+    else:
+        assert file.permission == FileReadPermission.UNSET
+
+    # use owner's permission as fallback
+    if owner.permission == FileReadPermission.PRIVATE:
+        if user.id != owner.id:
+            return False, "Permission denied, private user file"
+    elif owner.permission == FileReadPermission.PROTECTED:
+        if user.id == 0:
+            return False, "Permission denied, protected user file"
+    else:
+        assert owner.permission == FileReadPermission.PUBLIC or owner.permission == FileReadPermission.UNSET
+
+    return True, ""

lfss/src/error.py

@@ -0,0 +1,8 @@
+
+class LFSSExceptionBase(Exception):...
+
+class PermissionDeniedError(LFSSExceptionBase, PermissionError):...
+
+class InvalidPathError(LFSSExceptionBase, ValueError):...
+
+class StorageExceededError(LFSSExceptionBase):...