chore: version v2.1.2

fix(security): check user permission to rename files
chore: add dist folder to gitignore
2020-06-06 17:49:14 +02:00 · 2020-06-06 17:45:51 +02:00 · 2020-06-02 10:50:14 +02:00 · 2020-06-01 02:53:15 +02:00 · 2020-06-01 02:52:26 +02:00 · 2020-06-01 02:14:11 +02:00
65 changed files with 520 additions and 282 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,10 +2,10 @@ version: 2
 jobs:
  lint:
    docker:
-      - image: golangci/golangci-lint:v1.16
+      - image: golangci/golangci-lint:v1.27.0
    steps:
      - checkout
-      - run: golangci-lint run -v -D errcheck
+      - run: golangci-lint run -v
  build-node:
    docker:
      - image: circleci/node
@@ -23,7 +23,7 @@ jobs:
            - '*'
  build-go:
    docker:
-      - image: circleci/golang:1.12
+      - image: circleci/golang:1.14.3
    steps:
      - attach_workspace:
          at: '~/project'
@@ -41,7 +41,7 @@ jobs:
            - '*'
  release:
    docker:
-      - image: circleci/golang:1.12
+      - image: circleci/golang:1.14.3
    steps:
      - attach_workspace:
          at: '~/project'
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ _old
 rice-box.go
 .idea/
 filebrowser
+dist/

 .DS_Store
 node_modules
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,132 @@
+linters-settings:
+  dupl:
+    threshold: 100
+  exhaustive:
+    default-signifies-exhaustive: false
+  funlen:
+    lines: 100
+    statements: 50
+  goconst:
+    min-len: 2
+    min-occurrences: 2
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - experimental
+      - opinionated
+      - performance
+      - style
+    disabled-checks:
+      - dupImport # https://github.com/go-critic/go-critic/issues/845
+      - ifElseChain
+      - octalLiteral
+      - whyNoLint
+      - wrapperFunc
+  gocyclo:
+    min-complexity: 15
+  goimports:
+    local-prefixes: github.com/filebrowser/filebrowser
+  golint:
+    min-confidence: 0
+  gomnd:
+    settings:
+      mnd:
+        # don't include the "operation" and "assign"
+        checks: argument,case,condition,return
+  govet:
+    check-shadowing: true
+  lll:
+    line-length: 140
+  maligned:
+    suggest-new: true
+  misspell:
+    locale: US
+  nolintlint:
+    allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space)
+    allow-unused: false # report any unused nolint directives
+    require-explanation: false # don't require an explanation for nolint directives
+    require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+
+linters:
+  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  disable-all: true
+  enable:
+    - bodyclose
+    - deadcode
+    - depguard
+    - dogsled
+    - dupl
+    - errcheck
+    - funlen
+    - gochecknoinits
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - goimports
+    - golint
+    - gomnd
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - interfacer
+    - lll
+    - misspell
+    - nakedret
+    - nolintlint
+    - rowserrcheck
+    - scopelint
+    - staticcheck
+    - structcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - whitespace
+    - prealloc
+
+  # don't enable:
+  # - asciicheck
+  # - exhaustive (TODO: enable after next release; current release at time of writing is v1.27)
+  # - gochecknoglobals
+  # - gocognit
+  # - godot
+  # - godox
+  # - goerr113
+  # - maligned
+  # - nestif
+  # - testpackage
+  # - wsl
+
+issues:
+  exclude-rules:
+    - path: cmd/.*.go
+      linters:
+        - gochecknoinits
+    - path: .*_test.go
+      linters:
+        - lll
+        - gochecknoinits
+        - gocyclo
+        - funlen
+        - dupl
+        - scopelint
+    - text: "Auther"
+      linters:
+        - misspell
+
+run:
+  skip-dirs:
+    - frontend/
+  skip-files:
+    - http/rice-box.go
+
+# golangci.com configuration
+# https://github.com/golangci/golangci/wiki/Configuration
+service:
+  golangci-lint-version: 1.27.x # use the fixed version to not introduce new linters unexpectedly
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -54,6 +54,9 @@ archives:

 dockers:
  -
+    dockerfile: Dockerfile
+    binaries:
+      - filebrowser
    goos: linux
    goarch: amd64
    goarm: ''
@@ -63,3 +66,16 @@ dockers:
      - "filebrowser/filebrowser:v{{ .Major }}"
    extra_files:
      - .docker.json
+  -
+    dockerfile: Dockerfile
+    binaries:
+      - filebrowser
+    goos: linux
+    goarch: arm
+    goarm: '5'
+    image_templates:
+      - "filebrowser/filebrowser:pi"
+      - "filebrowser/filebrowser:{{ .Tag }}-pi"
+      - "filebrowser/filebrowser:v{{ .Major }}-pi"
+    extra_files:
+      - .docker.json
--- a/README.md
+++ b/README.md
@@ -2,8 +2,6 @@
  <img src="https://raw.githubusercontent.com/filebrowser/logo/master/banner.png" width="550"/>
 </p>

-⚠️ WARN: **This project will not be developed anymore. If you're willing to take over this project, please read [#532](https://github.com/filebrowser/filebrowser/issues/532) for more info!**
-
 ![Preview](https://user-images.githubusercontent.com/5447088/50716739-ebd26700-107a-11e9-9817-14230c53efd2.gif)

 [![Travis](https://img.shields.io/travis/com/filebrowser/filebrowser.svg?style=flat-square)](https://travis-ci.com/filebrowser/filebrowser)
@@ -16,16 +14,16 @@ filebrowser provides a file managing interface within a specified directory and

 ## Features

-Please refer to our docs at [filebrowser.xyz/features](https://filebrowser.xyz/features)
+Please refer to our docs at [filebrowser.xyz/features](https://github.com/filebrowser/docs/tree/master/features)

 ## Install

-Please refer to our docs at [filebrowser.xyz](https://filebrowser.xyz/).
+Please refer to our docs at [filebrowser.xyz](https://github.com/filebrowser/docs/tree/master/).

 ## Usage

-Please refer to our docs at [filebrowser.xyz/usage](https://filebrowser.xyz/usage).
+Please refer to our docs at [filebrowser.xyz/usage](https://github.com/filebrowser/docs/tree/master/usage).

 ## Contributing

-Please refer to our docs at [filebrowser.xyz/contributing](https://filebrowser.xyz/contributing).
+Please refer to our docs at [filebrowser.xyz/contributing](https://github.com/filebrowser/docs/tree/master/contributing).
--- a/auth/json.go
+++ b/auth/json.go
@@ -20,7 +20,7 @@ type jsonCred struct {
 	ReCaptcha string `json:"recaptcha"`
 }

-// JSONAuth is a json implementaion of an Auther.
+// JSONAuth is a json implementation of an Auther.
 type JSONAuth struct {
 	ReCaptcha *ReCaptcha `json:"recaptcha" yaml:"recaptcha"`
 }
@@ -40,7 +40,7 @@ func (a JSONAuth) Auth(r *http.Request, sto *users.Storage, root string) (*users

 	// If ReCaptcha is enabled, check the code.
 	if a.ReCaptcha != nil && len(a.ReCaptcha.Secret) > 0 {
-		ok, err := a.ReCaptcha.Ok(cred.ReCaptcha)
+		ok, err := a.ReCaptcha.Ok(cred.ReCaptcha) //nolint:shadow

 		if err != nil {
 			return nil, err
@@ -66,7 +66,7 @@ func (a JSONAuth) LoginPage() bool {

 const reCaptchaAPI = "/recaptcha/api/siteverify"

-// ReCaptcha identifies a recaptcha conenction.
+// ReCaptcha identifies a recaptcha connection.
 type ReCaptcha struct {
 	Host   string `json:"host"`
 	Key    string `json:"key"`
@@ -89,6 +89,7 @@ func (r *ReCaptcha) Ok(response string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
+	defer resp.Body.Close()

 	if resp.StatusCode != http.StatusOK {
 		return false, nil
--- a/auth/storage.go
+++ b/auth/storage.go
@@ -18,8 +18,8 @@ type Storage struct {
 }

 // NewStorage creates a auth storage from a backend.
-func NewStorage(back StorageBackend, users *users.Storage) *Storage {
-	return &Storage{back: back, users: users}
+func NewStorage(back StorageBackend, userStore *users.Storage) *Storage {
+	return &Storage{back: back, users: userStore}
 }

 // Get wraps a StorageBackend.Get.
--- a/cmd/cmds_add.go
+++ b/cmd/cmds_add.go
@@ -14,7 +14,7 @@ var cmdsAddCmd = &cobra.Command{
 	Use:   "add <event> <command>",
 	Short: "Add a command to run on a specific event",
 	Long:  `Add a command to run on a specific event.`,
-	Args:  cobra.MinimumNArgs(2),
+	Args:  cobra.MinimumNArgs(2), //nolint:mnd
 	Run: python(func(cmd *cobra.Command, args []string, d pythonData) {
 		s, err := d.store.Settings.Get()
 		checkErr(err)
--- a/cmd/cmds_rm.go
+++ b/cmd/cmds_rm.go
@@ -23,7 +23,7 @@ You can also specify an optional parameter (index_end) so
 you can remove all commands from 'index' to 'index_end',
 including 'index_end'.`,
 	Args: func(cmd *cobra.Command, args []string) error {
-		if err := cobra.RangeArgs(2, 3)(cmd, args); err != nil {
+		if err := cobra.RangeArgs(2, 3)(cmd, args); err != nil { //nolint:mnd
 			return err
 		}

@@ -43,7 +43,7 @@ including 'index_end'.`,
 		i, err := strconv.Atoi(args[1])
 		checkErr(err)
 		f := i
-		if len(args) == 3 {
+		if len(args) == 3 { //nolint:mnd
 			f, err = strconv.Atoi(args[2])
 			checkErr(err)
 		}
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -8,11 +8,12 @@ import (
 	"strings"
 	"text/tabwriter"

+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
 	"github.com/filebrowser/filebrowser/v2/auth"
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 )

 func init() {
@@ -44,6 +45,7 @@ func addConfigFlags(flags *pflag.FlagSet) {
 	flags.Bool("branding.disableExternal", false, "disable external links such as GitHub links")
 }

+//nolint:gocyclo
 func getAuthentication(flags *pflag.FlagSet, defaults ...interface{}) (settings.AuthMethod, auth.Auther) {
 	method := settings.AuthMethod(mustGetString(flags, "auth.method"))

@@ -53,11 +55,12 @@ func getAuthentication(flags *pflag.FlagSet, defaults ...interface{}) (settings.
 			for _, arg := range defaults {
 				switch def := arg.(type) {
 				case *settings.Settings:
-					method = settings.AuthMethod(def.AuthMethod)
+					method = def.AuthMethod
 				case auth.Auther:
 					ms, err := json.Marshal(def)
 					checkErr(err)
-					json.Unmarshal(ms, &defaultAuther)
+					err = json.Unmarshal(ms, &defaultAuther)
+					checkErr(err)
 				}
 			}
 		}
--- a/cmd/config_import.go
+++ b/cmd/config_import.go
@@ -6,9 +6,10 @@ import (
 	"path/filepath"
 	"reflect"

+	"github.com/spf13/cobra"
+
 	"github.com/filebrowser/filebrowser/v2/auth"
 	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/spf13/cobra"
 )

 func init() {
@@ -55,7 +56,7 @@ The path must be for a json or yaml file.`,
 		checkErr(err)

 		var rawAuther interface{}
-		if filepath.Ext(args[0]) != ".json" {
+		if filepath.Ext(args[0]) != ".json" { //nolint:goconst
 			rawAuther = cleanUpInterfaceMap(file.Auther.(map[interface{}]interface{}))
 		} else {
 			rawAuther = file.Auther
--- a/cmd/config_init.go
+++ b/cmd/config_init.go
@@ -4,8 +4,9 @@ import (
 	"fmt"
 	"strings"

-	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
 )

 func init() {
--- a/cmd/docs.go
+++ b/cmd/docs.go
@@ -88,7 +88,7 @@ func generateMarkdown(cmd *cobra.Command, w io.Writer) {

 	short := cmd.Short
 	long := cmd.Long
-	if len(long) == 0 {
+	if long == "" {
 		long = short
 	}

@@ -106,21 +106,21 @@ func generateMarkdown(cmd *cobra.Command, w io.Writer) {
 		buf.WriteString(fmt.Sprintf("```\n%s\n```\n\n", cmd.Example))
 	}

-	printOptions(buf, cmd, name)
+	printOptions(buf, cmd)
 	_, err := buf.WriteTo(w)
 	checkErr(err)
 }

 func generateFlagsTable(fs *pflag.FlagSet, buf io.StringWriter) {
-	buf.WriteString("| Name | Shorthand | Usage |\n")
-	buf.WriteString("|------|-----------|-------|\n")
+	_, _ = buf.WriteString("| Name | Shorthand | Usage |\n")
+	_, _ = buf.WriteString("|------|-----------|-------|\n")

 	fs.VisitAll(func(f *pflag.Flag) {
-		buf.WriteString("|" + f.Name + "|" + f.Shorthand + "|" + f.Usage + "|\n")
+		_, _ = buf.WriteString("|" + f.Name + "|" + f.Shorthand + "|" + f.Usage + "|\n")
 	})
 }

-func printOptions(buf *bytes.Buffer, cmd *cobra.Command, name string) {
+func printOptions(buf *bytes.Buffer, cmd *cobra.Command) {
 	flags := cmd.NonInheritedFlags()
 	flags.SetOutput(buf)
 	if flags.HasAvailableFlags() {
--- a/cmd/hash.go
+++ b/cmd/hash.go
@@ -3,8 +3,9 @@ package cmd
 import (
 	"fmt"

-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 func init() {
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -13,16 +13,17 @@ import (
 	"strings"
 	"syscall"

-	"github.com/filebrowser/filebrowser/v2/auth"
-	fbhttp "github.com/filebrowser/filebrowser/v2/http"
-	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/filebrowser/filebrowser/v2/storage"
-	"github.com/filebrowser/filebrowser/v2/users"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	v "github.com/spf13/viper"
 	lumberjack "gopkg.in/natefinch/lumberjack.v2"
+
+	"github.com/filebrowser/filebrowser/v2/auth"
+	fbhttp "github.com/filebrowser/filebrowser/v2/http"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 var (
@@ -113,16 +114,17 @@ user created with the credentials from options "username" and "password".`,

 		var listener net.Listener

-		if server.Socket != "" {
+		switch {
+		case server.Socket != "":
 			listener, err = net.Listen("unix", server.Socket)
 			checkErr(err)
-		} else if server.TLSKey != "" && server.TLSCert != "" {
-			cer, err := tls.LoadX509KeyPair(server.TLSCert, server.TLSKey)
+		case server.TLSKey != "" && server.TLSCert != "":
+			cer, err := tls.LoadX509KeyPair(server.TLSCert, server.TLSKey) //nolint:shadow
 			checkErr(err)
-			listener, err = tls.Listen("tcp", adr, &tls.Config{Certificates: []tls.Certificate{cer}})
+			listener, err = tls.Listen("tcp", adr, &tls.Config{Certificates: []tls.Certificate{cer}}) //nolint:shadow
 			checkErr(err)
-		} else {
-			listener, err = net.Listen("tcp", adr)
+		default:
+			listener, err = net.Listen("tcp", adr) //nolint:shadow
 			checkErr(err)
 		}

@@ -142,13 +144,14 @@ user created with the credentials from options "username" and "password".`,
 	}, pythonConfig{allowNoDB: true}),
 }

-func cleanupHandler(listener net.Listener, c chan os.Signal) {
+func cleanupHandler(listener net.Listener, c chan os.Signal) { //nolint:interfacer
 	sig := <-c
 	log.Printf("Caught signal %s: shutting down.", sig)
 	listener.Close()
 	os.Exit(0)
 }

+//nolint:gocyclo
 func getRunParams(flags *pflag.FlagSet, st *storage.Storage) *settings.Server {
 	server, err := st.Settings.GetServer()
 	checkErr(err)
@@ -348,5 +351,4 @@ func initConfig() {
 	} else {
 		cfgFile = "Using config file: " + v.ConfigFileUsed()
 	}
-
 }
--- a/cmd/rule_rm.go
+++ b/cmd/rule_rm.go
@@ -3,15 +3,16 @@ package cmd
 import (
 	"strconv"

+	"github.com/spf13/cobra"
+
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
-	"github.com/spf13/cobra"
 )

 func init() {
 	rulesCmd.AddCommand(rulesRmCommand)
 	rulesRmCommand.Flags().Uint("index", 0, "index of rule to remove")
-	rulesRmCommand.MarkFlagRequired("index")
+	_ = rulesRmCommand.MarkFlagRequired("index")
 }

 var rulesRmCommand = &cobra.Command{
@@ -43,7 +44,7 @@ including 'index_end'.`,
 		i, err := strconv.Atoi(args[0])
 		checkErr(err)
 		f := i
-		if len(args) == 2 {
+		if len(args) == 2 { //nolint:mnd
 			f, err = strconv.Atoi(args[1])
 			checkErr(err)
 		}
--- a/cmd/rules.go
+++ b/cmd/rules.go
@@ -3,12 +3,13 @@ package cmd
 import (
 	"fmt"

+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
 	"github.com/filebrowser/filebrowser/v2/rules"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/storage"
 	"github.com/filebrowser/filebrowser/v2/users"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 )

 func init() {
@@ -18,8 +19,8 @@ func init() {
 }

 var rulesCmd = &cobra.Command{
-	Use:     "rules",
-	Short:   "Rules management utility",
+	Use:   "rules",
+	Short: "Rules management utility",
 	Long: `On each subcommand you'll have available at least two flags:
 "username" and "id". You must either set only one of them
 or none. If you set one of them, the command will apply to
@@ -28,14 +29,14 @@ rules.`,
 	Args: cobra.NoArgs,
 }

-func runRules(st *storage.Storage, cmd *cobra.Command, users func(*users.User), global func(*settings.Settings)) {
+func runRules(st *storage.Storage, cmd *cobra.Command, usersFn func(*users.User), globalFn func(*settings.Settings)) {
 	id := getUserIdentifier(cmd.Flags())
 	if id != nil {
 		user, err := st.Users.Get("", id)
 		checkErr(err)

-		if users != nil {
-			users(user)
+		if usersFn != nil {
+			usersFn(user)
 		}

 		printRules(user.Rules, id)
@@ -45,8 +46,8 @@ func runRules(st *storage.Storage, cmd *cobra.Command, users func(*users.User),
 	s, err := st.Settings.Get()
 	checkErr(err)

-	if global != nil {
-		global(s)
+	if globalFn != nil {
+		globalFn(s)
 	}

 	printRules(s.Rules, id)
@@ -65,14 +66,14 @@ func getUserIdentifier(flags *pflag.FlagSet) interface{} {
 	return nil
 }

-func printRules(rules []rules.Rule, id interface{}) {
+func printRules(rulez []rules.Rule, id interface{}) {
 	if id == nil {
 		fmt.Printf("Global Rules:\n\n")
 	} else {
 		fmt.Printf("Rules for user %v:\n\n", id)
 	}

-	for id, rule := range rules {
+	for id, rule := range rulez {
 		fmt.Printf("(%d) ", id)
 		if rule.Regex {
 			if rule.Allow {
--- a/cmd/rules_add.go
+++ b/cmd/rules_add.go
@@ -3,10 +3,11 @@ package cmd
 import (
 	"regexp"

+	"github.com/spf13/cobra"
+
 	"github.com/filebrowser/filebrowser/v2/rules"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
-	"github.com/spf13/cobra"
 )

 func init() {
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@@ -1,8 +1,9 @@
 package cmd

 import (
-	"github.com/filebrowser/filebrowser/v2/storage/bolt/importer"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/storage/bolt/importer"
 )

 func init() {
@@ -10,7 +11,7 @@ func init() {

 	upgradeCmd.Flags().String("old.database", "", "")
 	upgradeCmd.Flags().String("old.config", "", "")
-	upgradeCmd.MarkFlagRequired("old.database")
+	_ = upgradeCmd.MarkFlagRequired("old.database")
 }

 var upgradeCmd = &cobra.Command{
--- a/cmd/users.go
+++ b/cmd/users.go
@@ -7,10 +7,11 @@ import (
 	"strconv"
 	"text/tabwriter"

-	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 func init() {
@@ -24,38 +25,38 @@ var usersCmd = &cobra.Command{
 	Args:  cobra.NoArgs,
 }

-func printUsers(users []*users.User) {
+func printUsers(usrs []*users.User) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 	fmt.Fprintln(w, "ID\tUsername\tScope\tLocale\tV. Mode\tAdmin\tExecute\tCreate\tRename\tModify\tDelete\tShare\tDownload\tPwd Lock")

-	for _, user := range users {
+	for _, u := range usrs {
 		fmt.Fprintf(w, "%d\t%s\t%s\t%s\t%s\t%t\t%t\t%t\t%t\t%t\t%t\t%t\t%t\t%t\t\n",
-			user.ID,
-			user.Username,
-			user.Scope,
-			user.Locale,
-			user.ViewMode,
-			user.Perm.Admin,
-			user.Perm.Execute,
-			user.Perm.Create,
-			user.Perm.Rename,
-			user.Perm.Modify,
-			user.Perm.Delete,
-			user.Perm.Share,
-			user.Perm.Download,
-			user.LockPassword,
+			u.ID,
+			u.Username,
+			u.Scope,
+			u.Locale,
+			u.ViewMode,
+			u.Perm.Admin,
+			u.Perm.Execute,
+			u.Perm.Create,
+			u.Perm.Rename,
+			u.Perm.Modify,
+			u.Perm.Delete,
+			u.Perm.Share,
+			u.Perm.Download,
+			u.LockPassword,
 		)
 	}

 	w.Flush()
 }

-func parseUsernameOrID(arg string) (string, uint) {
-	id, err := strconv.ParseUint(arg, 10, 0)
+func parseUsernameOrID(arg string) (username string, id uint) {
+	id64, err := strconv.ParseUint(arg, 10, 0)
 	if err != nil {
 		return arg, 0
 	}
-	return "", uint(id)
+	return "", uint(id64)
 }

 func addUserFlags(flags *pflag.FlagSet) {
@@ -84,6 +85,7 @@ func getViewMode(flags *pflag.FlagSet) users.ViewMode {
 	return viewMode
 }

+//nolint:gocyclo
 func getUserDefaults(flags *pflag.FlagSet, defaults *settings.UserDefaults, all bool) {
 	visit := func(flag *pflag.Flag) {
 		switch flag.Name {
--- a/cmd/users_add.go
+++ b/cmd/users_add.go
@@ -1,8 +1,9 @@
 package cmd

 import (
-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 func init() {
@@ -14,7 +15,7 @@ var usersAddCmd = &cobra.Command{
 	Use:   "add <username> <password>",
 	Short: "Create a new user",
 	Long:  `Create a new user and add it to the database.`,
-	Args:  cobra.ExactArgs(2),
+	Args:  cobra.ExactArgs(2), //nolint:mnd
 	Run: python(func(cmd *cobra.Command, args []string, d pythonData) {
 		s, err := d.store.Settings.Get()
 		checkErr(err)
@@ -33,9 +34,9 @@ var usersAddCmd = &cobra.Command{

 		servSettings, err := d.store.Settings.GetServer()
 		checkErr(err)
-		//since getUserDefaults() polluted s.Defaults.Scope
-		//which makes the Scope not the one saved in the db
-		//we need the right s.Defaults.Scope here
+		// since getUserDefaults() polluted s.Defaults.Scope
+		// which makes the Scope not the one saved in the db
+		// we need the right s.Defaults.Scope here
 		s2, err := d.store.Settings.Get()
 		checkErr(err)

--- a/cmd/users_find.go
+++ b/cmd/users_find.go
@@ -1,8 +1,9 @@
 package cmd

 import (
-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 func init() {
--- a/cmd/users_import.go
+++ b/cmd/users_import.go
@@ -2,11 +2,13 @@ package cmd

 import (
 	"errors"
+	"fmt"
 	"os"
 	"strconv"

-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 func init() {
@@ -65,8 +67,7 @@ list or set it to 0.`,
 				// with the new username. If there is, print an error and cancel the
 				// operation
 				if user.Username != onDB.Username {
-					conflictuous, err := d.store.Users.Get("", user.Username)
-					if err == nil {
+					if conflictuous, err := d.store.Users.Get("", user.Username); err == nil { //nolint:shadow
 						checkErr(usernameConflictError(user.Username, conflictuous.ID, user.ID))
 					}
 				}
@@ -82,6 +83,7 @@ list or set it to 0.`,
 	}, pythonConfig{}),
 }

-func usernameConflictError(username string, original, new uint) error {
-	return errors.New("can't import user with ID " + strconv.Itoa(int(new)) + " and username \"" + username + "\" because the username is already registred with the user " + strconv.Itoa(int(original)))
+func usernameConflictError(username string, originalID, newID uint) error {
+	return fmt.Errorf(`can't import user with ID %d and username "%s" because the username is already registred with the user %d`,
+		newID, username, originalID)
 }
--- a/cmd/users_update.go
+++ b/cmd/users_update.go
@@ -1,9 +1,10 @@
 package cmd

 import (
+	"github.com/spf13/cobra"
+
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
-	"github.com/spf13/cobra"
 )

 func init() {
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -9,12 +9,13 @@ import (
 	"path/filepath"

 	"github.com/asdine/storm"
-	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/filebrowser/filebrowser/v2/storage"
-	"github.com/filebrowser/filebrowser/v2/storage/bolt"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	yaml "gopkg.in/yaml.v2"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/filebrowser/filebrowser/v2/storage/bolt"
 )

 func checkErr(err error) {
@@ -70,7 +71,9 @@ func dbExists(path string) (bool, error) {
 		d := filepath.Dir(path)
 		_, err = os.Stat(d)
 		if os.IsNotExist(err) {
-			os.MkdirAll(d, 0700)
+			if err := os.MkdirAll(d, 0700); err != nil { //nolint:shadow
+				return false, err
+			}
 			return false, nil
 		}
 	}
@@ -113,7 +116,7 @@ func marshal(filename string, data interface{}) error {
 		encoder := json.NewEncoder(fd)
 		encoder.SetIndent("", "    ")
 		return encoder.Encode(data)
-	case ".yml", ".yaml":
+	case ".yml", ".yaml": //nolint:goconst
 		encoder := yaml.NewEncoder(fd)
 		return encoder.Encode(data)
 	default:
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -3,8 +3,9 @@ package cmd
 import (
 	"fmt"

-	"github.com/filebrowser/filebrowser/v2/version"
 	"github.com/spf13/cobra"
+
+	"github.com/filebrowser/filebrowser/v2/version"
 )

 func init() {
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -3,15 +3,17 @@ package errors
 import "errors"

 var (
-	ErrEmptyKey          = errors.New("empty key")
-	ErrExist             = errors.New("the resource already exists")
-	ErrNotExist          = errors.New("the resource does not exist")
-	ErrEmptyPassword     = errors.New("password is empty")
-	ErrEmptyUsername     = errors.New("username is empty")
-	ErrEmptyRequest      = errors.New("empty request")
-	ErrScopeIsRelative   = errors.New("scope is a relative path")
-	ErrInvalidDataType   = errors.New("invalid data type")
-	ErrIsDirectory       = errors.New("file is directory")
-	ErrInvalidOption     = errors.New("invalid option")
-	ErrInvalidAuthMethod = errors.New("invalid auth method")
+	ErrEmptyKey             = errors.New("empty key")
+	ErrExist                = errors.New("the resource already exists")
+	ErrNotExist             = errors.New("the resource does not exist")
+	ErrEmptyPassword        = errors.New("password is empty")
+	ErrEmptyUsername        = errors.New("username is empty")
+	ErrEmptyRequest         = errors.New("empty request")
+	ErrScopeIsRelative      = errors.New("scope is a relative path")
+	ErrInvalidDataType      = errors.New("invalid data type")
+	ErrIsDirectory          = errors.New("file is directory")
+	ErrInvalidOption        = errors.New("invalid option")
+	ErrInvalidAuthMethod    = errors.New("invalid auth method")
+	ErrPermissionDenied     = errors.New("permission denied")
+	ErrInvalidRequestParams = errors.New("invalid request params")
 )
--- a/files/file.go
+++ b/files/file.go
@@ -1,8 +1,8 @@
 package files

 import (
-	"crypto/md5"
-	"crypto/sha1"
+	"crypto/md5"  //nolint:gosec
+	"crypto/sha1" //nolint:gosec
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/hex"
@@ -17,9 +17,10 @@ import (
 	"strings"
 	"time"

+	"github.com/spf13/afero"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/rules"
-	"github.com/spf13/afero"
 )

 // FileInfo describes a file.
@@ -74,7 +75,10 @@ func NewFileInfo(opts FileOptions) (*FileInfo, error) {

 	if opts.Expand {
 		if file.IsDir {
-			return file, file.readListing(opts.Checker)
+			if err := file.readListing(opts.Checker); err != nil { //nolint:shadow
+				return nil, err
+			}
+			return file, nil
 		}

 		err = file.detectType(opts.Modify, true)
@@ -105,6 +109,7 @@ func (i *FileInfo) Checksum(algo string) error {

 	var h hash.Hash

+	//nolint:gosec
 	switch algo {
 	case "md5":
 		h = md5.New()
@@ -127,6 +132,8 @@ func (i *FileInfo) Checksum(algo string) error {
 	return nil
 }

+//nolint:goconst
+//TODO: use constants
 func (i *FileInfo) detectType(modify, saveContent bool) error {
 	// failing to detect the type should not return error.
 	// imagine the situation where a file in a dir with thousands
@@ -198,9 +205,9 @@ func (i *FileInfo) detectSubtitles() {

 	// TODO: detect multiple languages. Base.Lang.vtt

-	path := strings.TrimSuffix(i.Path, ext) + ".vtt"
-	if _, err := i.Fs.Stat(path); err == nil {
-		i.Subtitles = append(i.Subtitles, path)
+	fPath := strings.TrimSuffix(i.Path, ext) + ".vtt"
+	if _, err := i.Fs.Stat(fPath); err == nil {
+		i.Subtitles = append(i.Subtitles, fPath)
 	}
 }

@@ -219,16 +226,16 @@ func (i *FileInfo) readListing(checker rules.Checker) error {

 	for _, f := range dir {
 		name := f.Name()
-		path := path.Join(i.Path, name)
+		fPath := path.Join(i.Path, name)

-		if !checker.Check(path) {
+		if !checker.Check(fPath) {
 			continue
 		}

 		if strings.HasPrefix(f.Mode().String(), "L") {
 			// It's a symbolic link. We try to follow it. If it doesn't work,
 			// we stay with the link information instead if the target's.
-			info, err := i.Fs.Stat(path)
+			info, err := i.Fs.Stat(fPath)
 			if err == nil {
 				f = info
 			}
@@ -242,7 +249,7 @@ func (i *FileInfo) readListing(checker rules.Checker) error {
 			Mode:      f.Mode(),
 			IsDir:     f.IsDir(),
 			Extension: filepath.Ext(name),
-			Path:      path,
+			Path:      fPath,
 		}

 		if file.IsDir {
--- a/files/listing.go
+++ b/files/listing.go
@@ -16,8 +16,10 @@ type Listing struct {
 }

 // ApplySort applies the sort order using .Order and .Sort
+//nolint:goconst
 func (l Listing) ApplySort() {
 	// Check '.Order' to know how to sort
+	// TODO: use enum
 	if !l.Sorting.Asc {
 		switch l.Sorting.By {
 		case "name":
--- a/files/utils.go
+++ b/files/utils.go
@@ -4,41 +4,45 @@ import (
 	"unicode/utf8"
 )

-func isBinary(content []byte, n int) bool {
+func isBinary(content []byte, _ int) bool {
 	maybeStr := string(content)
 	runeCnt := utf8.RuneCount(content)
 	runeIndex := 0
 	gotRuneErrCnt := 0
 	firstRuneErrIndex := -1

-	for _, b := range maybeStr {
+	const (
 		// 8 and below are control chars (e.g. backspace, null, eof, etc)
-		if b <= 8 {
+		maxControlCharsCode = 8
+		// 0xFFFD(65533) is  the "error" Rune or "Unicode replacement character"
+		// see https://golang.org/pkg/unicode/utf8/#pkg-constants
+		unicodeReplacementChar = 0xFFFD
+	)
+
+	for _, b := range maybeStr {
+		if b <= maxControlCharsCode {
 			return true
 		}

-		// 0xFFFD(65533) is  the "error" Rune or "Unicode replacement character"
-		// see https://golang.org/pkg/unicode/utf8/#pkg-constants
-		if b == 0xFFFD {
-			//if it is not the last (utf8.UTFMax - x) rune
+		if b == unicodeReplacementChar {
+			// if it is not the last (utf8.UTFMax - x) rune
 			if runeCnt > utf8.UTFMax && runeIndex < runeCnt-utf8.UTFMax {
 				return true
-			} else {
-				//else it is the last (utf8.UTFMax - x) rune
-				//there maybe Vxxx, VVxx, VVVx, thus, we may got max 3 0xFFFD rune (asume V is the byte we got)
-				//for Chinese, it can only be Vxx, VVx, we may got max 2 0xFFFD rune
-				gotRuneErrCnt++
+			}
+			// else it is the last (utf8.UTFMax - x) rune
+			// there maybe Vxxx, VVxx, VVVx, thus, we may got max 3 0xFFFD rune (assume V is the byte we got)
+			// for Chinese, it can only be Vxx, VVx, we may got max 2 0xFFFD rune
+			gotRuneErrCnt++

-				//mark the first time
-				if firstRuneErrIndex == -1 {
-					firstRuneErrIndex = runeIndex
-				}
+			// mark the first time
+			if firstRuneErrIndex == -1 {
+				firstRuneErrIndex = runeIndex
 			}
 		}
 		runeIndex++
 	}

-	//if last (utf8.UTFMax - x ) rune has the "error" Rune, but not all
+	// if last (utf8.UTFMax - x ) rune has the "error" Rune, but not all
 	if firstRuneErrIndex != -1 && gotRuneErrCnt != runeCnt-firstRuneErrIndex {
 		return true
 	}
--- a/fileutils/dir.go
+++ b/fileutils/dir.go
@@ -9,7 +9,7 @@ import (
 // CopyDir copies a directory from source to dest and all
 // of its sub-directories. It doesn't stop if it finds an error
 // during the copy. Returns an error if any.
-func CopyDir(fs afero.Fs, source string, dest string) error {
+func CopyDir(fs afero.Fs, source, dest string) error {
 	// Get properties of source.
 	srcinfo, err := fs.Stat(source)
 	if err != nil {
--- a/fileutils/file.go
+++ b/fileutils/file.go
@@ -9,7 +9,7 @@ import (

 // CopyFile copies a file from source to dest and returns
 // an error if any.
-func CopyFile(fs afero.Fs, source string, dest string) error {
+func CopyFile(fs afero.Fs, source, dest string) error {
 	// Open the source file.
 	src, err := fs.Open(source)
 	if err != nil {
--- a/frontend/public/index.html
+++ b/frontend/public/index.html
@@ -11,8 +11,8 @@

  <title>[{[ if .Name -]}][{[ .Name ]}][{[ else ]}]File Browser[{[ end ]}]</title>

-  <link rel="icon" type="image/png" sizes="32x32" href="/[{[ .StaticURL ]}]/img/icons/favicon-32x32.png">
-  <link rel="icon" type="image/png" sizes="16x16" href="/[{[ .StaticURL ]}]/img/icons/favicon-16x16.png">
+  <link rel="icon" type="image/png" sizes="32x32" href="[{[ .StaticURL ]}]/img/icons/favicon-32x32.png">
+  <link rel="icon" type="image/png" sizes="16x16" href="[{[ .StaticURL ]}]/img/icons/favicon-16x16.png">
  <!-- Add to home screen for Android and modern mobile browsers -->
  <link rel="manifest" id="manifestPlaceholder" crossorigin="use-credentials">
  <meta name="theme-color" content="#2979ff">
@@ -21,17 +21,17 @@
  <meta name="apple-mobile-web-app-capable" content="yes">
  <meta name="apple-mobile-web-app-status-bar-style" content="black">
  <meta name="apple-mobile-web-app-title" content="assets">
-  <link rel="apple-touch-icon" href="/[{[ .StaticURL ]}]/img/icons/apple-touch-icon-152x152.png">
+  <link rel="apple-touch-icon" href="[{[ .StaticURL ]}]/img/icons/apple-touch-icon-152x152.png">

  <!-- Add to home screen for Windows -->
-  <meta name="msapplication-TileImage" content="/[{[ .StaticURL ]}]/img/icons/msapplication-icon-144x144.png">
+  <meta name="msapplication-TileImage" content="[{[ .StaticURL ]}]/img/icons/msapplication-icon-144x144.png">
  <meta name="msapplication-TileColor" content="#2979ff">

  <!-- Inject Some Variables and generate the manifest json -->
  <script>
    window.FileBrowser = JSON.parse(`[{[ .Json ]}]`);
    
-    var fullStaticURL = window.location.origin + "/" + window.FileBrowser.StaticURL; 
+    var fullStaticURL = window.location.origin + window.FileBrowser.StaticURL;
    var dynamicManifest = {
      "name": window.FileBrowser.Name || 'File Browser',
      "short_name": window.FileBrowser.Name || 'File Browser',
@@ -134,10 +134,10 @@
  </div>

  [{[ if .Theme -]}]
-    <link rel="stylesheet" href="/[{[ .StaticURL ]}]/themes/[{[ .Theme ]}].css" />
+    <link rel="stylesheet" href="[{[ .StaticURL ]}]/themes/[{[ .Theme ]}].css" />
  [{[ end ]}]
  [{[ if .CSS -]}]
-    <link rel="stylesheet" href="/[{[ .StaticURL ]}]/custom.css" />
+    <link rel="stylesheet" href="[{[ .StaticURL ]}]/custom.css" />
  [{[ end ]}]
 </body>
 </html>
--- a/frontend/src/components/files/ListingItem.vue
+++ b/frontend/src/components/files/ListingItem.vue
@@ -2,7 +2,7 @@
  <div class="item"
  role="button"
  tabindex="0"
-  draggable="true"
+  :draggable="isDraggable"
  @dragstart="dragStart"
  @dragover="dragOver"
  @drop="drop"
@@ -44,7 +44,7 @@ export default {
  },
  props: ['name', 'isDir', 'url', 'type', 'size', 'modified', 'index'],
  computed: {
-    ...mapState(['selected', 'req']),
+    ...mapState(['selected', 'req', 'user']),
    ...mapGetters(['selectedCount']),
    isSelected () {
      return (this.selected.indexOf(this.index) !== -1)
@@ -56,6 +56,9 @@ export default {
      if (this.type === 'video') return 'movie'
      return 'insert_drive_file'
    },
+    isDraggable () {
+      return this.user.perm.rename
+    },
    canDrop () {
      if (!this.isDir) return false

--- a/frontend/src/utils/constants.js
+++ b/frontend/src/utils/constants.js
@@ -6,7 +6,7 @@ const recaptcha = window.FileBrowser.ReCaptcha
 const recaptchaKey = window.FileBrowser.ReCaptchaKey
 const signup = window.FileBrowser.Signup
 const version = window.FileBrowser.Version
-const logoURL = `/${staticURL}/img/logo.svg`
+const logoURL = `${staticURL}/img/logo.svg`
 const noAuth = window.FileBrowser.NoAuth
 const authMethod = window.FileBrowser.AuthMethod
 const loginPage = window.FileBrowser.LoginPage
--- a/go.mod
+++ b/go.mod
@@ -28,12 +28,13 @@ require (
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	go.etcd.io/bbolt v1.3.3
-	golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529
-	golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862 // indirect
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
+	golang.org/x/net v0.0.0-20200528225125-3c3fba18258b // indirect
+	golang.org/x/sys v0.0.0-20200523222454-059865788121 // indirect
 	golang.org/x/text v0.3.2 // indirect
 	google.golang.org/appengine v1.5.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.2.7
 )

-go 1.13
+go 1.14
--- a/go.sum
+++ b/go.sum
@@ -237,8 +237,8 @@ golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 h1:jsG6UpNLt9iAsb0S2AGW28DveNzzgmbXR+ENoPjUeIU=
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529 h1:iMGN4xG0cnqj3t+zOM8wUB0BiPKHEwSxEZCvzcbZuvk=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225 h1:kNX+jCowfMYzvlSvJu5pQWEmyWFrBXJ3PBy10xKMXK8=
@@ -254,6 +254,8 @@ golang.org/x/net v0.0.0-20190328230028-74de082e2cca/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092 h1:4QSRKanuywn15aTZvI/mIDEgPQpswuFndXpOj3rKEco=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20200528225125-3c3fba18258b h1:IYiJPiJfzktmDAO1HQiwjMjwjlYKHAL7KzeD544RJPs=
+golang.org/x/net v0.0.0-20200528225125-3c3fba18258b/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -271,8 +273,9 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190228124157-a34e9553db1e h1:ZytStCyV048ZqDsWHiYDdoI2Vd4msMcrDECFxS+tL9c=
 golang.org/x/sys v0.0.0-20190228124157-a34e9553db1e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862 h1:rM0ROo5vb9AdYJi1110yjWGMej9ITfKddS89P3Fkhug=
-golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zrpzXdb/voyeOuVKS46o=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
--- a/http/auth.go
+++ b/http/auth.go
@@ -10,10 +10,15 @@ import (

 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/dgrijalva/jwt-go/request"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
 )

+const (
+	TokenExpirationTime = time.Hour * 2
+)
+
 type userInfo struct {
 	ID           uint              `json:"id"`
 	Locale       string            `json:"locale"`
@@ -161,7 +166,7 @@ var renewHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data
 	return printToken(w, r, d, d.user)
 })

-func printToken(w http.ResponseWriter, r *http.Request, d *data, user *users.User) (int, error) {
+func printToken(w http.ResponseWriter, _ *http.Request, d *data, user *users.User) (int, error) {
 	claims := &authToken{
 		User: userInfo{
 			ID:           user.ID,
@@ -173,7 +178,7 @@ func printToken(w http.ResponseWriter, r *http.Request, d *data, user *users.Use
 		},
 		StandardClaims: jwt.StandardClaims{
 			IssuedAt:  time.Now().Unix(),
-			ExpiresAt: time.Now().Add(time.Hour * 2).Unix(),
+			ExpiresAt: time.Now().Add(TokenExpirationTime).Unix(),
 			Issuer:    "File Browser",
 		},
 	}
@@ -185,6 +190,8 @@ func printToken(w http.ResponseWriter, r *http.Request, d *data, user *users.Use
 	}

 	w.Header().Set("Content-Type", "cty")
-	w.Write([]byte(signed))
+	if _, err := w.Write([]byte(signed)); err != nil {
+		return http.StatusInternalServerError, err
+	}
 	return 0, nil
 }
--- a/http/commands.go
+++ b/http/commands.go
@@ -9,8 +9,13 @@ import (
 	"strings"
 	"time"

-	"github.com/filebrowser/filebrowser/v2/runner"
 	"github.com/gorilla/websocket"
+
+	"github.com/filebrowser/filebrowser/v2/runner"
+)
+
+const (
+	WSWriteDeadline = 10 * time.Second
 )

 var upgrader = websocket.Upgrader{
@@ -22,12 +27,14 @@ var (
 	cmdNotAllowed = []byte("Command not allowed.")
 )

-func wsErr(ws *websocket.Conn, r *http.Request, status int, err error) {
+func wsErr(ws *websocket.Conn, r *http.Request, status int, err error) { //nolint:unparam
 	txt := http.StatusText(status)
 	if err != nil || status >= 400 {
 		log.Printf("%s: %v %s %v", r.URL.Path, status, r.RemoteAddr, err)
 	}
-	ws.WriteControl(websocket.CloseInternalServerErr, []byte(txt), time.Now().Add(10*time.Second))
+	if err := ws.WriteControl(websocket.CloseInternalServerErr, []byte(txt), time.Now().Add(WSWriteDeadline)); err != nil { //nolint:shadow
+		log.Print(err)
+	}
 }

 var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
@@ -40,7 +47,7 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
 	var raw string

 	for {
-		_, msg, err := conn.ReadMessage()
+		_, msg, err := conn.ReadMessage() //nolint:shadow
 		if err != nil {
 			wsErr(conn, r, http.StatusInternalServerError, err)
 			return 0, nil
@@ -53,8 +60,7 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
 	}

 	if !d.user.CanExecute(strings.Split(raw, " ")[0]) {
-		err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed)
-		if err != nil {
+		if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:shadow
 			wsErr(conn, r, http.StatusInternalServerError, err)
 		}

@@ -63,15 +69,13 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d

 	command, err := runner.ParseCommand(d.settings, raw)
 	if err != nil {
-		err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error()))
-		if err != nil {
+		if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:shadow
 			wsErr(conn, r, http.StatusInternalServerError, err)
 		}
-
 		return 0, nil
 	}

-	cmd := exec.Command(command[0], command[1:]...)
+	cmd := exec.Command(command[0], command[1:]...) //nolint:gosec
 	cmd.Dir = d.user.FullPath(r.URL.Path)

 	stdout, err := cmd.StdoutPipe()
@@ -93,7 +97,9 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d

 	s := bufio.NewScanner(io.MultiReader(stdout, stderr))
 	for s.Scan() {
-		conn.WriteMessage(websocket.TextMessage, s.Bytes())
+		if err := conn.WriteMessage(websocket.TextMessage, s.Bytes()); err != nil {
+			log.Print(err)
+		}
 	}

 	if err := cmd.Wait(); err != nil {
--- a/http/data.go
+++ b/http/data.go
@@ -41,9 +41,9 @@ func (d *data) Check(path string) bool {
 	return true
 }

-func handle(fn handleFunc, prefix string, storage *storage.Storage, server *settings.Server) http.Handler {
+func handle(fn handleFunc, prefix string, store *storage.Storage, server *settings.Server) http.Handler {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		settings, err := storage.Settings.Get()
+		settings, err := store.Settings.Get()
 		if err != nil {
 			log.Fatalln("ERROR: couldn't get settings")
 			return
@@ -51,7 +51,7 @@ func handle(fn handleFunc, prefix string, storage *storage.Storage, server *sett

 		status, err := fn(w, r, &data{
 			Runner:   &runner.Runner{Settings: settings},
-			store:    storage,
+			store:    store,
 			settings: settings,
 			server:   server,
 		})
--- a/http/http.go
+++ b/http/http.go
@@ -3,9 +3,10 @@ package http
 import (
 	"net/http"

+	"github.com/gorilla/mux"
+
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/storage"
-	"github.com/gorilla/mux"
 )

 type modifyRequest struct {
@@ -13,11 +14,11 @@ type modifyRequest struct {
 	Which []string `json:"which"` // Answer to: which fields?
 }

-func NewHandler(storage *storage.Storage, server *settings.Server) (http.Handler, error) {
+func NewHandler(store *storage.Storage, server *settings.Server) (http.Handler, error) {
 	server.Clean()

 	r := mux.NewRouter()
-	index, static := getStaticHandlers(storage, server)
+	index, static := getStaticHandlers(store, server)

 	// NOTE: This fixes the issue where it would redirect if people did not put a
 	// trailing slash in the end. I hate this decision since this allows some awful
@@ -25,7 +26,7 @@ func NewHandler(storage *storage.Storage, server *settings.Server) (http.Handler
 	r = r.SkipClean(true)

 	monkey := func(fn handleFunc, prefix string) http.Handler {
-		return handle(fn, prefix, storage, server)
+		return handle(fn, prefix, store, server)
 	}

 	r.PathPrefix("/static").Handler(static)
--- a/http/public.go
+++ b/http/public.go
@@ -46,7 +46,7 @@ func ifPathWithName(r *http.Request) string {
 	pathElements := strings.Split(r.URL.Path, "/")
 	// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
 	// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
-	if len(pathElements) < 2 {
+	if len(pathElements) < 2 { //nolint: mnd
 		return r.URL.Path
 	}
 	id := pathElements[len(pathElements)-2]
--- a/http/raw.go
+++ b/http/raw.go
@@ -7,34 +7,37 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/filebrowser/filebrowser/v2/files"
-	"github.com/filebrowser/filebrowser/v2/users"
 	"github.com/hacdias/fileutils"
 	"github.com/mholt/archiver"
+
+	"github.com/filebrowser/filebrowser/v2/files"
+	"github.com/filebrowser/filebrowser/v2/users"
 )

-func parseQueryFiles(r *http.Request, f *files.FileInfo, u *users.User) ([]string, error) {
-	files := []string{}
+func parseQueryFiles(r *http.Request, f *files.FileInfo, _ *users.User) ([]string, error) {
+	var fileSlice []string
 	names := strings.Split(r.URL.Query().Get("files"), ",")

 	if len(names) == 0 {
-		files = append(files, f.Path)
+		fileSlice = append(fileSlice, f.Path)
 	} else {
 		for _, name := range names {
-			name, err := url.QueryUnescape(strings.Replace(name, "+", "%2B", -1))
+			name, err := url.QueryUnescape(strings.Replace(name, "+", "%2B", -1)) //nolint:shadow
 			if err != nil {
 				return nil, err
 			}

 			name = fileutils.SlashClean(name)
-			files = append(files, filepath.Join(f.Path, name))
+			fileSlice = append(fileSlice, filepath.Join(f.Path, name))
 		}
 	}

-	return files, nil
+	return fileSlice, nil
 }

+//nolint: goconst
 func parseQueryAlgorithm(r *http.Request) (string, archiver.Writer, error) {
+	// TODO: use enum
 	switch r.URL.Query().Get("algo") {
 	case "zip", "true", "":
 		return ".zip", archiver.NewZip(), nil
--- a/http/resource.go
+++ b/http/resource.go
@@ -9,9 +9,8 @@ import (
 	"os"
 	"strings"

-	"github.com/filebrowser/filebrowser/v2/files"
-
 	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/files"
 	"github.com/filebrowser/filebrowser/v2/fileutils"
 )

@@ -74,7 +73,7 @@ var resourcePostPutHandler = withUser(func(w http.ResponseWriter, r *http.Reques
 	}

 	defer func() {
-		io.Copy(ioutil.Discard, r.Body)
+		_, _ = io.Copy(ioutil.Discard, r.Body)
 	}()

 	// For directories, only allow POST for creation.
@@ -133,25 +132,22 @@ var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request,
 		return http.StatusForbidden, nil
 	}

-	switch action {
-	case "copy":
-		if !d.user.Perm.Create {
-			return http.StatusForbidden, nil
-		}
-	case "rename":
-	default:
-		action = "rename"
-		if !d.user.Perm.Rename {
-			return http.StatusForbidden, nil
-		}
-	}
-
 	err = d.RunHook(func() error {
-		if action == "copy" {
+		switch action {
+		// TODO: use enum
+		case "copy":
+			if !d.user.Perm.Create {
+				return errors.ErrPermissionDenied
+			}
 			return fileutils.Copy(d.user.Fs, src, dst)
+		case "rename":
+			if !d.user.Perm.Rename {
+				return errors.ErrPermissionDenied
+			}
+			return d.user.Fs.Rename(src, dst)
+		default:
+			return fmt.Errorf("unsupported action %s: %w", action, errors.ErrInvalidRequestParams)
 		}
-
-		return d.user.Fs.Rename(src, dst)
 	}, action, src, dst, d.user)

 	return errToStatus(err), err
--- a/http/share.go
+++ b/http/share.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"net/http"
+	"path"
 	"strconv"
 	"strings"
 	"time"
@@ -56,7 +57,9 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 		var err error
 		s, err = d.store.Share.GetPermanent(r.URL.Path, d.user.ID)
 		if err == nil {
-			w.Write([]byte(d.server.BaseURL + "/share/" + s.Hash))
+			if _, err := w.Write([]byte(path.Join(d.server.BaseURL, "/share/", s.Hash))); err != nil {
+				return http.StatusInternalServerError, err
+			}
 			return 0, nil
 		}
 	}
--- a/http/static.go
+++ b/http/static.go
@@ -5,22 +5,22 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"text/template"

 	rice "github.com/GeertJohan/go.rice"
+
 	"github.com/filebrowser/filebrowser/v2/auth"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/storage"
 	"github.com/filebrowser/filebrowser/v2/version"
 )

-func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *rice.Box, file, contentType string) (int, error) {
+func handleWithStaticData(w http.ResponseWriter, _ *http.Request, d *data, box *rice.Box, file, contentType string) (int, error) {
 	w.Header().Set("Content-Type", contentType)

-	staticURL := strings.TrimPrefix(d.server.BaseURL+"/static", "/")
-
 	auther, err := d.store.Auth.Get(d.settings.AuthMethod)
 	if err != nil {
 		return http.StatusInternalServerError, err
@@ -31,7 +31,7 @@ func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *
 		"DisableExternal": d.settings.Branding.DisableExternal,
 		"BaseURL":         d.server.BaseURL,
 		"Version":         version.Version,
-		"StaticURL":       staticURL,
+		"StaticURL":       path.Join(d.server.BaseURL, "/static"),
 		"Signup":          d.settings.Signup,
 		"NoAuth":          d.settings.AuthMethod == auth.MethodNoAuth,
 		"AuthMethod":      d.settings.AuthMethod,
@@ -42,8 +42,8 @@ func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *
 	}

 	if d.settings.Branding.Files != "" {
-		path := filepath.Join(d.settings.Branding.Files, "custom.css")
-		_, err := os.Stat(path)
+		fPath := filepath.Join(d.settings.Branding.Files, "custom.css")
+		_, err := os.Stat(fPath) //nolint:shadow

 		if err != nil && !os.IsNotExist(err) {
 			log.Printf("couldn't load custom styles: %v", err)
@@ -55,7 +55,7 @@ func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *
 	}

 	if d.settings.AuthMethod == auth.MethodJSONAuth {
-		raw, err := d.store.Auth.Get(d.settings.AuthMethod)
+		raw, err := d.store.Auth.Get(d.settings.AuthMethod) //nolint:shadow
 		if err != nil {
 			return http.StatusInternalServerError, err
 		}
@@ -85,29 +85,29 @@ func handleWithStaticData(w http.ResponseWriter, r *http.Request, d *data, box *
 	return 0, nil
 }

-func getStaticHandlers(storage *storage.Storage, server *settings.Server) (http.Handler, http.Handler) {
+func getStaticHandlers(store *storage.Storage, server *settings.Server) (index, static http.Handler) {
 	box := rice.MustFindBox("../frontend/dist")
 	handler := http.FileServer(box.HTTPBox())

-	index := handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	index = handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 		if r.Method != http.MethodGet {
 			return http.StatusNotFound, nil
 		}

 		w.Header().Set("x-xss-protection", "1; mode=block")
 		return handleWithStaticData(w, r, d, box, "index.html", "text/html; charset=utf-8")
-	}, "", storage, server)
+	}, "", store, server)

-	static := handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	static = handle(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 		if r.Method != http.MethodGet {
 			return http.StatusNotFound, nil
 		}

 		if d.settings.Branding.Files != "" {
 			if strings.HasPrefix(r.URL.Path, "img/") {
-				path := filepath.Join(d.settings.Branding.Files, r.URL.Path)
-				if _, err := os.Stat(path); err == nil {
-					http.ServeFile(w, r, path)
+				fPath := filepath.Join(d.settings.Branding.Files, r.URL.Path)
+				if _, err := os.Stat(fPath); err == nil {
+					http.ServeFile(w, r, fPath)
 					return 0, nil
 				}
 			} else if r.URL.Path == "custom.css" && d.settings.Branding.Files != "" {
@@ -122,7 +122,7 @@ func getStaticHandlers(storage *storage.Storage, server *settings.Server) (http.
 		}

 		return handleWithStaticData(w, r, d, box, r.URL.Path, "application/javascript; charset=utf-8")
-	}, "/static/", storage, server)
+	}, "/static/", store, server)

 	return index, static
 }
--- a/http/users.go
+++ b/http/users.go
@@ -8,9 +8,10 @@ import (
 	"strconv"
 	"strings"

+	"github.com/gorilla/mux"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
-	"github.com/gorilla/mux"
 )

 type modifyUserRequest struct {
@@ -27,7 +28,7 @@ func getUserID(r *http.Request) (uint, error) {
 	return uint(i), err
 }

-func getUser(w http.ResponseWriter, r *http.Request) (*modifyUserRequest, error) {
+func getUser(_ http.ResponseWriter, r *http.Request) (*modifyUserRequest, error) {
 	if r.Body == nil {
 		return nil, errors.ErrEmptyRequest
 	}
--- a/http/utils.go
+++ b/http/utils.go
@@ -2,15 +2,16 @@ package http

 import (
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"

-	"github.com/filebrowser/filebrowser/v2/errors"
+	libErrors "github.com/filebrowser/filebrowser/v2/errors"
 )

-func renderJSON(w http.ResponseWriter, r *http.Request, data interface{}) (int, error) {
+func renderJSON(w http.ResponseWriter, _ *http.Request, data interface{}) (int, error) {
 	marsh, err := json.Marshal(data)

 	if err != nil {
@@ -31,10 +32,14 @@ func errToStatus(err error) int {
 		return http.StatusOK
 	case os.IsPermission(err):
 		return http.StatusForbidden
-	case os.IsNotExist(err), err == errors.ErrNotExist:
+	case os.IsNotExist(err), err == libErrors.ErrNotExist:
 		return http.StatusNotFound
-	case os.IsExist(err), err == errors.ErrExist:
+	case os.IsExist(err), err == libErrors.ErrExist:
 		return http.StatusConflict
+	case errors.Is(err, libErrors.ErrPermissionDenied):
+		return http.StatusForbidden
+	case errors.Is(err, libErrors.ErrInvalidRequestParams):
+		return http.StatusBadRequest
 	default:
 		return http.StatusInternalServerError
 	}
@@ -43,7 +48,7 @@ func errToStatus(err error) int {
 // This is an addaptation if http.StripPrefix in which we don't
 // return 404 if the page doesn't have the needed prefix.
 func stripPrefix(prefix string, h http.Handler) http.Handler {
-	if prefix == "" {
+	if prefix == "" || prefix == "/" {
 		return h
 	}

--- a/runner/parser.go
+++ b/runner/parser.go
@@ -3,15 +3,16 @@ package runner
 import (
 	"os/exec"

-	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/caddyserver/caddy"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
 )

 // ParseCommand parses the command taking in account if the current
 // instance uses a shell to run the commands or just calls the binary
 // directyly.
 func ParseCommand(s *settings.Settings, raw string) ([]string, error) {
-	command := []string{}
+	var command []string

 	if len(s.Shell) == 0 {
 		cmd, args, err := caddy.SplitCommandAndArgs(raw)
@@ -27,7 +28,7 @@ func ParseCommand(s *settings.Settings, raw string) ([]string, error) {
 		command = append(command, cmd)
 		command = append(command, args...)
 	} else {
-		command = append(s.Shell, raw)
+		command = append(s.Shell, raw) //nolint:gocritic
 	}

 	return command, nil
--- a/runner/runner.go
+++ b/runner/runner.go
@@ -60,9 +60,9 @@ func (r *Runner) exec(raw, evt, path, dst string, user *users.User) error {
 		return err
 	}

-	cmd := exec.Command(command[0], command[1:]...)
+	cmd := exec.Command(command[0], command[1:]...) //nolint:gosec
 	cmd.Env = append(os.Environ(), fmt.Sprintf("FILE=%s", path))
-	cmd.Env = append(cmd.Env, fmt.Sprintf("SCOPE=%s", user.Scope))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("SCOPE=%s", user.Scope)) //nolint:gocritic
 	cmd.Env = append(cmd.Env, fmt.Sprintf("TRIGGER=%s", evt))
 	cmd.Env = append(cmd.Env, fmt.Sprintf("USERNAME=%s", user.Username))
 	cmd.Env = append(cmd.Env, fmt.Sprintf("DESTINATION=%s", dst))
--- a/search/search.go
+++ b/search/search.go
@@ -4,8 +4,9 @@ import (
 	"os"
 	"strings"

-	"github.com/filebrowser/filebrowser/v2/rules"
 	"github.com/spf13/afero"
+
+	"github.com/filebrowser/filebrowser/v2/rules"
 )

 type searchOptions struct {
--- a/settings/dir.go
+++ b/settings/dir.go
@@ -17,21 +17,21 @@ var (
 )

 // MakeUserDir makes the user directory according to settings.
-func (settings *Settings) MakeUserDir(username, userScope, serverRoot string) (string, error) {
+func (s *Settings) MakeUserDir(username, userScope, serverRoot string) (string, error) {
 	var err error
 	userScope = strings.TrimSpace(userScope)
 	if userScope == "" || userScope == "./" {
 		userScope = "."
 	}

-	if !settings.CreateUserDir {
+	if !s.CreateUserDir {
 		return userScope, nil
 	}

 	fs := afero.NewBasePathFs(afero.NewOsFs(), serverRoot)

 	// Use the default auto create logic only if specific scope is not the default scope
-	if userScope != settings.Defaults.Scope {
+	if userScope != s.Defaults.Scope {
 		// Try create the dir, for example: settings.Defaults.Scope == "." and userScope == "./foo"
 		if userScope != "." {
 			err = fs.MkdirAll(userScope, os.ModePerm)
@@ -50,7 +50,7 @@ func (settings *Settings) MakeUserDir(username, userScope, serverRoot string) (s
 	}

 	// Create default user dir
-	userHomeBase := settings.Defaults.Scope + string(os.PathSeparator) + "users"
+	userHomeBase := s.Defaults.Scope + string(os.PathSeparator) + "users"
 	userHome := userHomeBase + string(os.PathSeparator) + username
 	err = fs.MkdirAll(userHome, os.ModePerm)
 	if err != nil {
--- a/share/storage.go
+++ b/share/storage.go
@@ -33,7 +33,9 @@ func (s *Storage) GetByHash(hash string) (*Link, error) {
 	}

 	if link.Expire != 0 && link.Expire <= time.Now().Unix() {
-		s.Delete(link.Hash)
+		if err := s.Delete(link.Hash); err != nil {
+			return nil, err
+		}
 		return nil, errors.ErrNotExist
 	}

@@ -55,7 +57,9 @@ func (s *Storage) Gets(path string, id uint) ([]*Link, error) {

 	for i, link := range links {
 		if link.Expire != 0 && link.Expire <= time.Now().Unix() {
-			s.Delete(link.Hash)
+			if err := s.Delete(link.Hash); err != nil {
+				return nil, err
+			}
 			links = append(links[:i], links[i+1:]...)
 		}
 	}
--- a/storage/bolt/auth.go
+++ b/storage/bolt/auth.go
@@ -2,6 +2,7 @@ package bolt

 import (
 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/auth"
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/settings"
--- a/storage/bolt/bolt.go
+++ b/storage/bolt/bolt.go
@@ -2,6 +2,7 @@ package bolt

 import (
 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/auth"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/share"
@@ -11,10 +12,10 @@ import (

 // NewStorage creates a storage.Storage based on Bolt DB.
 func NewStorage(db *storm.DB) (*storage.Storage, error) {
-	users := users.NewStorage(usersBackend{db: db})
-	share := share.NewStorage(shareBackend{db: db})
-	settings := settings.NewStorage(settingsBackend{db: db})
-	auth := auth.NewStorage(authBackend{db: db}, users)
+	userStore := users.NewStorage(usersBackend{db: db})
+	shareStore := share.NewStorage(shareBackend{db: db})
+	settingsStore := settings.NewStorage(settingsBackend{db: db})
+	authStore := auth.NewStorage(authBackend{db: db}, userStore)

 	err := save(db, "version", 2)
 	if err != nil {
@@ -22,9 +23,9 @@ func NewStorage(db *storm.DB) (*storage.Storage, error) {
 	}

 	return &storage.Storage{
-		Auth:     auth,
-		Users:    users,
-		Share:    share,
-		Settings: settings,
+		Auth:     authStore,
+		Users:    userStore,
+		Share:    shareStore,
+		Settings: settingsStore,
 	}, nil
 }
--- a/storage/bolt/config.go
+++ b/storage/bolt/config.go
@@ -2,6 +2,7 @@ package bolt

 import (
 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/settings"
 )

@@ -10,12 +11,12 @@ type settingsBackend struct {
 }

 func (s settingsBackend) Get() (*settings.Settings, error) {
-	settings := &settings.Settings{}
-	return settings, get(s.db, "settings", settings)
+	set := &settings.Settings{}
+	return set, get(s.db, "settings", set)
 }

-func (s settingsBackend) Save(settings *settings.Settings) error {
-	return save(s.db, "settings", settings)
+func (s settingsBackend) Save(set *settings.Settings) error {
+	return save(s.db, "settings", set)
 }

 func (s settingsBackend) GetServer() (*settings.Server, error) {
--- a/storage/bolt/importer/conf.go
+++ b/storage/bolt/importer/conf.go
@@ -7,14 +7,14 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/filebrowser/filebrowser/v2/auth"
-	"github.com/filebrowser/filebrowser/v2/users"
-
 	"github.com/asdine/storm"
-	"github.com/filebrowser/filebrowser/v2/settings"
-	"github.com/filebrowser/filebrowser/v2/storage"
 	toml "github.com/pelletier/go-toml"
 	yaml "gopkg.in/yaml.v2"
+
+	"github.com/filebrowser/filebrowser/v2/auth"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/storage"
+	"github.com/filebrowser/filebrowser/v2/users"
 )

 type oldDefs struct {
--- a/storage/bolt/importer/importer.go
+++ b/storage/bolt/importer/importer.go
@@ -2,34 +2,35 @@ package importer

 import (
 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/storage/bolt"
 )

 // Import imports an old configuration to a newer database.
-func Import(oldDB, oldConf, newDB string) error {
-	old, err := storm.Open(oldDB)
+func Import(oldDBPath, oldConf, newDBPath string) error {
+	oldDB, err := storm.Open(oldDBPath)
 	if err != nil {
 		return err
 	}
-	defer old.Close()
+	defer oldDB.Close()

-	new, err := storm.Open(newDB)
+	newDB, err := storm.Open(newDBPath)
 	if err != nil {
 		return err
 	}
-	defer new.Close()
+	defer newDB.Close()

-	sto, err := bolt.NewStorage(new)
+	sto, err := bolt.NewStorage(newDB)
 	if err != nil {
 		return err
 	}

-	err = importUsers(old, sto)
+	err = importUsers(oldDB, sto)
 	if err != nil {
 		return err
 	}

-	err = importConf(old, oldConf, sto)
+	err = importConf(oldDB, oldConf, sto)
 	if err != nil {
 		return err
 	}
--- a/storage/bolt/importer/users.go
+++ b/storage/bolt/importer/users.go
@@ -5,10 +5,11 @@ import (
 	"fmt"

 	"github.com/asdine/storm"
+	bolt "go.etcd.io/bbolt"
+
 	"github.com/filebrowser/filebrowser/v2/rules"
 	"github.com/filebrowser/filebrowser/v2/storage"
 	"github.com/filebrowser/filebrowser/v2/users"
-	bolt "go.etcd.io/bbolt"
 )

 type oldUser struct {
@@ -29,7 +30,7 @@ type oldUser struct {
 }

 func readOldUsers(db *storm.DB) ([]*oldUser, error) {
-	users := []*oldUser{}
+	var oldUsers []*oldUser
 	err := db.Bolt.View(func(tx *bolt.Tx) error {
 		return tx.Bucket([]byte("User")).ForEach(func(k []byte, v []byte) error {
 			if len(v) > 0 && string(v)[0] == '{' {
@@ -40,14 +41,14 @@ func readOldUsers(db *storm.DB) ([]*oldUser, error) {
 					return err
 				}

-				users = append(users, user)
+				oldUsers = append(oldUsers, user)
 			}

 			return nil
 		})
 	})

-	return users, err
+	return oldUsers, err
 }

 func convertUsersToNew(old []*oldUser) ([]*users.User, error) {
--- a/storage/bolt/share.go
+++ b/storage/bolt/share.go
@@ -3,6 +3,7 @@ package bolt
 import (
 	"github.com/asdine/storm"
 	"github.com/asdine/storm/q"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/share"
 )
@@ -46,5 +47,9 @@ func (s shareBackend) Save(l *share.Link) error {
 }

 func (s shareBackend) Delete(hash string) error {
-	return s.db.DeleteStruct(&share.Link{Hash: hash})
+	err := s.db.DeleteStruct(&share.Link{Hash: hash})
+	if err == storm.ErrNotFound {
+		return nil
+	}
+	return err
 }
--- a/storage/bolt/users.go
+++ b/storage/bolt/users.go
@@ -4,6 +4,7 @@ import (
 	"reflect"

 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
 )
@@ -38,17 +39,17 @@ func (st usersBackend) GetBy(i interface{}) (user *users.User, err error) {
 }

 func (st usersBackend) Gets() ([]*users.User, error) {
-	users := []*users.User{}
-	err := st.db.All(&users)
+	var allUsers []*users.User
+	err := st.db.All(&allUsers)
 	if err == storm.ErrNotFound {
 		return nil, errors.ErrNotExist
 	}

 	if err != nil {
-		return users, err
+		return allUsers, err
 	}

-	return users, err
+	return allUsers, err
 }

 func (st usersBackend) Update(user *users.User, fields ...string) error {
--- a/storage/bolt/utils.go
+++ b/storage/bolt/utils.go
@@ -2,6 +2,7 @@ package bolt

 import (
 	"github.com/asdine/storm"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 )

--- a/storage/storage.go
+++ b/storage/storage.go
@@ -7,7 +7,7 @@ import (
 	"github.com/filebrowser/filebrowser/v2/users"
 )

-// Storage is a storage powered by a Backend whih makes the neccessary
+// Storage is a storage powered by a Backend which makes the necessary
 // verifications when fetching and saving data to ensure consistency.
 type Storage struct {
 	Users    *users.Storage
--- a/users/storage.go
+++ b/users/storage.go
@@ -40,7 +40,9 @@ func (s *Storage) Get(baseScope string, id interface{}) (user *User, err error)
 	if err != nil {
 		return
 	}
-	user.Clean(baseScope)
+	if err := user.Clean(baseScope); err != nil {
+		return nil, err
+	}
 	return
 }

@@ -52,7 +54,9 @@ func (s *Storage) Gets(baseScope string) ([]*User, error) {
 	}

 	for _, user := range users {
-		user.Clean(baseScope)
+		if err := user.Clean(baseScope); err != nil { //nolint:shadow
+			return nil, err
+		}
 	}

 	return users, err
--- a/users/users.go
+++ b/users/users.go
@@ -4,11 +4,11 @@ import (
 	"path/filepath"
 	"regexp"

-	"github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/spf13/afero"

+	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/files"
 	"github.com/filebrowser/filebrowser/v2/rules"
-	"github.com/spf13/afero"
 )

 // ViewMode describes a view mode.
@@ -52,6 +52,7 @@ var checkableFields = []string{

 // Clean cleans up a user and verifies if all its fields
 // are alright to be saved.
+//nolint:gocyclo
 func (u *User) Clean(baseScope string, fields ...string) error {
 	if len(fields) == 0 {
 		fields = checkableFields
Author	SHA1	Message	Date
Oleg Lobanov	6d899a6335	chore: version v2.1.2	2020-06-06 17:49:14 +02:00
Oleg Lobanov	28672c0114	fix(security): check user permission to rename files	2020-06-06 17:45:51 +02:00
Oleg Lobanov	b8300b7121	chore: add dist folder to gitignore	2020-06-02 10:50:14 +02:00
Oleg Lobanov	584ef4d4bd	chore: version v2.1.1	2020-06-01 02:53:15 +02:00
Oleg Lobanov	e8295a944a	fix(build): fix openbsd build bump golang.org/x deps: * golang.org/x/crypto * golang.org/x/net * golang.org/x/sys	2020-06-01 02:52:26 +02:00
Oleg Lobanov	f8f5698ad0	build(docker): add arm 5 docker image for raspberry pi	2020-06-01 02:14:11 +02:00
Oleg Lobanov	700f32718e	refactor: add more go linters (#970 )	2020-06-01 01:12:36 +02:00
Oleg Lobanov	54d92a2708	chore: bump go to 1.14.3 (#969 )	2020-05-31 23:17:32 +02:00
Oleg Lobanov	ba47e3b2fe	fix: fix static assets url generation (#965 )	2020-05-31 22:26:10 +02:00
Oleg Lobanov	6e5405eeed	Update README.md	2020-05-27 14:23:12 +02:00
Henrique Dias	45326e664f	Update README.md	2020-04-16 13:25:03 +01:00