package server
import (
"github.com/alist-org/alist/v3/cmd/flags"
"github.com/alist-org/alist/v3/internal/conf"
"github.com/alist-org/alist/v3/internal/message"
"github.com/alist-org/alist/v3/internal/sign"
"github.com/alist-org/alist/v3/internal/stream"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/server/common"
"github.com/alist-org/alist/v3/server/handles"
"github.com/alist-org/alist/v3/server/middlewares"
"github.com/alist-org/alist/v3/server/static"
"github.com/gin-contrib/cors"
"github.com/gin-gonic/gin"
)
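// Init registers every HTTP route served by the application on e.
//
// All routes except the optional "/" redirect are mounted under
// conf.URL.Path. Middleware order is significant in gin: a RouterGroup copies
// its parent's handler chain at the moment the group is created, and a route
// captures its group's chain at the moment it is registered. Engine-wide
// middleware is therefore attached before the base group is derived, and
// group-level middleware before the routes it is meant to protect.
func Init(e *gin.Engine) {
	// When the site lives under a sub-path, send requests for "/" there.
	if !utils.SliceContains([]string{"", "/"}, conf.URL.Path) {
		e.GET("/", func(c *gin.Context) {
			c.Redirect(302, conf.URL.Path)
		})
	}
	Cors(e)

	// ForceHttps must be attached to the engine BEFORE e.Group below.
	// e.Group snapshots the engine's handler chain, so middleware added to e
	// afterwards never runs for routes registered on g; with the call placed
	// after the group, /api, /dav, /s3 and the download routes would skip it
	// and only engine-level fallbacks such as NoRoute would pick it up.
	// The "/" redirect above is registered earlier and is unaffected.
	if conf.Conf.Scheme.HttpPort != -1 && conf.Conf.Scheme.HttpsPort != -1 && conf.Conf.Scheme.ForceHttps {
		e.Use(middlewares.ForceHttps)
	}
	g := e.Group(conf.URL.Path)

	// Registered before g.Use below, so these four routes run without
	// StoragesLoaded and without the connection limit.
	g.Any("/ping", func(c *gin.Context) {
		c.String(200, "pong")
	})
	g.GET("/favicon.ico", handles.Favicon)
	g.GET("/robots.txt", handles.Robots)
	g.GET("/i/:link_name", handles.Plist)

	// Key material for common.SecretKey comes straight from the configured
	// JWT secret.
	// NOTE(review): nothing in this function rejects an empty or very short
	// secret; confirm it is validated or generated where the config is loaded.
	common.SecretKey = []byte(conf.Conf.JwtSecret)

	g.Use(middlewares.StoragesLoaded)
	if conf.Conf.MaxConnections > 0 {
		g.Use(middlewares.MaxAllowed(conf.Conf.MaxConnections))
	}
	// The /dav and /s3 groups receive no extra middleware here; whatever
	// authentication they need is set up inside WebDav and S3 (not visible
	// in this function).
	WebDav(g.Group("/dav"))
	S3(g.Group("/s3"))

	// Download and proxy routes. Every route runs a signature check first.
	// GET routes additionally run the download rate limiter; HEAD routes
	// do not.
	downloadLimiter := middlewares.DownloadRateLimiter(stream.ClientDownloadLimit)
	signCheck := middlewares.Down(sign.Verify)
	g.GET("/d/*path", signCheck, downloadLimiter, handles.Down)
	g.GET("/p/*path", signCheck, downloadLimiter, handles.Proxy)
	g.HEAD("/d/*path", signCheck, handles.Down)
	g.HEAD("/p/*path", signCheck, handles.Proxy)
	// Archive variants use sign.VerifyArchive instead of sign.Verify.
	archiveSignCheck := middlewares.Down(sign.VerifyArchive)
	g.GET("/ad/*path", archiveSignCheck, downloadLimiter, handles.ArchiveDown)
	g.GET("/ap/*path", archiveSignCheck, downloadLimiter, handles.ArchiveProxy)
	g.GET("/ae/*path", archiveSignCheck, downloadLimiter, handles.ArchiveInternalExtract)
	g.HEAD("/ad/*path", archiveSignCheck, handles.ArchiveDown)
	g.HEAD("/ap/*path", archiveSignCheck, handles.ArchiveProxy)
	g.HEAD("/ae/*path", archiveSignCheck, handles.ArchiveInternalExtract)

	// Three tiers under /api:
	//   api      - no authentication middleware attached here
	//   auth     - same prefix as api, plus middlewares.Auth
	//   webauthn - /api/authn, plus middlewares.Authn
	api := g.Group("/api")
	auth := api.Group("", middlewares.Auth)
	webauthn := api.Group("/authn", middlewares.Authn)

	// Login endpoints sit on api because the caller has no session yet.
	api.POST("/auth/login", handles.Login)
	api.POST("/auth/login/hash", handles.LoginHash)
	api.POST("/auth/login/ldap", handles.LoginLdap)
	auth.GET("/me", handles.CurrentUser)
	auth.POST("/me/update", handles.UpdateCurrent)
	auth.GET("/me/sshkey/list", handles.ListMyPublicKey)
	auth.POST("/me/sshkey/add", handles.AddMyPublicKey)
	auth.POST("/me/sshkey/delete", handles.DeleteMyPublicKey)
	auth.POST("/auth/2fa/generate", handles.Generate2FA)
	auth.POST("/auth/2fa/verify", handles.Verify2FA)
	auth.GET("/auth/logout", handles.LogOut)

	// SSO login. sso_callback, get_sso_id and sso_get_token all dispatch to
	// the same handler, SSOLoginCallback.
	api.GET("/auth/sso", handles.SSOLoginRedirect)
	api.GET("/auth/sso_callback", handles.SSOLoginCallback)
	api.GET("/auth/get_sso_id", handles.SSOLoginCallback)
	api.GET("/auth/sso_get_token", handles.SSOLoginCallback)

	// WebAuthn. The login ceremony is registered on api (no Authn
	// middleware); registration, deletion and credential listing go through
	// the webauthn group and therefore through middlewares.Authn.
	api.GET("/authn/webauthn_begin_login", handles.BeginAuthnLogin)
	api.POST("/authn/webauthn_finish_login", handles.FinishAuthnLogin)
	webauthn.GET("/webauthn_begin_registration", handles.BeginAuthnRegistration)
	webauthn.POST("/webauthn_finish_registration", handles.FinishAuthnRegistration)
	webauthn.POST("/delete_authn", handles.DeleteAuthnLogin)
	webauthn.GET("/getcredentials", handles.GetAuthnCredentials)

	// Public endpoints: derived from api, so neither Auth nor Authn runs.
	// Anything returned by these handlers is readable without credentials.
	public := api.Group("/public")
	public.Any("/settings", handles.PublicSettings)
	public.Any("/offline_download_tools", handles.OfflineDownloadTools)
	public.Any("/archive_extensions", handles.ArchiveExtensions)

	// Authenticated feature groups. /task additionally requires
	// AuthNotGuest and /admin requires AuthAdmin; /fs, /label and
	// /label_file_binding inherit only middlewares.Auth at this level.
	// NOTE(review): any finer-grained permission checks for those three
	// groups must live in their route setup or handlers; confirm.
	_fs(auth.Group("/fs"))
	_task(auth.Group("/task", middlewares.AuthNotGuest))
	_label(auth.Group("/label"))
	_labelFileBinding(auth.Group("/label_file_binding"))
	admin(auth.Group("/admin", middlewares.AuthAdmin))

	// Debug routes exist only when started with the debug or dev flag. They
	// hang off g, not auth, so no authentication middleware is attached here.
	// NOTE(review): confirm debug() applies its own access control and that
	// neither flag is enabled in production deployments.
	if flags.Debug || flags.Dev {
		debug(g.Group("/debug"))
	}

	// Static assets; Static is handed a callback that installs its handlers
	// as the engine's NoRoute fallback.
	static.Static(g, func(handlers ...gin.HandlerFunc) {
		e.NoRoute(handlers...)
	})
}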
func admin(g *gin.RouterGroup) {
meta := g.Group("/meta")
meta.GET("/list", handles.ListMetas)
meta.GET("/get", handles.GetMeta)
meta.POST("/create", handles.CreateMeta)
meta.POST("/update", handles.UpdateMeta)
meta.POST("/delete", handles.DeleteMeta)
user := g.Group("/user")
user.GET("/list", handles.ListUsers)
user.GET("/get", handles.GetUser)
user.POST("/create", handles.CreateUser)
user.POST("/update", handles.UpdateUser)
user.POST("/cancel_2fa", handles.Cancel2FAById)
user.POST("/delete", handles.DeleteUser)
user.POST("/del_cache", handles.DelUserCache)
user.GET("/sshkey/list", handles.ListPublicKeys)
user.POST("/sshkey/delete", handles.DeletePublicKey)
feat: enhance permission control and label management (#9215)
* 标签管理
* pr检查优化
* feat(role): Implement role management functionality
- Add role management routes in `server/router.go` for listing, getting, creating, updating, and deleting roles
- Introduce `initRoles()` in `internal/bootstrap/data/data.go` for initializing roles during bootstrap
- Create `internal/op/role.go` to handle role operations including caching and singleflight
- Implement role handler functions in `server/handles/role.go` for API responses
- Define database operations for roles in `internal/db/role.go`
- Extend `internal/db/db.go` for role model auto-migration
- Design `internal/model/role.go` to represent role structure with ID, name, description, base path, and permissions
- Initialize default roles (`admin` and `guest`) in `internal/bootstrap/data/role.go` during startup
* refactor(user roles): Support multiple roles for users
- Change the `Role` field type from `int` to `[]int` in `drivers/alist_v3/types.go` and `drivers/quqi/types.go`.
- Update the `Role` field in `internal/model/user.go` to use a new `Roles` type with JSON and database support.
- Modify `IsGuest` and `IsAdmin` methods to check for roles using `Contains` method.
- Update `GetUserByRole` method in `internal/db/user.go` to handle multiple roles.
- Add `roles.go` to define a new `Roles` type with JSON marshalling and scanning capabilities.
- Adjust code in `server/handles/user.go` to compare roles with `utils.SliceEqual`.
- Change role initialization for users in `internal/bootstrap/data/dev.go` and `internal/bootstrap/data/user.go`.
- Update `Role` handling in `server/handles/task.go`, `server/handles/ssologin.go`, and `server/handles/ldap_login.go`.
* feat(user/role): Add path limit check for user and role permissions
- Add new permission bit for checking path limits in `user.go`
- Implement `CheckPathLimit` method in `User` struct to validate path access
- Modify `JoinPath` method in `User` to enforce path limit checks
- Update `role.go` to include path limit logic in `Role` struct
- Document new permission bit in `Role` and `User` comments for clarity
* feat(permission): Add role-based permission handling
- Introduce `role_perm.go` for managing user permissions based on roles.
- Implement `HasPermission` and `MergeRolePermissions` functions.
- Update `webdav.go` to utilize role-based permissions instead of direct user checks.
- Modify `fsup.go` to integrate `CanAccessWithRoles` function.
- Refactor `fsread.go` to use `common.HasPermission` for permission validation.
- Adjust `fsmanage.go` for role-based access control checks.
- Enhance `ftp.go` and `sftp.go` to manage FTP access via roles.
- Update `fsbatch.go` to employ `MergeRolePermissions` for batch operations.
- Replace direct user permission checks with role-based permission handling across various modules.
* refactor(user): Replace integer role values with role IDs
- Change `GetAdmin()` and `GetGuest()` functions to retrieve role by name and use role ID.
- Add patch for version `v3.45.2` to convert legacy integer roles to role IDs.
- Update `dev.go` and `user.go` to use role IDs instead of integer values for roles.
- Remove redundant code in `role.go` related to guest role creation.
- Modify `ssologin.go` and `ldap_login.go` to set user roles to nil instead of using integer roles.
- Introduce `convert_roles.go` to handle conversion of legacy roles and ensure role existence in the database.
* feat(role_perm): implement support for multiple base paths for roles
- Modify role permission checks to support multiple base paths
- Update role creation and update functions to handle multiple base paths
- Add migration script to convert old base_path to base_paths
- Define new Paths type for handling multiple paths in the model
- Adjust role model to replace BasePath with BasePaths
- Update existing patches to handle roles with multiple base paths
- Update bootstrap data to reflect the new base_paths field
* feat(role): Restrict modifications to default roles (admin and guest)
- Add validation to prevent changes to "admin" and "guest" roles in `UpdateRole` and `DeleteRole` functions.
- Introduce `ErrChangeDefaultRole` error in `internal/errs/role.go` to standardize error messaging.
- Update role-related API handlers in `server/handles/role.go` to enforce the new restriction.
- Enhance comments in `internal/bootstrap/data/role.go` to clarify the significance of default roles.
- Ensure consistent error responses for unauthorized role modifications across the application.
* 🔄 **refactor(role): Enhance role permission handling**
- Replaced `BasePaths` with `PermissionPaths` in `Role` struct for better permission granularity.
- Introduced JSON serialization for `PermissionPaths` using `RawPermission` field in `Role` struct.
- Implemented `BeforeSave` and `AfterFind` GORM hooks for handling `PermissionPaths` serialization.
- Refactored permission calculation logic in `role_perm.go` to work with `PermissionPaths`.
- Updated role creation logic to initialize `PermissionPaths` for `admin` and `guest` roles.
- Removed deprecated `CheckPathLimit` method from `Role` struct.
* fix(model/user/role): update permission settings for admin and role
- Change `RawPermission` field in `role.go` to hide JSON representation
- Update `Permission` field in `user.go` to `0xFFFF` for full access
- Modify `PermissionScopes` in `role.go` to `0xFFFF` for enhanced permissions
* 🔒 feat(role-permissions): Enhance role-based access control
- Introduce `canReadPathByRole` function in `role_perm.go` to verify path access based on user roles
- Modify `CanAccessWithRoles` to include role-based path read check
- Add `RoleNames` and `Permissions` to `UserResp` struct in `auth.go` for enhanced user role and permission details
- Implement role details aggregation in `auth.go` to populate `RoleNames` and `Permissions`
- Update `User` struct in `user.go` to include `RolesDetail` for more detailed role information
- Enhance middleware in `auth.go` to load and verify detailed role information for users
- Move `guest` user initialization logic in `user.go` to improve code organization and avoid repetition
* 🔒 fix(permissions): Add permission checks for archive operations
- Add `MergeRolePermissions` and `HasPermission` checks to validate user access for reading archives
- Ensure users have `PermReadArchives` before proceeding with `GetNearestMeta` in specific archive paths
- Implement permission checks for decompress operations, requiring `PermDecompress` for source paths
- Return `PermissionDenied` errors with 403 status if user lacks necessary permissions
* 🔒 fix(server): Add permission check for offline download
- Add permission merging logic for user roles
- Check user has permission for offline download addition
- Return error response with "permission denied" if check fails
* ✨ feat(role-permission): Implement path-based role permission checks
- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.
* ✨ feat(role-permission): Implement path-based role permission checks
- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.
* ♻️ refactor(access-control): Update access control logic to use role-based checks
- Remove deprecated logic from `CanAccess` function in `check.go`, replacing it with `CanAccessWithRoles` for improved role-based access control.
- Modify calls in `search.go` to use `CanAccessWithRoles` for more precise handling of permissions.
- Update `fsread.go` to utilize `CanAccessWithRoles`, ensuring accurate access validation based on user roles.
- Simplify import statements in `check.go` by removing unused packages to clean up the codebase.
* ✨ feat(fs): Improve visibility logic for hidden files
- Import `server/common` package to handle permissions more robustly
- Update `whetherHide` function to use `MergeRolePermissions` for user-specific path permissions
- Replace direct user checks with `HasPermission` for `PermSeeHides`
- Enhance logic to ensure `nil` user cases are handled explicitly
* 标签管理
* feat(db/auth/user): Enhance role handling and clean permission paths
- Comment out role modification checks in `server/handles/user.go` to allow flexible role changes.
- Improve permission path handling in `server/handles/auth.go` by normalizing and deduplicating paths.
- Introduce `addedPaths` map in `CurrentUser` to prevent duplicate permissions.
* feat(storage/db): Implement role permissions path prefix update
- Add `UpdateRolePermissionsPathPrefix` function in `role.go` to update role permissions paths.
- Modify `storage.go` to call the new function when the mount path is renamed.
- Introduce path cleaning and prefix matching logic for accurate path updates.
- Ensure roles are updated only if their permission scopes are modified.
- Handle potential errors with informative messages during database operations.
* feat(role-migration): Implement role conversion and introduce NEWGENERAL role
- Add `NEWGENERAL` to the roles enumeration in `user.go`
- Create new file `convert_role.go` for migrating legacy roles to new model
- Implement `ConvertLegacyRoles` function to handle role conversion with permission scopes
- Add `convert_role.go` patch to `all.go` under version `v3.46.0`
* feat(role/auth): Add role retrieval by user ID and update path prefixes
- Add `GetRolesByUserID` function for efficient role retrieval by user ID
- Implement `UpdateUserBasePathPrefix` to update user base paths
- Modify `UpdateRolePermissionsPathPrefix` to return modified role IDs
- Update `auth.go` middleware to use the new role retrieval function
- Refresh role and user caches upon path prefix updates to maintain consistency
---------
Co-authored-by: Leslie-Xy <540049476@qq.com>
2025-07-26 09:51:59 +08:00
role := g.Group("/role")
role.GET("/list", handles.ListRoles)
role.GET("/get", handles.GetRole)
role.POST("/create", handles.CreateRole)
role.POST("/update", handles.UpdateRole)
role.POST("/delete", handles.DeleteRole)
storage := g.Group("/storage")
storage.GET("/list", handles.ListStorages)
storage.GET("/get", handles.GetStorage)
storage.POST("/create", handles.CreateStorage)
storage.POST("/update", handles.UpdateStorage)
storage.POST("/delete", handles.DeleteStorage)
storage.POST("/enable", handles.EnableStorage)
storage.POST("/disable", handles.DisableStorage)
storage.POST("/load_all", handles.LoadAllStorages)
driver := g.Group("/driver")
driver.GET("/list", handles.ListDriverInfo)
driver.GET("/names", handles.ListDriverNames)
driver.GET("/info", handles.GetDriverInfo)
setting := g.Group("/setting")
setting.GET("/get", handles.GetSetting)
setting.GET("/list", handles.ListSettings)
setting.POST("/save", handles.SaveSettings)
setting.POST("/delete", handles.DeleteSetting)
setting.POST("/reset_token", handles.ResetToken)
setting.POST("/set_aria2", handles.SetAria2)
setting.POST("/set_qbit", handles.SetQbittorrent)
setting.POST("/set_transmission", handles.SetTransmission)
setting.POST("/set_115", handles.Set115)
setting.POST("/set_pikpak", handles.SetPikPak)
setting.POST("/set_thunder", handles.SetThunder)
// retain /admin/task API to ensure compatibility with legacy automation scripts
_task(g.Group("/task"))
ms := g.Group("/message")
ms.POST("/get", message.HttpInstance.GetHandle)
ms.POST("/send", message.HttpInstance.SendHandle)
index := g.Group("/index")
index.POST("/build", middlewares.SearchIndex, handles.BuildIndex)
index.POST("/update", middlewares.SearchIndex, handles.UpdateIndex)
index.POST("/stop", middlewares.SearchIndex, handles.StopIndex)
index.POST("/clear", middlewares.SearchIndex, handles.ClearIndex)
index.GET("/progress", middlewares.SearchIndex, handles.GetProgress)
feat: enhance permission control and label management (#9215)
* 标签管理
* pr检查优化
* feat(role): Implement role management functionality
- Add role management routes in `server/router.go` for listing, getting, creating, updating, and deleting roles
- Introduce `initRoles()` in `internal/bootstrap/data/data.go` for initializing roles during bootstrap
- Create `internal/op/role.go` to handle role operations including caching and singleflight
- Implement role handler functions in `server/handles/role.go` for API responses
- Define database operations for roles in `internal/db/role.go`
- Extend `internal/db/db.go` for role model auto-migration
- Design `internal/model/role.go` to represent role structure with ID, name, description, base path, and permissions
- Initialize default roles (`admin` and `guest`) in `internal/bootstrap/data/role.go` during startup
* refactor(user roles): Support multiple roles for users
- Change the `Role` field type from `int` to `[]int` in `drivers/alist_v3/types.go` and `drivers/quqi/types.go`.
- Update the `Role` field in `internal/model/user.go` to use a new `Roles` type with JSON and database support.
- Modify `IsGuest` and `IsAdmin` methods to check for roles using `Contains` method.
- Update `GetUserByRole` method in `internal/db/user.go` to handle multiple roles.
- Add `roles.go` to define a new `Roles` type with JSON marshalling and scanning capabilities.
- Adjust code in `server/handles/user.go` to compare roles with `utils.SliceEqual`.
- Change role initialization for users in `internal/bootstrap/data/dev.go` and `internal/bootstrap/data/user.go`.
- Update `Role` handling in `server/handles/task.go`, `server/handles/ssologin.go`, and `server/handles/ldap_login.go`.
* feat(user/role): Add path limit check for user and role permissions
- Add new permission bit for checking path limits in `user.go`
- Implement `CheckPathLimit` method in `User` struct to validate path access
- Modify `JoinPath` method in `User` to enforce path limit checks
- Update `role.go` to include path limit logic in `Role` struct
- Document new permission bit in `Role` and `User` comments for clarity
* feat(permission): Add role-based permission handling
- Introduce `role_perm.go` for managing user permissions based on roles.
- Implement `HasPermission` and `MergeRolePermissions` functions.
- Update `webdav.go` to utilize role-based permissions instead of direct user checks.
- Modify `fsup.go` to integrate `CanAccessWithRoles` function.
- Refactor `fsread.go` to use `common.HasPermission` for permission validation.
- Adjust `fsmanage.go` for role-based access control checks.
- Enhance `ftp.go` and `sftp.go` to manage FTP access via roles.
- Update `fsbatch.go` to employ `MergeRolePermissions` for batch operations.
- Replace direct user permission checks with role-based permission handling across various modules.
* refactor(user): Replace integer role values with role IDs
- Change `GetAdmin()` and `GetGuest()` functions to retrieve role by name and use role ID.
- Add patch for version `v3.45.2` to convert legacy integer roles to role IDs.
- Update `dev.go` and `user.go` to use role IDs instead of integer values for roles.
- Remove redundant code in `role.go` related to guest role creation.
- Modify `ssologin.go` and `ldap_login.go` to set user roles to nil instead of using integer roles.
- Introduce `convert_roles.go` to handle conversion of legacy roles and ensure role existence in the database.
* feat(role_perm): implement support for multiple base paths for roles
- Modify role permission checks to support multiple base paths
- Update role creation and update functions to handle multiple base paths
- Add migration script to convert old base_path to base_paths
- Define new Paths type for handling multiple paths in the model
- Adjust role model to replace BasePath with BasePaths
- Update existing patches to handle roles with multiple base paths
- Update bootstrap data to reflect the new base_paths field
* feat(role): Restrict modifications to default roles (admin and guest)
- Add validation to prevent changes to "admin" and "guest" roles in `UpdateRole` and `DeleteRole` functions.
- Introduce `ErrChangeDefaultRole` error in `internal/errs/role.go` to standardize error messaging.
- Update role-related API handlers in `server/handles/role.go` to enforce the new restriction.
- Enhance comments in `internal/bootstrap/data/role.go` to clarify the significance of default roles.
- Ensure consistent error responses for unauthorized role modifications across the application.
* 🔄 **refactor(role): Enhance role permission handling**
- Replaced `BasePaths` with `PermissionPaths` in `Role` struct for better permission granularity.
- Introduced JSON serialization for `PermissionPaths` using `RawPermission` field in `Role` struct.
- Implemented `BeforeSave` and `AfterFind` GORM hooks for handling `PermissionPaths` serialization.
- Refactored permission calculation logic in `role_perm.go` to work with `PermissionPaths`.
- Updated role creation logic to initialize `PermissionPaths` for `admin` and `guest` roles.
- Removed deprecated `CheckPathLimit` method from `Role` struct.
* fix(model/user/role): update permission settings for admin and role
- Change `RawPermission` field in `role.go` to hide JSON representation
- Update `Permission` field in `user.go` to `0xFFFF` for full access
- Modify `PermissionScopes` in `role.go` to `0xFFFF` for enhanced permissions
* 🔒 feat(role-permissions): Enhance role-based access control
- Introduce `canReadPathByRole` function in `role_perm.go` to verify path access based on user roles
- Modify `CanAccessWithRoles` to include role-based path read check
- Add `RoleNames` and `Permissions` to `UserResp` struct in `auth.go` for enhanced user role and permission details
- Implement role details aggregation in `auth.go` to populate `RoleNames` and `Permissions`
- Update `User` struct in `user.go` to include `RolesDetail` for more detailed role information
- Enhance middleware in `auth.go` to load and verify detailed role information for users
- Move `guest` user initialization logic in `user.go` to improve code organization and avoid repetition
* 🔒 fix(permissions): Add permission checks for archive operations
- Add `MergeRolePermissions` and `HasPermission` checks to validate user access for reading archives
- Ensure users have `PermReadArchives` before proceeding with `GetNearestMeta` in specific archive paths
- Implement permission checks for decompress operations, requiring `PermDecompress` for source paths
- Return `PermissionDenied` errors with 403 status if user lacks necessary permissions
* 🔒 fix(server): Add permission check for offline download
- Add permission merging logic for user roles
- Check user has permission for offline download addition
- Return error response with "permission denied" if check fails
* ✨ feat(role-permission): Implement path-based role permission checks
- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.
* ✨ feat(role-permission): Implement path-based role permission checks
- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.
* ♻️ refactor(access-control): Update access control logic to use role-based checks
- Remove deprecated logic from `CanAccess` function in `check.go`, replacing it with `CanAccessWithRoles` for improved role-based access control.
- Modify calls in `search.go` to use `CanAccessWithRoles` for more precise handling of permissions.
- Update `fsread.go` to utilize `CanAccessWithRoles`, ensuring accurate access validation based on user roles.
- Simplify import statements in `check.go` by removing unused packages to clean up the codebase.
* ✨ feat(fs): Improve visibility logic for hidden files
- Import `server/common` package to handle permissions more robustly
- Update `whetherHide` function to use `MergeRolePermissions` for user-specific path permissions
- Replace direct user checks with `HasPermission` for `PermSeeHides`
- Enhance logic to ensure `nil` user cases are handled explicitly
* 标签管理
* feat(db/auth/user): Enhance role handling and clean permission paths
- Comment out role modification checks in `server/handles/user.go` to allow flexible role changes.
- Improve permission path handling in `server/handles/auth.go` by normalizing and deduplicating paths.
- Introduce `addedPaths` map in `CurrentUser` to prevent duplicate permissions.
* feat(storage/db): Implement role permissions path prefix update
- Add `UpdateRolePermissionsPathPrefix` function in `role.go` to update role permissions paths.
- Modify `storage.go` to call the new function when the mount path is renamed.
- Introduce path cleaning and prefix matching logic for accurate path updates.
- Ensure roles are updated only if their permission scopes are modified.
- Handle potential errors with informative messages during database operations.
* feat(role-migration): Implement role conversion and introduce NEWGENERAL role
- Add `NEWGENERAL` to the roles enumeration in `user.go`
- Create new file `convert_role.go` for migrating legacy roles to new model
- Implement `ConvertLegacyRoles` function to handle role conversion with permission scopes
- Add `convert_role.go` patch to `all.go` under version `v3.46.0`
* feat(role/auth): Add role retrieval by user ID and update path prefixes
- Add `GetRolesByUserID` function for efficient role retrieval by user ID
- Implement `UpdateUserBasePathPrefix` to update user base paths
- Modify `UpdateRolePermissionsPathPrefix` to return modified role IDs
- Update `auth.go` middleware to use the new role retrieval function
- Refresh role and user caches upon path prefix updates to maintain consistency
---------
Co-authored-by: Leslie-Xy <540049476@qq.com>
2025-07-26 09:51:59 +08:00
label := g.Group("/label")
label.POST("/create", handles.CreateLabel)
label.POST("/update", handles.UpdateLabel)
label.POST("/delete", handles.DeleteLabel)
labelFileBinding := g.Group("/label_file_binding")
labelFileBinding.GET("/list", handles.ListLabelFileBinding)
labelFileBinding.POST("/create", handles.CreateLabelFileBinDing)
labelFileBinding.POST("/create_batch", handles.CreateLabelFileBinDingBatch)
labelFileBinding.POST("/delete", handles.DelLabelByFileName)
labelFileBinding.POST("/restore", handles.RestoreLabelFileBinding)
}
// _fs registers the file-system API routes on g.
//
// Within this function only /link carries an authorization middleware
// (middlewares.AuthAdmin), and only the two upload routes carry
// middlewares.FsUp plus the upload rate limiter. Every other route is
// registered with its handler alone.
// NOTE(review): access control for those routes has to come from middleware
// the caller installed on g, or from checks inside the handlers. Neither is
// visible here; confirm before adding or moving a route.
func _fs(g *gin.RouterGroup) {
	// Any registers the handler for every HTTP method gin routes, so the
	// method alone does not restrict these endpoints.
	g.Any("/list", handles.FsList)
	g.Any("/search", middlewares.SearchIndex, handles.Search)
	g.Any("/get", handles.FsGet)
	g.Any("/other", handles.FsOther)
	g.Any("/dirs", handles.FsDirs)

	// State-changing operations are POST-only and are registered in the
	// order listed.
	mutations := []struct {
		path    string
		handler gin.HandlerFunc
	}{
		{"/mkdir", handles.FsMkdir},
		{"/rename", handles.FsRename},
		{"/batch_rename", handles.FsBatchRename},
		{"/regex_rename", handles.FsRegexRename},
		{"/move", handles.FsMove},
		{"/recursive_move", handles.FsRecursiveMove},
		{"/copy", handles.FsCopy},
		{"/remove", handles.FsRemove},
		{"/remove_empty_directory", handles.FsRemoveEmptyDirectory},
	}
	for _, m := range mutations {
		g.POST(m.path, m.handler)
	}

	// Both upload routes share one limiter value. gin runs the chain left to
	// right, so FsUp executes before the limiter and the limiter before the
	// upload handler.
	limit := middlewares.UploadRateLimiter(stream.ClientUploadLimit)
	g.PUT("/put", middlewares.FsUp, limit, handles.FsStream)
	g.PUT("/form", middlewares.FsUp, limit, handles.FsForm)

	// The only route in this group that is restricted to administrators here.
	g.POST("/link", middlewares.AuthAdmin, handles.Link)

	// The per-tool endpoints /add_aria2, /add_qbit and /add_transmission are
	// disabled (their registrations were commented out); only the generic
	// offline-download endpoint is exposed.
	// NOTE(review): judging by its name this endpoint makes the server fetch
	// remote content; verify that the handler enforces who may call it.
	g.POST("/add_offline_download", handles.AddOfflineDownload)

	// Archive inspection answers any method; decompression is POST-only.
	archive := g.Group("/archive")
	archive.Any("/meta", handles.FsArchiveMeta)
	archive.Any("/list", handles.FsArchiveList)
	archive.POST("/decompress", handles.FsArchiveDecompress)
}
// _task mounts the task-management routes on g by delegating to
// handles.SetupTaskRoute. No middleware is added at this level; whatever
// protection these routes have comes from g or from SetupTaskRoute itself.
func _task(g *gin.RouterGroup) {
	handles.SetupTaskRoute(g)
}
// _label registers the GET-only label lookup routes on g.
//
// No middleware is attached here.
// NOTE(review): which callers may reach these routes depends on the group
// passed in by the caller, which is not visible in this function.
func _label(g *gin.RouterGroup) {
	const (
		listPath = "/list"
		getPath  = "/get"
	)
	g.GET(listPath, handles.ListLabel)
	g.GET(getPath, handles.GetLabel)
}
// _labelFileBinding registers the GET-only routes that look up label/file
// bindings: labels for a file name, and files for a label.
//
// No middleware is attached here.
// NOTE(review): access control depends on the group the caller passes in;
// confirm it matches the protection applied to the binding routes that
// modify data.
func _labelFileBinding(g *gin.RouterGroup) {
	const (
		byFileName = "/get"
		byLabel    = "/get_file_by_label"
	)
	g.GET(byFileName, handles.GetLabelByFileName)
	g.GET(byLabel, handles.GetFileByLabel)
}
// Cors installs the CORS middleware on r. It starts from the gin-contrib/cors
// defaults and replaces the allowed origins, headers and methods with the
// values from conf.Conf.Cors.
//
// The resulting policy is entirely operator-controlled. A "*" entry in the
// origin list lets scripts from any site read responses, so the configured
// list is the effective cross-origin boundary. AllowCredentials is not set in
// this function.
// NOTE(review): confirm the default value of conf.Conf.Cors.AllowOrigins and
// how cors.New reacts to an empty list.
func Cors(r *gin.Engine) {
	policy := cors.DefaultConfig()

	// AllowAllOrigins is not set here (that assignment is commented out);
	// the origin list comes from configuration instead.
	settings := conf.Conf.Cors
	policy.AllowOrigins = settings.AllowOrigins
	policy.AllowHeaders = settings.AllowHeaders
	policy.AllowMethods = settings.AllowMethods

	r.Use(cors.New(policy))
}
// InitS3 prepares the engine used for the S3 endpoint: it installs the CORS
// middleware via Cors and then mounts S3Server on the root group.
//
// No authentication middleware is attached here.
// NOTE(review): request authentication, if any, must happen inside S3Server,
// which is not visible in this function.
func InitS3(e *gin.Engine) {
	Cors(e)

	root := e.Group("/")
	S3Server(root)
}