fix: update default client ID and secret in baidu meta.go

cmd/common.go

@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_46_0"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -17,12 +16,6 @@ func Init() {
 	bootstrap.InitConfig()
 	bootstrap.Log()
 	bootstrap.InitDB()
-
-	if v3_46_0.IsLegacyRoleDetected() {
-		utils.Log.Warnf("Detected legacy role format, executing ConvertLegacyRoles patch early...")
-		v3_46_0.ConvertLegacyRoles()
-	}
-
 	data.InitData()
 	bootstrap.InitStreamLimit()
 	bootstrap.InitIndex()

drivers/123/util.go

@@ -161,12 +161,12 @@ func (d *Pan123) login() error {
 	}
 	res, err := base.RestyClient.R().
 		SetHeaders(map[string]string{
-			"origin":  "https://www.123pan.com",
-			"referer": "https://www.123pan.com/",
-			//"user-agent":  "Dart/2.19(dart:io)-alist",
+			"origin":      "https://www.123pan.com",
+			"referer":     "https://www.123pan.com/",
+			"user-agent":  "Dart/2.19(dart:io)-alist",
 			"platform":    "web",
 			"app-version": "3",
-			"user-agent":  base.UserAgent,
+			//"user-agent":  base.UserAgent,
 		}).
 		SetBody(body).Post(SignIn)
 	if err != nil {
@@ -202,7 +202,7 @@ do:
 		"origin":        "https://www.123pan.com",
 		"referer":       "https://www.123pan.com/",
 		"authorization": "Bearer " + d.AccessToken,
-		"user-agent":    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
+		"user-agent":    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) alist-client",
 		"platform":      "web",
 		"app-version":   "3",
 		//"user-agent":    base.UserAgent,

drivers/alist_v3/driver.go

@@ -56,7 +56,7 @@ func (d *AListV3) Init(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	if utils.SliceContains(resp.Data.Role, model.GUEST) {
+	if resp.Data.Role == model.GUEST {
 		u := d.Address + "/api/public/settings"
 		res, err := base.RestyClient.R().Get(u)
 		if err != nil {

drivers/alist_v3/types.go

@@ -76,7 +76,7 @@ type MeResp struct {
 	Username   string `json:"username"`
 	Password   string `json:"password"`
 	BasePath   string `json:"base_path"`
-	Role       []int  `json:"role"`
+	Role       int    `json:"role"`
 	Disabled   bool   `json:"disabled"`
 	Permission int    `json:"permission"`
 	SsoId      string `json:"sso_id"`

drivers/aliyundrive/driver.go

@@ -55,7 +55,7 @@ func (d *AliDrive) Init(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	d.DriveId = d.Addition.DeviceID
+	d.DriveId = utils.Json.Get(res, "default_drive_id").ToString()
 	d.UserID = utils.Json.Get(res, "user_id").ToString()
 	d.cron = cron.NewCron(time.Hour * 2)
 	d.cron.Do(func() {

drivers/aliyundrive/meta.go

@@ -7,8 +7,8 @@ import (
 
 type Addition struct {
 	driver.RootID
-	RefreshToken   string `json:"refresh_token" required:"true"`
-	DeviceID       string `json:"device_id" required:"true"`
+	RefreshToken string `json:"refresh_token" required:"true"`
+	//DeviceID       string `json:"device_id" required:"true"`
 	OrderBy        string `json:"order_by" type:"select" options:"name,size,updated_at,created_at"`
 	OrderDirection string `json:"order_direction" type:"select" options:"ASC,DESC"`
 	RapidUpload    bool   `json:"rapid_upload"`

drivers/baidu_netdisk/meta.go

@@ -11,8 +11,8 @@ type Addition struct {
 	OrderBy               string `json:"order_by" type:"select" options:"name,time,size" default:"name"`
 	OrderDirection        string `json:"order_direction" type:"select" options:"asc,desc" default:"asc"`
 	DownloadAPI           string `json:"download_api" type:"select" options:"official,crack,crack_video" default:"official"`
-	ClientID              string `json:"client_id" required:"true" default:"iYCeC9g08h5vuP9UqvPHKKSVrKFXGa1v"`
-	ClientSecret          string `json:"client_secret" required:"true" default:"jXiFMOPVPCWlO2M5CwWQzffpNPaGTRBG"`
+	ClientID              string `json:"client_id" required:"true" default:"hq9yQ9w9kR4YHj1kyYafLygVocobh7Sf"`
+	ClientSecret          string `json:"client_secret" required:"true" default:"YH2VpZcFJHYNnV6vLfHQXDBhcE7ZChyE"`
 	CustomCrackUA         string `json:"custom_crack_ua" required:"true" default:"netdisk"`
 	AccessToken           string
 	UploadThread          string `json:"upload_thread" default:"3" help:"1<=thread<=32"`

drivers/github_releases/driver.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-	"sync"
 
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
@@ -37,130 +36,88 @@ func (d *GithubReleases) Drop(ctx context.Context) error {
 	return nil
 }
 
-// processPoint 处理单个挂载点的文件列表
-func (d *GithubReleases) processPoint(point *MountPoint, path string, args model.ListArgs) []File {
-	var pointFiles []File
-
-	if !d.Addition.ShowAllVersion { // latest
-		point.RequestLatestRelease(d.GetRequest, args.Refresh)
-		pointFiles = d.processLatestVersion(point, path)
-	} else { // all version
-		point.RequestReleases(d.GetRequest, args.Refresh)
-		pointFiles = d.processAllVersions(point, path)
-	}
-
-	return pointFiles
-}
-
-// processLatestVersion 处理最新版本的逻辑
-func (d *GithubReleases) processLatestVersion(point *MountPoint, path string) []File {
-	var pointFiles []File
-
-	if point.Point == path { // 与仓库路径相同
-		pointFiles = append(pointFiles, point.GetLatestRelease()...)
-		if d.Addition.ShowReadme {
-			files := point.GetOtherFile(d.GetRequest, false)
-			pointFiles = append(pointFiles, files...)
-		}
-	} else if strings.HasPrefix(point.Point, path) { // 仓库目录的父目录
-		nextDir := GetNextDir(point.Point, path)
-		if nextDir != "" {
-			dirFile := File{
-				Path:     path + "/" + nextDir,
-				FileName: nextDir,
-				Size:     point.GetLatestSize(),
-				UpdateAt: point.Release.PublishedAt,
-				CreateAt: point.Release.CreatedAt,
-				Type:     "dir",
-				Url:      "",
-			}
-			pointFiles = append(pointFiles, dirFile)
-		}
-	}
-
-	return pointFiles
-}
-
-// processAllVersions 处理所有版本的逻辑
-func (d *GithubReleases) processAllVersions(point *MountPoint, path string) []File {
-	var pointFiles []File
-
-	if point.Point == path { // 与仓库路径相同
-		pointFiles = append(pointFiles, point.GetAllVersion()...)
-		if d.Addition.ShowReadme {
-			files := point.GetOtherFile(d.GetRequest, false)
-			pointFiles = append(pointFiles, files...)
-		}
-	} else if strings.HasPrefix(point.Point, path) { // 仓库目录的父目录
-		nextDir := GetNextDir(point.Point, path)
-		if nextDir != "" {
-			dirFile := File{
-				FileName: nextDir,
-				Path:     path + "/" + nextDir,
-				Size:     point.GetAllVersionSize(),
-				UpdateAt: (*point.Releases)[0].PublishedAt,
-				CreateAt: (*point.Releases)[0].CreatedAt,
-				Type:     "dir",
-				Url:      "",
-			}
-			pointFiles = append(pointFiles, dirFile)
-		}
-	} else if strings.HasPrefix(path, point.Point) { // 仓库目录的子目录
-		tagName := GetNextDir(path, point.Point)
-		if tagName != "" {
-			pointFiles = append(pointFiles, point.GetReleaseByTagName(tagName)...)
-		}
-	}
-
-	return pointFiles
-}
-
-// mergeFiles 合并文件列表，处理重复目录
-func (d *GithubReleases) mergeFiles(files *[]File, newFiles []File) {
-	for _, newFile := range newFiles {
-		if newFile.Type == "dir" {
-			hasSameDir := false
-			for index := range *files {
-				if (*files)[index].GetName() == newFile.GetName() && (*files)[index].Type == "dir" {
-					hasSameDir = true
-					(*files)[index].Size += newFile.Size
-					break
-				}
-			}
-			if !hasSameDir {
-				*files = append(*files, newFile)
-			}
-		} else {
-			*files = append(*files, newFile)
-		}
-	}
-}
-
 func (d *GithubReleases) List(ctx context.Context, dir model.Obj, args model.ListArgs) ([]model.Obj, error) {
 	files := make([]File, 0)
 	path := fmt.Sprintf("/%s", strings.Trim(dir.GetPath(), "/"))
 
-	if d.Addition.ConcurrentRequests && d.Addition.Token != "" { // 并发处理
-		var mu sync.Mutex
-		var wg sync.WaitGroup
+	for i := range d.points {
+		point := &d.points[i]
 
-		for i := range d.points {
-			wg.Add(1)
-			go func(point *MountPoint) {
-				defer wg.Done()
-				pointFiles := d.processPoint(point, path, args)
+		if !d.Addition.ShowAllVersion { // latest
+			point.RequestRelease(d.GetRequest, args.Refresh)
 
-				mu.Lock()
-				d.mergeFiles(&files, pointFiles)
-				mu.Unlock()
-			}(&d.points[i])
-		}
-		wg.Wait()
-	} else { // 串行处理
-		for i := range d.points {
-			point := &d.points[i]
-			pointFiles := d.processPoint(point, path, args)
-			d.mergeFiles(&files, pointFiles)
+			if point.Point == path { // 与仓库路径相同
+				files = append(files, point.GetLatestRelease()...)
+				if d.Addition.ShowReadme {
+					files = append(files, point.GetOtherFile(d.GetRequest, args.Refresh)...)
+				}
+			} else if strings.HasPrefix(point.Point, path) { // 仓库目录的父目录
+				nextDir := GetNextDir(point.Point, path)
+				if nextDir == "" {
+					continue
+				}
+
+				hasSameDir := false
+				for index := range files {
+					if files[index].GetName() == nextDir {
+						hasSameDir = true
+						files[index].Size += point.GetLatestSize()
+						break
+					}
+				}
+				if !hasSameDir {
+					files = append(files, File{
+						Path:     path + "/" + nextDir,
+						FileName: nextDir,
+						Size:     point.GetLatestSize(),
+						UpdateAt: point.Release.PublishedAt,
+						CreateAt: point.Release.CreatedAt,
+						Type:     "dir",
+						Url:      "",
+					})
+				}
+			}
+		} else { // all version
+			point.RequestReleases(d.GetRequest, args.Refresh)
+
+			if point.Point == path { // 与仓库路径相同
+				files = append(files, point.GetAllVersion()...)
+				if d.Addition.ShowReadme {
+					files = append(files, point.GetOtherFile(d.GetRequest, args.Refresh)...)
+				}
+			} else if strings.HasPrefix(point.Point, path) { // 仓库目录的父目录
+				nextDir := GetNextDir(point.Point, path)
+				if nextDir == "" {
+					continue
+				}
+
+				hasSameDir := false
+				for index := range files {
+					if files[index].GetName() == nextDir {
+						hasSameDir = true
+						files[index].Size += point.GetAllVersionSize()
+						break
+					}
+				}
+				if !hasSameDir {
+					files = append(files, File{
+						FileName: nextDir,
+						Path:     path + "/" + nextDir,
+						Size:     point.GetAllVersionSize(),
+						UpdateAt: (*point.Releases)[0].PublishedAt,
+						CreateAt: (*point.Releases)[0].CreatedAt,
+						Type:     "dir",
+						Url:      "",
+					})
+				}
+			} else if strings.HasPrefix(path, point.Point) { // 仓库目录的子目录
+				tagName := GetNextDir(path, point.Point)
+				if tagName == "" {
+					continue
+				}
+
+				files = append(files, point.GetReleaseByTagName(tagName)...)
+			}
 		}
 	}
 

drivers/github_releases/meta.go

@@ -7,12 +7,11 @@ import (
 
 type Addition struct {
 	driver.RootID
-	RepoStructure      string `json:"repo_structure" type:"text" required:"true" default:"alistGo/alist" help:"structure:[path:]org/repo"`
-	ShowReadme         bool   `json:"show_readme" type:"bool" default:"true" help:"show README、LICENSE file"`
-	Token              string `json:"token" type:"string" required:"false" help:"GitHub token, if you want to access private repositories or increase the rate limit"`
-	ShowAllVersion     bool   `json:"show_all_version" type:"bool" default:"false" help:"show all versions"`
-	ConcurrentRequests bool   `json:"concurrent_requests" type:"bool" default:"false" help:"To concurrently request the GitHub API, you must enter a GitHub token"`
-	GitHubProxy        string `json:"gh_proxy" type:"string" default:"" help:"GitHub proxy, e.g. https://ghproxy.net/github.com or https://gh-proxy.com/github.com "`
+	RepoStructure  string `json:"repo_structure" type:"text" required:"true" default:"alistGo/alist" help:"structure:[path:]org/repo"`
+	ShowReadme     bool   `json:"show_readme" type:"bool" default:"true" help:"show README、LICENSE file"`
+	Token          string `json:"token" type:"string" required:"false" help:"GitHub token, if you want to access private repositories or increase the rate limit"`
+	ShowAllVersion bool   `json:"show_all_version" type:"bool" default:"false" help:"show all versions"`
+	GitHubProxy    string `json:"gh_proxy" type:"string" default:"" help:"GitHub proxy, e.g. https://ghproxy.net/github.com or https://gh-proxy.com/github.com "`
 }
 
 var config = driver.Config{

drivers/github_releases/types.go

@@ -18,7 +18,7 @@ type MountPoint struct {
 }
 
 // 请求最新版本
-func (m *MountPoint) RequestLatestRelease(get func(url string) (*resty.Response, error), refresh bool) {
+func (m *MountPoint) RequestRelease(get func(url string) (*resty.Response, error), refresh bool) {
 	if m.Repo == "" {
 		return
 	}

drivers/github_releases/util.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 
 	"github.com/alist-org/alist/v3/drivers/base"
-	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-resty/resty/v2"
+	log "github.com/sirupsen/logrus"
 )
 
 // 发送 GET 请求
@@ -23,7 +23,7 @@ func (d *GithubReleases) GetRequest(url string) (*resty.Response, error) {
 		return nil, err
 	}
 	if res.StatusCode() != 200 {
-		utils.Log.Warnf("failed to get request: %s %d %s", url, res.StatusCode(), res.String())
+		log.Warn("failed to get request: ", res.StatusCode(), res.String())
 	}
 	return res, nil
 }

drivers/quqi/types.go

@@ -83,7 +83,7 @@ type Group struct {
 	Type            int    `json:"type"`
 	Name            string `json:"name"`
 	IsAdministrator int    `json:"is_administrator"`
-	Role            []int  `json:"role"`
+	Role            int    `json:"role"`
 	Avatar          string `json:"avatar_url"`
 	IsStick         int    `json:"is_stick"`
 	Nickname        string `json:"nickname"`

internal/bootstrap/data/data.go

@@ -3,7 +3,6 @@ package data
 import "github.com/alist-org/alist/v3/cmd/flags"
 
 func InitData() {
-	initRoles()
 	initUser()
 	initSettings()
 	initTasks()

internal/bootstrap/data/dev.go

@@ -26,7 +26,7 @@ func initDevData() {
 		Username:   "Noah",
 		Password:   "hsu",
 		BasePath:   "/data",
-		Role:       nil,
+		Role:       0,
 		Permission: 512,
 	})
 	if err != nil {

internal/bootstrap/data/role.go

@@ -1,52 +0,0 @@
-package data
-
-// initRoles creates the default admin and guest roles if missing.
-// These roles are essential and must not be modified or removed.
-
-import (
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/pkg/utils"
-	"github.com/pkg/errors"
-	"gorm.io/gorm"
-)
-
-func initRoles() {
-	guestRole, err := op.GetRoleByName("guest")
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			guestRole = &model.Role{
-				ID:          uint(model.GUEST),
-				Name:        "guest",
-				Description: "Guest",
-				PermissionScopes: []model.PermissionEntry{
-					{Path: "/", Permission: 0},
-				},
-			}
-			if err := op.CreateRole(guestRole); err != nil {
-				utils.Log.Fatalf("[init role] Failed to create guest role: %v", err)
-			}
-		} else {
-			utils.Log.Fatalf("[init role] Failed to get guest role: %v", err)
-		}
-	}
-
-	_, err = op.GetRoleByName("admin")
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			adminRole := &model.Role{
-				ID:          uint(model.ADMIN),
-				Name:        "admin",
-				Description: "Administrator",
-				PermissionScopes: []model.PermissionEntry{
-					{Path: "/", Permission: 0xFFFF},
-				},
-			}
-			if err := op.CreateRole(adminRole); err != nil {
-				utils.Log.Fatalf("[init role] Failed to create admin role: %v", err)
-			}
-		} else {
-			utils.Log.Fatalf("[init role] Failed to get admin role: %v", err)
-		}
-	}
-}

internal/bootstrap/data/user.go

@@ -1,10 +1,10 @@
 package data
 
 import (
-	"github.com/alist-org/alist/v3/internal/db"
 	"os"
 
 	"github.com/alist-org/alist/v3/cmd/flags"
+	"github.com/alist-org/alist/v3/internal/db"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
@@ -14,16 +14,45 @@ import (
 )
 
 func initUser() {
+	admin, err := op.GetAdmin()
+	adminPassword := random.String(8)
+	envpass := os.Getenv("ALIST_ADMIN_PASSWORD")
+	if flags.Dev {
+		adminPassword = "admin"
+	} else if len(envpass) > 0 {
+		adminPassword = envpass
+	}
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			salt := random.String(16)
+			admin = &model.User{
+				Username: "admin",
+				Salt:     salt,
+				PwdHash:  model.TwoHashPwd(adminPassword, salt),
+				Role:     model.ADMIN,
+				BasePath: "/",
+				Authn:    "[]",
+				// 0(can see hidden) - 7(can remove) & 12(can read archives) - 13(can decompress archives)
+				Permission: 0x30FF,
+			}
+			if err := op.CreateUser(admin); err != nil {
+				panic(err)
+			} else {
+				utils.Log.Infof("Successfully created the admin user and the initial password is: %s", adminPassword)
+			}
+		} else {
+			utils.Log.Fatalf("[init user] Failed to get admin user: %v", err)
+		}
+	}
 	guest, err := op.GetGuest()
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			salt := random.String(16)
-			guestRole, _ := op.GetRoleByName("guest")
 			guest = &model.User{
 				Username:   "guest",
 				PwdHash:    model.TwoHashPwd("guest", salt),
 				Salt:       salt,
-				Role:       model.Roles{int(guestRole.ID)},
+				Role:       model.GUEST,
 				BasePath:   "/",
 				Permission: 0,
 				Disabled:   true,
@@ -36,35 +65,4 @@ func initUser() {
 			utils.Log.Fatalf("[init user] Failed to get guest user: %v", err)
 		}
 	}
-	admin, err := op.GetAdmin()
-	adminPassword := random.String(8)
-	envpass := os.Getenv("ALIST_ADMIN_PASSWORD")
-	if flags.Dev {
-		adminPassword = "admin"
-	} else if len(envpass) > 0 {
-		adminPassword = envpass
-	}
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			salt := random.String(16)
-			adminRole, _ := op.GetRoleByName("admin")
-			admin = &model.User{
-				Username: "admin",
-				Salt:     salt,
-				PwdHash:  model.TwoHashPwd(adminPassword, salt),
-				Role:     model.Roles{int(adminRole.ID)},
-				BasePath: "/",
-				Authn:    "[]",
-				// 0(can see hidden) - 7(can remove) & 12(can read archives) - 13(can decompress archives)
-				Permission: 0xFFFF,
-			}
-			if err := op.CreateUser(admin); err != nil {
-				panic(err)
-			} else {
-				utils.Log.Infof("Successfully created the admin user and the initial password is: %s", adminPassword)
-			}
-		} else {
-			utils.Log.Fatalf("[init user] Failed to get admin user: %v", err)
-		}
-	}
 }

internal/bootstrap/patch/all.go

@@ -4,7 +4,6 @@ import (
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_24_0"
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_32_0"
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_41_0"
-	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_46_0"
 )
 
 type VersionPatches struct {
@@ -33,10 +32,4 @@ var UpgradePatches = []VersionPatches{
 			v3_41_0.GrantAdminPermissions,
 		},
 	},
-	{
-		Version: "v3.46.0",
-		Patches: []func(){
-			v3_46_0.ConvertLegacyRoles,
-		},
-	},
 }

internal/bootstrap/patch/v3_46_0/convert_role.go

@@ -1,186 +0,0 @@
-package v3_46_0
-
-import (
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"github.com/alist-org/alist/v3/internal/conf"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/pkg/utils"
-	"gorm.io/gorm"
-)
-
-// ConvertLegacyRoles migrates old integer role values to a new role model with permission scopes.
-func ConvertLegacyRoles() {
-	guestRole, err := op.GetRoleByName("guest")
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			guestRole = &model.Role{
-				ID:          uint(model.GUEST),
-				Name:        "guest",
-				Description: "Guest",
-				PermissionScopes: []model.PermissionEntry{
-					{
-						Path:       "/",
-						Permission: 0,
-					},
-				},
-			}
-			if err = op.CreateRole(guestRole); err != nil {
-				utils.Log.Errorf("[convert roles] failed to create guest role: %v", err)
-				return
-			}
-		} else {
-			utils.Log.Errorf("[convert roles] failed to get guest role: %v", err)
-			return
-		}
-	}
-
-	adminRole, err := op.GetRoleByName("admin")
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			adminRole = &model.Role{
-				ID:          uint(model.ADMIN),
-				Name:        "admin",
-				Description: "Administrator",
-				PermissionScopes: []model.PermissionEntry{
-					{
-						Path:       "/",
-						Permission: 0x33FF,
-					},
-				},
-			}
-			if err = op.CreateRole(adminRole); err != nil {
-				utils.Log.Errorf("[convert roles] failed to create admin role: %v", err)
-				return
-			}
-		} else {
-			utils.Log.Errorf("[convert roles] failed to get admin role: %v", err)
-			return
-		}
-	}
-
-	generalRole, err := op.GetRoleByName("general")
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			generalRole = &model.Role{
-				ID:          uint(model.NEWGENERAL),
-				Name:        "general",
-				Description: "General User",
-				PermissionScopes: []model.PermissionEntry{
-					{
-						Path:       "/",
-						Permission: 0,
-					},
-				},
-			}
-			if err = op.CreateRole(generalRole); err != nil {
-				utils.Log.Errorf("[convert roles] failed create general role: %v", err)
-				return
-			}
-		} else {
-			utils.Log.Errorf("[convert roles] failed get general role: %v", err)
-			return
-		}
-	}
-
-	rawDb := db.GetDb()
-	table := conf.Conf.Database.TablePrefix + "users"
-	rows, err := rawDb.Table(table).Select("id, username, role").Rows()
-	if err != nil {
-		utils.Log.Errorf("[convert roles] failed to get users: %v", err)
-		return
-	}
-	defer rows.Close()
-
-	var updatedCount int
-	for rows.Next() {
-		var id uint
-		var username string
-		var rawRole []byte
-
-		if err := rows.Scan(&id, &username, &rawRole); err != nil {
-			utils.Log.Warnf("[convert roles] skip user scan err: %v", err)
-			continue
-		}
-
-		utils.Log.Debugf("[convert roles] user: %s raw role: %s", username, string(rawRole))
-
-		if len(rawRole) == 0 {
-			continue
-		}
-
-		var oldRoles []int
-		wasSingleInt := false
-		if err := json.Unmarshal(rawRole, &oldRoles); err != nil {
-			var single int
-			if err := json.Unmarshal(rawRole, &single); err != nil {
-				utils.Log.Warnf("[convert roles] user %s has invalid role: %s", username, string(rawRole))
-				continue
-			}
-			oldRoles = []int{single}
-			wasSingleInt = true
-		}
-
-		var newRoles model.Roles
-		for _, r := range oldRoles {
-			switch r {
-			case model.ADMIN:
-				newRoles = append(newRoles, int(adminRole.ID))
-			case model.GUEST:
-				newRoles = append(newRoles, int(guestRole.ID))
-			case model.GENERAL:
-				newRoles = append(newRoles, int(generalRole.ID))
-			default:
-				newRoles = append(newRoles, r)
-			}
-		}
-
-		if wasSingleInt {
-			err := rawDb.Table(table).Where("id = ?", id).Update("role", newRoles).Error
-			if err != nil {
-				utils.Log.Errorf("[convert roles] failed to update user %s: %v", username, err)
-			} else {
-				updatedCount++
-				utils.Log.Infof("[convert roles] updated user %s: %v → %v", username, oldRoles, newRoles)
-			}
-		}
-	}
-
-	utils.Log.Infof("[convert roles] completed role conversion for %d users", updatedCount)
-}
-
-func IsLegacyRoleDetected() bool {
-	rawDb := db.GetDb()
-	table := conf.Conf.Database.TablePrefix + "users"
-	rows, err := rawDb.Table(table).Select("role").Rows()
-	if err != nil {
-		utils.Log.Errorf("[role check] failed to scan user roles: %v", err)
-		return false
-	}
-	defer rows.Close()
-
-	for rows.Next() {
-		var raw sql.RawBytes
-		if err := rows.Scan(&raw); err != nil {
-			continue
-		}
-		if len(raw) == 0 {
-			continue
-		}
-
-		var roles []int
-		if err := json.Unmarshal(raw, &roles); err == nil {
-			continue
-		}
-
-		var single int
-		if err := json.Unmarshal(raw, &single); err == nil {
-			utils.Log.Infof("[role check] detected legacy int role: %d", single)
-			return true
-		}
-	}
-	return false
-}

internal/db/db.go

@@ -12,7 +12,7 @@ var db *gorm.DB
 
 func Init(d *gorm.DB) {
 	db = d
-	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinDing), new(model.ObjFile))
+	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey))
 	if err != nil {
 		log.Fatalf("failed migrate database: %s", err.Error())
 	}

internal/db/label.go

@@ -1,79 +0,0 @@
-package db
-
-import (
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/pkg/errors"
-	"gorm.io/gorm"
-	"time"
-)
-
-// GetLabels Get all label from database order by id
-func GetLabels(pageIndex, pageSize int) ([]model.Label, int64, error) {
-	labelDB := db.Model(&model.Label{})
-	var count int64
-	if err := labelDB.Count(&count).Error; err != nil {
-		return nil, 0, errors.Wrapf(err, "failed get label count")
-	}
-	var labels []model.Label
-	if err := labelDB.Order(columnName("id")).Offset((pageIndex - 1) * pageSize).Limit(pageSize).Find(&labels).Error; err != nil {
-		return nil, 0, errors.WithStack(err)
-	}
-	return labels, count, nil
-}
-
-// GetLabelById Get Label by id, used to update label usually
-func GetLabelById(id uint) (*model.Label, error) {
-	var label model.Label
-	label.ID = id
-	if err := db.First(&label).Error; err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return &label, nil
-}
-
-// CreateLabel just insert label to database
-func CreateLabel(label model.Label) (uint, error) {
-	label.CreateTime = time.Now()
-	err := errors.WithStack(db.Create(&label).Error)
-	if err != nil {
-		return label.ID, errors.WithMessage(err, "failed create label in database")
-	}
-	return label.ID, nil
-}
-
-// UpdateLabel just update storage in database
-func UpdateLabel(label *model.Label) (*model.Label, error) {
-	label.CreateTime = time.Now()
-	_, err := GetLabelById(label.ID)
-	if err != nil {
-		return nil, errors.WithMessage(err, "failed get old label")
-	}
-	err = errors.WithStack(db.Save(label).Error)
-	if err != nil {
-		return nil, errors.WithMessage(err, "failed create label in database")
-	}
-	return label, nil
-}
-
-// DeleteLabelById just delete label from database by id
-func DeleteLabelById(id uint) error {
-	return errors.WithStack(db.Delete(&model.Label{}, id).Error)
-}
-
-// GetLabelByIds Get label from database order by ids
-func GetLabelByIds(ids []uint) ([]model.Label, error) {
-	labelDB := db.Model(&model.Label{})
-	var labels []model.Label
-	if err := labelDB.Where(ids).Find(&labels).Error; err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return labels, nil
-}
-
-// GetLabelByName Get Label by name
-func GetLabelByName(name string) bool {
-	var label model.Label
-	result := db.Where("name = ?", name).First(&label)
-	exists := !errors.Is(result.Error, gorm.ErrRecordNotFound)
-	return exists
-}

internal/db/label_file_binding.go

@@ -1,56 +0,0 @@
-package db
-
-import (
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/pkg/errors"
-	"gorm.io/gorm"
-	"time"
-)
-
-// GetLabelIds Get all label_ids from database order by file_name
-func GetLabelIds(userId uint, fileName string) ([]uint, error) {
-	labelFileBinDingDB := db.Model(&model.LabelFileBinDing{})
-	var labelIds []uint
-	if err := labelFileBinDingDB.Where("file_name = ?", fileName).Where("user_id = ?", userId).Pluck("label_id", &labelIds).Error; err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return labelIds, nil
-}
-
-func CreateLabelFileBinDing(fileName string, labelId, userId uint) error {
-	var labelFileBinDing model.LabelFileBinDing
-	labelFileBinDing.UserId = userId
-	labelFileBinDing.LabelId = labelId
-	labelFileBinDing.FileName = fileName
-	labelFileBinDing.CreateTime = time.Now()
-	err := errors.WithStack(db.Create(&labelFileBinDing).Error)
-	if err != nil {
-		return errors.WithMessage(err, "failed create label in database")
-	}
-	return nil
-}
-
-// GetLabelFileBinDingByLabelIdExists Get Label by label_id, used to del label usually
-func GetLabelFileBinDingByLabelIdExists(labelId, userId uint) bool {
-	var labelFileBinDing model.LabelFileBinDing
-	result := db.Where("label_id = ?", labelId).Where("user_id = ?", userId).First(&labelFileBinDing)
-	exists := !errors.Is(result.Error, gorm.ErrRecordNotFound)
-	return exists
-}
-
-// DelLabelFileBinDingByFileName used to del usually
-func DelLabelFileBinDingByFileName(userId uint, fileName string) error {
-	return errors.WithStack(db.Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinDing{}).Error)
-}
-
-// DelLabelFileBinDingById used to del usually
-func DelLabelFileBinDingById(labelId, userId uint, fileName string) error {
-	return errors.WithStack(db.Where("label_id = ?", labelId).Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinDing{}).Error)
-}
-
-func GetLabelFileBinDingByLabelId(labelIds []uint, userId uint) (result []model.LabelFileBinDing, err error) {
-	if err := db.Where("label_id in (?)", labelIds).Where("user_id = ?", userId).Find(&result).Error; err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return result, nil
-}

internal/db/obj_file.go

@@ -1,31 +0,0 @@
-package db
-
-import (
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/pkg/errors"
-	"gorm.io/gorm"
-)
-
-// GetFileByNameExists Get file by name
-func GetFileByNameExists(name string) bool {
-	var label model.ObjFile
-	result := db.Where("name = ?", name).First(&label)
-	exists := !errors.Is(result.Error, gorm.ErrRecordNotFound)
-	return exists
-}
-
-// GetFileByName Get file by name
-func GetFileByName(name string, userId uint) (objFile model.ObjFile, err error) {
-	if err = db.Where("name = ?", name).Where("user_id = ?", userId).First(&objFile).Error; err != nil {
-		return objFile, errors.WithStack(err)
-	}
-	return objFile, nil
-}
-
-func CreateObjFile(obj model.ObjFile) error {
-	err := errors.WithStack(db.Create(&obj).Error)
-	if err != nil {
-		return errors.WithMessage(err, "failed create file in database")
-	}
-	return nil
-}

internal/db/role.go

@@ -1,79 +0,0 @@
-package db
-
-import (
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/pkg/errors"
-	"path"
-	"strings"
-)
-
-func GetRole(id uint) (*model.Role, error) {
-	var r model.Role
-	if err := db.First(&r, id).Error; err != nil {
-		return nil, errors.Wrapf(err, "failed get role")
-	}
-	return &r, nil
-}
-
-func GetRoleByName(name string) (*model.Role, error) {
-	r := model.Role{Name: name}
-	if err := db.Where(r).First(&r).Error; err != nil {
-		return nil, errors.Wrapf(err, "failed get role")
-	}
-	return &r, nil
-}
-
-func GetRoles(pageIndex, pageSize int) (roles []model.Role, count int64, err error) {
-	roleDB := db.Model(&model.Role{})
-	if err = roleDB.Count(&count).Error; err != nil {
-		return nil, 0, errors.Wrapf(err, "failed get roles count")
-	}
-	if err = roleDB.Order(columnName("id")).Offset((pageIndex - 1) * pageSize).Limit(pageSize).Find(&roles).Error; err != nil {
-		return nil, 0, errors.Wrapf(err, "failed get find roles")
-	}
-	return roles, count, nil
-}
-
-func CreateRole(r *model.Role) error {
-	return errors.WithStack(db.Create(r).Error)
-}
-
-func UpdateRole(r *model.Role) error {
-	return errors.WithStack(db.Save(r).Error)
-}
-
-func DeleteRole(id uint) error {
-	return errors.WithStack(db.Delete(&model.Role{}, id).Error)
-}
-
-func UpdateRolePermissionsPathPrefix(oldPath, newPath string) ([]uint, error) {
-	var roles []model.Role
-	var modifiedRoleIDs []uint
-
-	if err := db.Find(&roles).Error; err != nil {
-		return nil, errors.WithMessage(err, "failed to load roles")
-	}
-
-	for _, role := range roles {
-		updated := false
-		for i, entry := range role.PermissionScopes {
-			entryPath := path.Clean(entry.Path)
-			oldPathClean := path.Clean(oldPath)
-
-			if entryPath == oldPathClean {
-				role.PermissionScopes[i].Path = newPath
-				updated = true
-			} else if strings.HasPrefix(entryPath, oldPathClean+"/") {
-				role.PermissionScopes[i].Path = newPath + entryPath[len(oldPathClean):]
-				updated = true
-			}
-		}
-		if updated {
-			if err := UpdateRole(&role); err != nil {
-				return nil, errors.WithMessagef(err, "failed to update role ID %d", role.ID)
-			}
-			modifiedRoleIDs = append(modifiedRoleIDs, role.ID)
-		}
-	}
-	return modifiedRoleIDs, nil
-}

internal/db/user.go

@@ -2,26 +2,19 @@ package db
 
 import (
 	"encoding/base64"
+
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/pkg/errors"
-	"gorm.io/gorm"
-	"path"
-	"strings"
 )
 
 func GetUserByRole(role int) (*model.User, error) {
-	var users []model.User
-	if err := db.Find(&users).Error; err != nil {
+	user := model.User{Role: role}
+	if err := db.Where(user).Take(&user).Error; err != nil {
 		return nil, err
 	}
-	for i := range users {
-		if users[i].Role.Contains(role) {
-			return &users[i], nil
-		}
-	}
-	return nil, gorm.ErrRecordNotFound
+	return &user, nil
 }
 
 func GetUserByName(username string) (*model.User, error) {
@@ -107,36 +100,3 @@ func RemoveAuthn(u *model.User, id string) error {
 	}
 	return UpdateAuthn(u.ID, string(res))
 }
-
-func UpdateUserBasePathPrefix(oldPath, newPath string) ([]string, error) {
-	var users []model.User
-	var modifiedUsernames []string
-
-	if err := db.Find(&users).Error; err != nil {
-		return nil, errors.WithMessage(err, "failed to load users")
-	}
-
-	oldPathClean := path.Clean(oldPath)
-
-	for _, user := range users {
-		basePath := path.Clean(user.BasePath)
-		updated := false
-
-		if basePath == oldPathClean {
-			user.BasePath = newPath
-			updated = true
-		} else if strings.HasPrefix(basePath, oldPathClean+"/") {
-			user.BasePath = newPath + basePath[len(oldPathClean):]
-			updated = true
-		}
-
-		if updated {
-			if err := UpdateUser(&user); err != nil {
-				return nil, errors.WithMessagef(err, "failed to update user ID %d", user.ID)
-			}
-			modifiedUsernames = append(modifiedUsernames, user.Username)
-		}
-	}
-
-	return modifiedUsernames, nil
-}

internal/errs/role.go

@@ -1,7 +0,0 @@
-package errs
-
-import "errors"
-
-var (
-	ErrChangeDefaultRole = errors.New("cannot modify admin or guest role")
-)

internal/fs/list.go

@@ -6,7 +6,6 @@ import (
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
-	"github.com/alist-org/alist/v3/server/common"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 )
@@ -46,13 +45,8 @@ func list(ctx context.Context, path string, args *ListArgs) ([]model.Obj, error)
 }
 
 func whetherHide(user *model.User, meta *model.Meta, path string) bool {
-	// if user is nil, don't hide
-	if user == nil {
-		return false
-	}
-	perm := common.MergeRolePermissions(user, path)
-	// if user has see-hides permission, don't hide
-	if common.HasPermission(perm, common.PermSeeHides) {
+	// if is admin, don't hide
+	if user == nil || user.CanSeeHides() {
 		return false
 	}
 	// if meta is nil, don't hide

internal/model/label.go

@@ -1,12 +0,0 @@
-package model
-
-import "time"
-
-type Label struct {
-	ID          uint      `json:"id" gorm:"primaryKey"` // unique key
-	Type        int       `json:"type"`                 // use to type
-	Name        string    `json:"name"`                 // use to name
-	Description string    `json:"description"`          // use to description
-	BgColor     string    `json:"bg_color"`             // use to bg_color
-	CreateTime  time.Time `json:"create_time"`
-}

internal/model/label_file_binding.go

@@ -1,11 +0,0 @@
-package model
-
-import "time"
-
-type LabelFileBinDing struct {
-	ID         uint      `json:"id" gorm:"primaryKey"` // unique key
-	UserId     uint      `json:"user_id"`              // use to user_id
-	LabelId    uint      `json:"label_id"`             // use to label_id
-	FileName   string    `json:"file_name"`            // use to file_name
-	CreateTime time.Time `json:"create_time"`
-}

internal/model/obj_file.go

@@ -1,18 +0,0 @@
-package model
-
-import "time"
-
-type ObjFile struct {
-	Id          string    `json:"id"`
-	UserId      uint      `json:"user_id"`
-	Path        string    `json:"path"`
-	Name        string    `json:"name"`
-	Size        int64     `json:"size"`
-	IsDir       bool      `json:"is_dir"`
-	Modified    time.Time `json:"modified"`
-	Created     time.Time `json:"created"`
-	Sign        string    `json:"sign"`
-	Thumb       string    `json:"thumb"`
-	Type        int       `json:"type"`
-	HashInfoStr string    `json:"hashinfo"`
-}

internal/model/paths.go

@@ -1,27 +0,0 @@
-package model
-
-import (
-	"database/sql/driver"
-	"encoding/json"
-	"fmt"
-)
-
-type Paths []string
-
-func (p Paths) Value() (driver.Value, error) {
-	return json.Marshal([]string(p))
-}
-
-func (p *Paths) Scan(value interface{}) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, (*[]string)(p))
-	case string:
-		return json.Unmarshal([]byte(v), (*[]string)(p))
-	case nil:
-		*p = nil
-		return nil
-	default:
-		return fmt.Errorf("cannot scan %T", value)
-	}
-}

internal/model/role.go

@@ -1,52 +0,0 @@
-package model
-
-import (
-	"encoding/json"
-
-	"gorm.io/gorm"
-)
-
-// PermissionEntry defines permission bitmask for a specific path.
-type PermissionEntry struct {
-	Path       string `json:"path"`       // path prefix, e.g. "/admin"
-	Permission int32  `json:"permission"` // bitmask permissions
-}
-
-// Role represents a permission template which can be bound to users.
-type Role struct {
-	ID          uint   `json:"id" gorm:"primaryKey"`
-	Name        string `json:"name" gorm:"unique" binding:"required"`
-	Description string `json:"description"`
-	// PermissionScopes stores structured permission list and is ignored by gorm.
-	PermissionScopes []PermissionEntry `json:"permission_scopes" gorm:"-"`
-	// RawPermission is the JSON representation of PermissionScopes stored in DB.
-	RawPermission string `json:"-" gorm:"type:text"`
-}
-
-// BeforeSave GORM hook serializes PermissionScopes into RawPermission.
-func (r *Role) BeforeSave(tx *gorm.DB) error {
-	if len(r.PermissionScopes) == 0 {
-		r.RawPermission = ""
-		return nil
-	}
-	bs, err := json.Marshal(r.PermissionScopes)
-	if err != nil {
-		return err
-	}
-	r.RawPermission = string(bs)
-	return nil
-}
-
-// AfterFind GORM hook deserializes RawPermission into PermissionScopes.
-func (r *Role) AfterFind(tx *gorm.DB) error {
-	if r.RawPermission == "" {
-		r.PermissionScopes = nil
-		return nil
-	}
-	var scopes []PermissionEntry
-	if err := json.Unmarshal([]byte(r.RawPermission), &scopes); err != nil {
-		return err
-	}
-	r.PermissionScopes = scopes
-	return nil
-}

internal/model/roles.go

@@ -1,36 +0,0 @@
-package model
-
-import (
-	"database/sql/driver"
-	"encoding/json"
-	"fmt"
-)
-
-type Roles []int
-
-func (r Roles) Value() (driver.Value, error) {
-	return json.Marshal([]int(r))
-}
-
-func (r *Roles) Scan(value interface{}) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, (*[]int)(r))
-	case string:
-		return json.Unmarshal([]byte(v), (*[]int)(r))
-	case nil:
-		*r = nil
-		return nil
-	default:
-		return fmt.Errorf("cannot scan %T", value)
-	}
-}
-
-func (r Roles) Contains(role int) bool {
-	for _, v := range r {
-		if v == role {
-			return true
-		}
-	}
-	return false
-}

internal/model/user.go

@@ -17,22 +17,20 @@ const (
 	GENERAL = iota
 	GUEST   // only one exists
 	ADMIN
-	NEWGENERAL
 )
 
 const StaticHashSalt = "https://github.com/alist-org/alist"
 
 type User struct {
-	ID          uint   `json:"id" gorm:"primaryKey"`                      // unique key
-	Username    string `json:"username" gorm:"unique" binding:"required"` // username
-	PwdHash     string `json:"-"`                                         // password hash
-	PwdTS       int64  `json:"-"`                                         // password timestamp
-	Salt        string `json:"-"`                                         // unique salt
-	Password    string `json:"password"`                                  // password
-	BasePath    string `json:"base_path"`                                 // base path
-	Role        Roles  `json:"role" gorm:"type:text"`                     // user's roles
-	RolesDetail []Role `json:"-" gorm:"-"`
-	Disabled    bool   `json:"disabled"`
+	ID       uint   `json:"id" gorm:"primaryKey"`                      // unique key
+	Username string `json:"username" gorm:"unique" binding:"required"` // username
+	PwdHash  string `json:"-"`                                         // password hash
+	PwdTS    int64  `json:"-"`                                         // password timestamp
+	Salt     string `json:"-"`                                         // unique salt
+	Password string `json:"password"`                                  // password
+	BasePath string `json:"base_path"`                                 // base path
+	Role     int    `json:"role"`                                      // user's role
+	Disabled bool   `json:"disabled"`
 	// Determine permissions by bit
 	//   0:  can see hidden files
 	//   1:  can access without password
@@ -48,7 +46,6 @@ type User struct {
 	//   11: ftp/sftp write
 	//   12: can read archives
 	//   13: can decompress archives
-	//   14: check path limit
 	Permission int32  `json:"permission"`
 	OtpSecret  string `json:"-"`
 	SsoID      string `json:"sso_id"` // unique by sso platform
@@ -56,11 +53,11 @@ type User struct {
 }
 
 func (u *User) IsGuest() bool {
-	return u.Role.Contains(GUEST)
+	return u.Role == GUEST
 }
 
 func (u *User) IsAdmin() bool {
-	return u.Role.Contains(ADMIN)
+	return u.Role == ADMIN
 }
 
 func (u *User) ValidateRawPassword(password string) error {
@@ -140,19 +137,8 @@ func (u *User) CanDecompress() bool {
 	return (u.Permission>>13)&1 == 1
 }
 
-func (u *User) CheckPathLimit() bool {
-	return (u.Permission>>14)&1 == 1
-}
-
 func (u *User) JoinPath(reqPath string) (string, error) {
-	path, err := utils.JoinBasePath(u.BasePath, reqPath)
-	if err != nil {
-		return "", err
-	}
-	if u.CheckPathLimit() && !utils.IsSubPath(u.BasePath, path) {
-		return "", errs.PermissionDenied
-	}
-	return path, nil
+	return utils.JoinBasePath(u.BasePath, reqPath)
 }
 
 func StaticHash(password string) string {

internal/op/label.go

@@ -1,24 +0,0 @@
-package op
-
-import (
-	"context"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/pkg/errors"
-)
-
-func DeleteLabelById(ctx context.Context, id, userId uint) error {
-	_, err := db.GetLabelById(id)
-	if err != nil {
-		return errors.WithMessage(err, "failed get label")
-	}
-
-	if db.GetLabelFileBinDingByLabelIdExists(id, userId) {
-		return errors.New("label have binding relationships")
-	}
-
-	// delete the label in the database
-	if err := db.DeleteLabelById(id); err != nil {
-		return errors.WithMessage(err, "failed delete label in database")
-	}
-	return nil
-}

internal/op/label_file_binding.go

@@ -1,159 +0,0 @@
-package op
-
-import (
-	"fmt"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/pkg/errors"
-	"strconv"
-	"strings"
-	"time"
-)
-
-type CreateLabelFileBinDingReq struct {
-	Id          string    `json:"id"`
-	Path        string    `json:"path"`
-	Name        string    `json:"name"`
-	Size        int64     `json:"size"`
-	IsDir       bool      `json:"is_dir"`
-	Modified    time.Time `json:"modified"`
-	Created     time.Time `json:"created"`
-	Sign        string    `json:"sign"`
-	Thumb       string    `json:"thumb"`
-	Type        int       `json:"type"`
-	HashInfoStr string    `json:"hashinfo"`
-	LabelIds    string    `json:"label_ids"`
-}
-
-type ObjLabelResp struct {
-	Id          string        `json:"id"`
-	Path        string        `json:"path"`
-	Name        string        `json:"name"`
-	Size        int64         `json:"size"`
-	IsDir       bool          `json:"is_dir"`
-	Modified    time.Time     `json:"modified"`
-	Created     time.Time     `json:"created"`
-	Sign        string        `json:"sign"`
-	Thumb       string        `json:"thumb"`
-	Type        int           `json:"type"`
-	HashInfoStr string        `json:"hashinfo"`
-	LabelList   []model.Label `json:"label_list"`
-}
-
-func GetLabelByFileName(userId uint, fileName string) ([]model.Label, error) {
-	labelIds, err := db.GetLabelIds(userId, fileName)
-	if err != nil {
-		return nil, errors.WithMessage(err, "failed get label_file_binding")
-	}
-	var labels []model.Label
-	if len(labelIds) > 0 {
-		if labels, err = db.GetLabelByIds(labelIds); err != nil {
-			return nil, errors.WithMessage(err, "failed labels in database")
-		}
-	}
-	return labels, nil
-}
-
-func CreateLabelFileBinDing(req CreateLabelFileBinDingReq, userId uint) error {
-	if err := db.DelLabelFileBinDingByFileName(userId, req.Name); err != nil {
-		return errors.WithMessage(err, "failed del label_file_bin_ding in database")
-	}
-	if req.LabelIds == "" {
-		return nil
-	}
-	labelMap := strings.Split(req.LabelIds, ",")
-	for _, value := range labelMap {
-		labelId, err := strconv.ParseUint(value, 10, 64)
-		if err != nil {
-			return fmt.Errorf("invalid label ID '%s': %v", value, err)
-		}
-		if err = db.CreateLabelFileBinDing(req.Name, uint(labelId), userId); err != nil {
-			return errors.WithMessage(err, "failed labels in database")
-		}
-	}
-	if !db.GetFileByNameExists(req.Name) {
-		objFile := model.ObjFile{
-			Id:          req.Id,
-			UserId:      userId,
-			Path:        req.Path,
-			Name:        req.Name,
-			Size:        req.Size,
-			IsDir:       req.IsDir,
-			Modified:    req.Modified,
-			Created:     req.Created,
-			Sign:        req.Sign,
-			Thumb:       req.Thumb,
-			Type:        req.Type,
-			HashInfoStr: req.HashInfoStr,
-		}
-		err := db.CreateObjFile(objFile)
-		if err != nil {
-			return errors.WithMessage(err, "failed file in database")
-		}
-	}
-	return nil
-}
-
-func GetFileByLabel(userId uint, labelId string) (result []ObjLabelResp, err error) {
-	labelMap := strings.Split(labelId, ",")
-	var labelIds []uint
-	var labelsFile []model.LabelFileBinDing
-	var labels []model.Label
-	var labelsFileMap = make(map[string][]model.Label)
-	var labelsMap = make(map[uint]model.Label)
-	if labelIds, err = StringSliceToUintSlice(labelMap); err != nil {
-		return nil, errors.WithMessage(err, "failed string to uint err")
-	}
-	//查询标签信息
-	if labels, err = db.GetLabelByIds(labelIds); err != nil {
-		return nil, errors.WithMessage(err, "failed labels in database")
-	}
-	for _, val := range labels {
-		labelsMap[val.ID] = val
-	}
-	//查询标签对应文件名列表
-	if labelsFile, err = db.GetLabelFileBinDingByLabelId(labelIds, userId); err != nil {
-		return nil, errors.WithMessage(err, "failed labels in database")
-	}
-	for _, value := range labelsFile {
-		var labelTemp model.Label
-		labelTemp = labelsMap[value.LabelId]
-		labelsFileMap[value.FileName] = append(labelsFileMap[value.FileName], labelTemp)
-	}
-	for index, v := range labelsFileMap {
-		objFile, err := db.GetFileByName(index, userId)
-		if err != nil {
-			return nil, errors.WithMessage(err, "failed GetFileByName in database")
-		}
-		objLabel := ObjLabelResp{
-			Id:          objFile.Id,
-			Path:        objFile.Path,
-			Name:        objFile.Name,
-			Size:        objFile.Size,
-			IsDir:       objFile.IsDir,
-			Modified:    objFile.Modified,
-			Created:     objFile.Created,
-			Sign:        objFile.Sign,
-			Thumb:       objFile.Thumb,
-			Type:        objFile.Type,
-			HashInfoStr: objFile.HashInfoStr,
-			LabelList:   v,
-		}
-		result = append(result, objLabel)
-	}
-	return result, nil
-}
-
-func StringSliceToUintSlice(strSlice []string) ([]uint, error) {
-	uintSlice := make([]uint, len(strSlice))
-	for i, str := range strSlice {
-		// 使用strconv.ParseUint将字符串转换为uint64
-		uint64Value, err := strconv.ParseUint(str, 10, 64)
-		if err != nil {
-			return nil, err // 如果转换失败，返回错误
-		}
-		// 将uint64值转换为uint（注意：这里可能存在精度损失，如果uint64值超出了uint的范围）
-		uintSlice[i] = uint(uint64Value)
-	}
-	return uintSlice, nil
-}

internal/op/role.go

@@ -1,136 +0,0 @@
-package op
-
-import (
-	"fmt"
-	"github.com/pkg/errors"
-	"time"
-
-	"github.com/Xhofe/go-cache"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/alist-org/alist/v3/internal/errs"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/pkg/singleflight"
-	"github.com/alist-org/alist/v3/pkg/utils"
-)
-
-var roleCache = cache.NewMemCache[*model.Role](cache.WithShards[*model.Role](2))
-var roleG singleflight.Group[*model.Role]
-
-func GetRole(id uint) (*model.Role, error) {
-	key := fmt.Sprint(id)
-	if r, ok := roleCache.Get(key); ok {
-		return r, nil
-	}
-	r, err, _ := roleG.Do(key, func() (*model.Role, error) {
-		_r, err := db.GetRole(id)
-		if err != nil {
-			return nil, err
-		}
-		roleCache.Set(key, _r, cache.WithEx[*model.Role](time.Hour))
-		return _r, nil
-	})
-	return r, err
-}
-
-func GetRoleByName(name string) (*model.Role, error) {
-	if r, ok := roleCache.Get(name); ok {
-		return r, nil
-	}
-	r, err, _ := roleG.Do(name, func() (*model.Role, error) {
-		_r, err := db.GetRoleByName(name)
-		if err != nil {
-			return nil, err
-		}
-		roleCache.Set(name, _r, cache.WithEx[*model.Role](time.Hour))
-		return _r, nil
-	})
-	return r, err
-}
-
-func GetRolesByUserID(userID uint) ([]model.Role, error) {
-	user, err := GetUserById(userID)
-	if err != nil {
-		return nil, err
-	}
-
-	var roles []model.Role
-	for _, roleID := range user.Role {
-		key := fmt.Sprint(roleID)
-
-		if r, ok := roleCache.Get(key); ok {
-			roles = append(roles, *r)
-			continue
-		}
-
-		r, err, _ := roleG.Do(key, func() (*model.Role, error) {
-			_r, err := db.GetRole(uint(roleID))
-			if err != nil {
-				return nil, err
-			}
-			roleCache.Set(key, _r, cache.WithEx[*model.Role](time.Hour))
-			return _r, nil
-		})
-		if err != nil {
-			return nil, err
-		}
-		roles = append(roles, *r)
-	}
-
-	return roles, nil
-}
-
-func GetRoles(pageIndex, pageSize int) ([]model.Role, int64, error) {
-	return db.GetRoles(pageIndex, pageSize)
-}
-
-func CreateRole(r *model.Role) error {
-	for i := range r.PermissionScopes {
-		r.PermissionScopes[i].Path = utils.FixAndCleanPath(r.PermissionScopes[i].Path)
-	}
-	roleCache.Del(fmt.Sprint(r.ID))
-	roleCache.Del(r.Name)
-	return db.CreateRole(r)
-}
-
-func UpdateRole(r *model.Role) error {
-	old, err := db.GetRole(r.ID)
-	if err != nil {
-		return err
-	}
-	if old.Name == "admin" || old.Name == "guest" {
-		return errs.ErrChangeDefaultRole
-	}
-	for i := range r.PermissionScopes {
-		r.PermissionScopes[i].Path = utils.FixAndCleanPath(r.PermissionScopes[i].Path)
-	}
-	if len(old.PermissionScopes) > 0 && len(r.PermissionScopes) > 0 &&
-		old.PermissionScopes[0].Path != r.PermissionScopes[0].Path {
-
-		oldPath := old.PermissionScopes[0].Path
-		newPath := r.PermissionScopes[0].Path
-		modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldPath, newPath)
-		if err != nil {
-			return errors.WithMessage(err, "failed to update user base path when role updated")
-		}
-
-		for _, name := range modifiedUsernames {
-			userCache.Del(name)
-		}
-	}
-	roleCache.Del(fmt.Sprint(r.ID))
-	roleCache.Del(r.Name)
-	return db.UpdateRole(r)
-}
-
-func DeleteRole(id uint) error {
-	old, err := db.GetRole(id)
-	if err != nil {
-		return err
-	}
-	if old.Name == "admin" || old.Name == "guest" {
-		return errs.ErrChangeDefaultRole
-	}
-	roleCache.Del(fmt.Sprint(id))
-	roleCache.Del(old.Name)
-	return db.DeleteRole(id)
-}

internal/op/storage.go

@@ -46,11 +46,6 @@ func GetStorageByMountPath(mountPath string) (driver.Driver, error) {
 func CreateStorage(ctx context.Context, storage model.Storage) (uint, error) {
 	storage.Modified = time.Now()
 	storage.MountPath = utils.FixAndCleanPath(storage.MountPath)
-
-	if storage.MountPath == "/" {
-		return 0, errors.New("Mount path cannot be '/'")
-	}
-
 	var err error
 	// check driver first
 	driverName := storage.Driver
@@ -210,9 +205,6 @@ func UpdateStorage(ctx context.Context, storage model.Storage) error {
 	}
 	storage.Modified = time.Now()
 	storage.MountPath = utils.FixAndCleanPath(storage.MountPath)
-	if storage.MountPath == "/" {
-		return errors.New("Mount path cannot be '/'")
-	}
 	err = db.UpdateStorage(&storage)
 	if err != nil {
 		return errors.WithMessage(err, "failed update storage in database")
@@ -224,21 +216,6 @@ func UpdateStorage(ctx context.Context, storage model.Storage) error {
 	if oldStorage.MountPath != storage.MountPath {
 		// mount path renamed, need to drop the storage
 		storagesMap.Delete(oldStorage.MountPath)
-		modifiedRoleIDs, err := db.UpdateRolePermissionsPathPrefix(oldStorage.MountPath, storage.MountPath)
-		if err != nil {
-			return errors.WithMessage(err, "failed to update role permissions")
-		}
-		for _, id := range modifiedRoleIDs {
-			roleCache.Del(fmt.Sprint(id))
-		}
-
-		modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldStorage.MountPath, storage.MountPath)
-		if err != nil {
-			return errors.WithMessage(err, "failed to update user base path")
-		}
-		for _, name := range modifiedUsernames {
-			userCache.Del(name)
-		}
 	}
 	if err != nil {
 		return errors.WithMessage(err, "failed get storage driver")

internal/op/user.go

@@ -18,11 +18,7 @@ var adminUser *model.User
 
 func GetAdmin() (*model.User, error) {
 	if adminUser == nil {
-		role, err := GetRoleByName("admin")
-		if err != nil {
-			return nil, err
-		}
-		user, err := db.GetUserByRole(int(role.ID))
+		user, err := db.GetUserByRole(model.ADMIN)
 		if err != nil {
 			return nil, err
 		}
@@ -33,11 +29,7 @@ func GetAdmin() (*model.User, error) {
 
 func GetGuest() (*model.User, error) {
 	if guestUser == nil {
-		role, err := GetRoleByName("guest")
-		if err != nil {
-			return nil, err
-		}
-		user, err := db.GetUserByRole(int(role.ID))
+		user, err := db.GetUserByRole(model.GUEST)
 		if err != nil {
 			return nil, err
 		}
@@ -78,25 +70,7 @@ func GetUsers(pageIndex, pageSize int) (users []model.User, count int64, err err
 
 func CreateUser(u *model.User) error {
 	u.BasePath = utils.FixAndCleanPath(u.BasePath)
-
-	err := db.CreateUser(u)
-	if err != nil {
-		return err
-	}
-
-	roles, err := GetRolesByUserID(u.ID)
-	if err == nil {
-		for _, role := range roles {
-			if len(role.PermissionScopes) > 0 {
-				u.BasePath = utils.FixAndCleanPath(role.PermissionScopes[0].Path)
-				break
-			}
-		}
-		_ = db.UpdateUser(u)
-		userCache.Del(u.Username)
-	}
-
-	return nil
+	return db.CreateUser(u)
 }
 
 func DeleteUserById(id uint) error {
@@ -124,17 +98,6 @@ func UpdateUser(u *model.User) error {
 	}
 	userCache.Del(old.Username)
 	u.BasePath = utils.FixAndCleanPath(u.BasePath)
-	if len(u.Role) > 0 {
-		roles, err := GetRolesByUserID(u.ID)
-		if err == nil {
-			for _, role := range roles {
-				if len(role.PermissionScopes) > 0 {
-					u.BasePath = utils.FixAndCleanPath(role.PermissionScopes[0].Path)
-					break
-				}
-			}
-		}
-	}
 	return db.UpdateUser(u)
 }
 

server/common/check.go

@@ -1,11 +1,15 @@
 package common
 
 import (
+	"path"
+	"strings"
+
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/dlclark/regexp2"
 )
 
 func IsStorageSignEnabled(rawPath string) bool {
@@ -28,11 +32,30 @@ func IsApply(metaPath, reqPath string, applySub bool) bool {
 }
 
 func CanAccess(user *model.User, meta *model.Meta, reqPath string, password string) bool {
-	// Deprecated: CanAccess is kept for backward compatibility.
-	// The logic has been moved to CanAccessWithRoles which performs the
-	// necessary checks based on role permissions. This wrapper ensures
-	// older calls still work without relying on user permission bits.
-	return CanAccessWithRoles(user, meta, reqPath, password)
+	// if the reqPath is in hide (only can check the nearest meta) and user can't see hides, can't access
+	if meta != nil && !user.CanSeeHides() && meta.Hide != "" &&
+		IsApply(meta.Path, path.Dir(reqPath), meta.HSub) { // the meta should apply to the parent of current path
+		for _, hide := range strings.Split(meta.Hide, "\n") {
+			re := regexp2.MustCompile(hide, regexp2.None)
+			if isMatch, _ := re.MatchString(path.Base(reqPath)); isMatch {
+				return false
+			}
+		}
+	}
+	// if is not guest and can access without password
+	if user.CanAccessWithoutPassword() {
+		return true
+	}
+	// if meta is nil or password is empty, can access
+	if meta == nil || meta.Password == "" {
+		return true
+	}
+	// if meta doesn't apply to sub_folder, can access
+	if !utils.PathEqual(meta.Path, reqPath) && !meta.PSub {
+		return true
+	}
+	// validate password
+	return meta.Password == password
 }
 
 // ShouldProxy TODO need optimize

server/common/role_perm.go

@@ -1,108 +0,0 @@
-package common
-
-import (
-	"path"
-	"strings"
-
-	"github.com/dlclark/regexp2"
-
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/pkg/utils"
-)
-
-const (
-	PermSeeHides = iota
-	PermAccessWithoutPassword
-	PermAddOfflineDownload
-	PermWrite
-	PermRename
-	PermMove
-	PermCopy
-	PermRemove
-	PermWebdavRead
-	PermWebdavManage
-	PermFTPAccess
-	PermFTPManage
-	PermReadArchives
-	PermDecompress
-	PermPathLimit
-)
-
-func HasPermission(perm int32, bit uint) bool {
-	return (perm>>bit)&1 == 1
-}
-
-func MergeRolePermissions(u *model.User, reqPath string) int32 {
-	if u == nil {
-		return 0
-	}
-	var perm int32
-	for _, rid := range u.Role {
-		role, err := op.GetRole(uint(rid))
-		if err != nil {
-			continue
-		}
-		for _, entry := range role.PermissionScopes {
-			if utils.IsSubPath(entry.Path, reqPath) {
-				perm |= entry.Permission
-			}
-		}
-	}
-	return perm
-}
-
-func CanAccessWithRoles(u *model.User, meta *model.Meta, reqPath, password string) bool {
-	if !canReadPathByRole(u, reqPath) {
-		return false
-	}
-	perm := MergeRolePermissions(u, reqPath)
-	if meta != nil && !HasPermission(perm, PermSeeHides) && meta.Hide != "" &&
-		IsApply(meta.Path, path.Dir(reqPath), meta.HSub) {
-		for _, hide := range strings.Split(meta.Hide, "\n") {
-			re := regexp2.MustCompile(hide, regexp2.None)
-			if isMatch, _ := re.MatchString(path.Base(reqPath)); isMatch {
-				return false
-			}
-		}
-	}
-	if HasPermission(perm, PermAccessWithoutPassword) {
-		return true
-	}
-	if meta == nil || meta.Password == "" {
-		return true
-	}
-	if !utils.PathEqual(meta.Path, reqPath) && !meta.PSub {
-		return true
-	}
-	return meta.Password == password
-}
-
-func canReadPathByRole(u *model.User, reqPath string) bool {
-	if u == nil {
-		return false
-	}
-	for _, rid := range u.Role {
-		role, err := op.GetRole(uint(rid))
-		if err != nil {
-			continue
-		}
-		for _, entry := range role.PermissionScopes {
-			if utils.IsSubPath(entry.Path, reqPath) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// CheckPathLimitWithRoles checks whether the path is allowed when the user has
-// the `PermPathLimit` permission for the target path. When the user does not
-// have this permission, the check passes by default.
-func CheckPathLimitWithRoles(u *model.User, reqPath string) bool {
-	perm := MergeRolePermissions(u, reqPath)
-	if HasPermission(perm, PermPathLimit) {
-		return canReadPathByRole(u, reqPath)
-	}
-	return true
-}

server/ftp.go

@@ -11,7 +11,6 @@ import (
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/pkg/utils"
-	"github.com/alist-org/alist/v3/server/common"
 	"github.com/alist-org/alist/v3/server/ftp"
 	"math/rand"
 	"net"
@@ -131,8 +130,7 @@ func (d *FtpMainDriver) AuthUser(cc ftpserver.ClientContext, user, pass string)
 			return nil, err
 		}
 	}
-	perm := common.MergeRolePermissions(userObj, userObj.BasePath)
-	if userObj.Disabled || !common.HasPermission(perm, common.PermFTPAccess) {
+	if userObj.Disabled || !userObj.CanFTPAccess() {
 		return nil, errors.New("user is not allowed to access via FTP")
 	}
 

server/ftp/fsmanage.go

@@ -18,8 +18,7 @@ func Mkdir(ctx context.Context, path string) error {
 	if err != nil {
 		return err
 	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermWrite) || !common.HasPermission(perm, common.PermFTPManage) {
+	if !user.CanWrite() || !user.CanFTPManage() {
 		meta, err := op.GetNearestMeta(stdpath.Dir(reqPath))
 		if err != nil {
 			if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@@ -35,8 +34,7 @@ func Mkdir(ctx context.Context, path string) error {
 
 func Remove(ctx context.Context, path string) error {
 	user := ctx.Value("user").(*model.User)
-	perm := common.MergeRolePermissions(user, path)
-	if !common.HasPermission(perm, common.PermRemove) || !common.HasPermission(perm, common.PermFTPManage) {
+	if !user.CanRemove() || !user.CanFTPManage() {
 		return errs.PermissionDenied
 	}
 	reqPath, err := user.JoinPath(path)
@@ -58,14 +56,13 @@ func Rename(ctx context.Context, oldPath, newPath string) error {
 	}
 	srcDir, srcBase := stdpath.Split(srcPath)
 	dstDir, dstBase := stdpath.Split(dstPath)
-	permSrc := common.MergeRolePermissions(user, srcPath)
 	if srcDir == dstDir {
-		if !common.HasPermission(permSrc, common.PermRename) || !common.HasPermission(permSrc, common.PermFTPManage) {
+		if !user.CanRename() || !user.CanFTPManage() {
 			return errs.PermissionDenied
 		}
 		return fs.Rename(ctx, srcPath, dstBase)
 	} else {
-		if !common.HasPermission(permSrc, common.PermFTPManage) || !common.HasPermission(permSrc, common.PermMove) || (srcBase != dstBase && !common.HasPermission(permSrc, common.PermRename)) {
+		if !user.CanFTPManage() || !user.CanMove() || (srcBase != dstBase && !user.CanRename()) {
 			return errs.PermissionDenied
 		}
 		if err = fs.Move(ctx, srcPath, dstDir); err != nil {

server/ftp/fsread.go

@@ -30,7 +30,7 @@ func OpenDownload(ctx context.Context, reqPath string, offset int64) (*FileDownl
 		}
 	}
 	ctx = context.WithValue(ctx, "meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
+	if !common.CanAccess(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
 		return nil, errs.PermissionDenied
 	}
 
@@ -125,7 +125,7 @@ func Stat(ctx context.Context, path string) (os.FileInfo, error) {
 		}
 	}
 	ctx = context.WithValue(ctx, "meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
+	if !common.CanAccess(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
 		return nil, errs.PermissionDenied
 	}
 	obj, err := fs.Get(ctx, reqPath, &fs.GetArgs{})
@@ -148,7 +148,7 @@ func List(ctx context.Context, path string) ([]os.FileInfo, error) {
 		}
 	}
 	ctx = context.WithValue(ctx, "meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
+	if !common.CanAccess(user, meta, reqPath, ctx.Value("meta_pass").(string)) {
 		return nil, errs.PermissionDenied
 	}
 	objs, err := fs.List(ctx, reqPath, &fs.ListArgs{})

server/ftp/fsup.go

@@ -35,10 +35,8 @@ func uploadAuth(ctx context.Context, path string) error {
 			return err
 		}
 	}
-	perm := common.MergeRolePermissions(user, path)
-	if !(common.CanAccessWithRoles(user, meta, path, ctx.Value("meta_pass").(string)) &&
-		((common.HasPermission(perm, common.PermFTPManage) && common.HasPermission(perm, common.PermWrite)) ||
-			common.CanWrite(meta, stdpath.Dir(path)))) {
+	if !(common.CanAccess(user, meta, path, ctx.Value("meta_pass").(string)) &&
+		((user.CanFTPManage() && user.CanWrite()) || common.CanWrite(meta, stdpath.Dir(path)))) {
 		return errs.PermissionDenied
 	}
 	return nil

server/handles/archive.go

@@ -78,20 +78,15 @@ func FsArchiveMeta(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanReadArchives() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	reqPath, err := user.JoinPath(req.Path)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermReadArchives) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	meta, err := op.GetNearestMeta(reqPath)
 	if err != nil {
 		if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@@ -161,20 +156,15 @@ func FsArchiveList(c *gin.Context) {
 	}
 	req.Validate()
 	user := c.MustGet("user").(*model.User)
+	if !user.CanReadArchives() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	reqPath, err := user.JoinPath(req.Path)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermReadArchives) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	meta, err := op.GetNearestMeta(reqPath)
 	if err != nil {
 		if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@@ -252,6 +242,10 @@ func FsArchiveDecompress(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanDecompress() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	srcPaths := make([]string, 0, len(req.Name))
 	for _, name := range req.Name {
 		srcPath, err := user.JoinPath(stdpath.Join(req.SrcDir, name))
@@ -259,10 +253,6 @@ func FsArchiveDecompress(c *gin.Context) {
 			common.ErrorResp(c, err, 403)
 			return
 		}
-		if !common.CheckPathLimitWithRoles(user, srcPath) {
-			common.ErrorResp(c, errs.PermissionDenied, 403)
-			return
-		}
 		srcPaths = append(srcPaths, srcPath)
 	}
 	dstDir, err := user.JoinPath(req.DstDir)
@@ -270,17 +260,8 @@ func FsArchiveDecompress(c *gin.Context) {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, dstDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	tasks := make([]task.TaskExtensionInfo, 0, len(srcPaths))
 	for _, srcPath := range srcPaths {
-		perm := common.MergeRolePermissions(user, srcPath)
-		if !common.HasPermission(perm, common.PermDecompress) {
-			common.ErrorResp(c, errs.PermissionDenied, 403)
-			return
-		}
 		t, e := fs.ArchiveDecompress(c, srcPath, dstDir, model.ArchiveDecompressArgs{
 			ArchiveInnerArgs: model.ArchiveInnerArgs{
 				ArchiveArgs: model.ArchiveArgs{

server/handles/auth.go

@@ -4,8 +4,6 @@ import (
 	"bytes"
 	"encoding/base64"
 	"image/png"
-	"path"
-	"strings"
 	"time"
 
 	"github.com/Xhofe/go-cache"
@@ -91,16 +89,13 @@ func loginHash(c *gin.Context, req *LoginReq) {
 
 type UserResp struct {
 	model.User
-	Otp         bool                    `json:"otp"`
-	RoleNames   []string                `json:"role_names"`
-	Permissions []model.PermissionEntry `json:"permissions"`
+	Otp bool `json:"otp"`
 }
 
 // CurrentUser get current user by token
 // if token is empty, return guest user
 func CurrentUser(c *gin.Context) {
 	user := c.MustGet("user").(*model.User)
-
 	userResp := UserResp{
 		User: *user,
 	}
@@ -108,30 +103,6 @@ func CurrentUser(c *gin.Context) {
 	if userResp.OtpSecret != "" {
 		userResp.Otp = true
 	}
-
-	var roleNames []string
-	permMap := map[string]int32{}
-	addedPaths := map[string]bool{}
-
-	for _, role := range user.RolesDetail {
-		roleNames = append(roleNames, role.Name)
-		for _, entry := range role.PermissionScopes {
-			cleanPath := path.Clean("/" + strings.TrimPrefix(entry.Path, "/"))
-			permMap[cleanPath] |= entry.Permission
-		}
-	}
-	userResp.RoleNames = roleNames
-
-	for fullPath, perm := range permMap {
-		if !addedPaths[fullPath] {
-			userResp.Permissions = append(userResp.Permissions, model.PermissionEntry{
-				Path:       fullPath,
-				Permission: perm,
-			})
-			addedPaths[fullPath] = true
-		}
-	}
-
 	common.SuccessResp(c, userResp)
 }
 

server/handles/fsbatch.go

@@ -29,29 +29,20 @@ func FsRecursiveMove(c *gin.Context) {
 	}
 
 	user := c.MustGet("user").(*model.User)
+	if !user.CanMove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	srcDir, err := user.JoinPath(req.SrcDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, srcDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	dstDir, err := user.JoinPath(req.DstDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, dstDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, srcDir)
-	if !common.HasPermission(perm, common.PermMove) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 
 	meta, err := op.GetNearestMeta(srcDir)
 	if err != nil {
@@ -158,20 +149,16 @@ func FsBatchRename(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRename() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
+
 	reqPath, err := user.JoinPath(req.SrcDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermRename) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 
 	meta, err := op.GetNearestMeta(reqPath)
 	if err != nil {
@@ -207,19 +194,14 @@ func FsRegexRename(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
-	reqPath, err := user.JoinPath(req.SrcDir)
-	if err != nil {
-		common.ErrorResp(c, err, 403)
-		return
-	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
+	if !user.CanRename() {
 		common.ErrorResp(c, errs.PermissionDenied, 403)
 		return
 	}
 
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermRename) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
+	reqPath, err := user.JoinPath(req.SrcDir)
+	if err != nil {
+		common.ErrorResp(c, err, 403)
 		return
 	}
 

server/handles/fsmanage.go

@@ -35,12 +35,7 @@ func FsMkdir(c *gin.Context) {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermWrite) {
+	if !user.CanWrite() {
 		meta, err := op.GetNearestMeta(stdpath.Dir(reqPath))
 		if err != nil {
 			if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@@ -78,29 +73,20 @@ func FsMove(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanMove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	srcDir, err := user.JoinPath(req.SrcDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, srcDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	dstDir, err := user.JoinPath(req.DstDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, dstDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	permMove := common.MergeRolePermissions(user, srcDir)
-	if !common.HasPermission(permMove, common.PermMove) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	if !req.Overwrite {
 		for _, name := range req.Names {
 			if res, _ := fs.Get(c, stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
@@ -130,29 +116,20 @@ func FsCopy(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanCopy() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	srcDir, err := user.JoinPath(req.SrcDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, srcDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	dstDir, err := user.JoinPath(req.DstDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, dstDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, srcDir)
-	if !common.HasPermission(perm, common.PermCopy) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	if !req.Overwrite {
 		for _, name := range req.Names {
 			if res, _ := fs.Get(c, stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
@@ -190,20 +167,15 @@ func FsRename(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRename() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	reqPath, err := user.JoinPath(req.Path)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermRename) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	if !req.Overwrite {
 		dstPath := stdpath.Join(stdpath.Dir(reqPath), req.Name)
 		if dstPath != reqPath {
@@ -236,20 +208,15 @@ func FsRemove(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRemove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	reqDir, err := user.JoinPath(req.Dir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqDir)
-	if !common.HasPermission(perm, common.PermRemove) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 	for _, name := range req.Names {
 		err := fs.Remove(c, stdpath.Join(reqDir, name))
 		if err != nil {
@@ -273,20 +240,15 @@ func FsRemoveEmptyDirectory(c *gin.Context) {
 	}
 
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRemove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	srcDir, err := user.JoinPath(req.SrcDir)
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, srcDir) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, srcDir)
-	if !common.HasPermission(perm, common.PermRemove) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
 
 	meta, err := op.GetNearestMeta(srcDir)
 	if err != nil {

server/handles/fsread.go

@@ -48,28 +48,12 @@ type ObjResp struct {
 }
 
 type FsListResp struct {
-	Content  []ObjLabelResp `json:"content"`
-	Total    int64          `json:"total"`
-	Readme   string         `json:"readme"`
-	Header   string         `json:"header"`
-	Write    bool           `json:"write"`
-	Provider string         `json:"provider"`
-}
-
-type ObjLabelResp struct {
-	Id          string                     `json:"id"`
-	Path        string                     `json:"path"`
-	Name        string                     `json:"name"`
-	Size        int64                      `json:"size"`
-	IsDir       bool                       `json:"is_dir"`
-	Modified    time.Time                  `json:"modified"`
-	Created     time.Time                  `json:"created"`
-	Sign        string                     `json:"sign"`
-	Thumb       string                     `json:"thumb"`
-	Type        int                        `json:"type"`
-	HashInfoStr string                     `json:"hashinfo"`
-	HashInfo    map[*utils.HashType]string `json:"hash_info"`
-	LabelList   []model.Label              `json:"label_list"`
+	Content  []ObjResp `json:"content"`
+	Total    int64     `json:"total"`
+	Readme   string    `json:"readme"`
+	Header   string    `json:"header"`
+	Write    bool      `json:"write"`
+	Provider string    `json:"provider"`
 }
 
 func FsList(c *gin.Context) {
@@ -93,12 +77,11 @@ func FsList(c *gin.Context) {
 		}
 	}
 	c.Set("meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, req.Password) {
+	if !common.CanAccess(user, meta, reqPath, req.Password) {
 		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermWrite) && !common.CanWrite(meta, reqPath) && req.Refresh {
+	if !user.CanWrite() && !common.CanWrite(meta, reqPath) && req.Refresh {
 		common.ErrorStrResp(c, "Refresh without permission", 403)
 		return
 	}
@@ -114,11 +97,11 @@ func FsList(c *gin.Context) {
 		provider = storage.GetStorage().Driver
 	}
 	common.SuccessResp(c, FsListResp{
-		Content:  toObjsResp(objs, reqPath, isEncrypt(meta, reqPath), user.ID),
+		Content:  toObjsResp(objs, reqPath, isEncrypt(meta, reqPath)),
 		Total:    int64(total),
 		Readme:   getReadme(meta, reqPath),
 		Header:   getHeader(meta, reqPath),
-		Write:    common.HasPermission(perm, common.PermWrite) || common.CanWrite(meta, reqPath),
+		Write:    user.CanWrite() || common.CanWrite(meta, reqPath),
 		Provider: provider,
 	})
 }
@@ -152,7 +135,7 @@ func FsDirs(c *gin.Context) {
 		}
 	}
 	c.Set("meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, req.Password) {
+	if !common.CanAccess(user, meta, reqPath, req.Password) {
 		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
@@ -224,15 +207,11 @@ func pagination(objs []model.Obj, req *model.PageReq) (int, []model.Obj) {
 	return total, objs[start:end]
 }
 
-func toObjsResp(objs []model.Obj, parent string, encrypt bool, userId uint) []ObjLabelResp {
-	var resp []ObjLabelResp
+func toObjsResp(objs []model.Obj, parent string, encrypt bool) []ObjResp {
+	var resp []ObjResp
 	for _, obj := range objs {
-		var labels []model.Label
-		if obj.IsDir() == false {
-			labels, _ = op.GetLabelByFileName(userId, obj.GetName())
-		}
 		thumb, _ := model.GetThumb(obj)
-		resp = append(resp, ObjLabelResp{
+		resp = append(resp, ObjResp{
 			Id:          obj.GetID(),
 			Path:        obj.GetPath(),
 			Name:        obj.GetName(),
@@ -245,7 +224,6 @@ func toObjsResp(objs []model.Obj, parent string, encrypt bool, userId uint) []Ob
 			Sign:        common.Sign(obj, parent, encrypt),
 			Thumb:       thumb,
 			Type:        utils.GetObjType(obj.GetName(), obj.IsDir()),
-			LabelList:   labels,
 		})
 	}
 	return resp
@@ -258,11 +236,11 @@ type FsGetReq struct {
 
 type FsGetResp struct {
 	ObjResp
-	RawURL   string         `json:"raw_url"`
-	Readme   string         `json:"readme"`
-	Header   string         `json:"header"`
-	Provider string         `json:"provider"`
-	Related  []ObjLabelResp `json:"related"`
+	RawURL   string    `json:"raw_url"`
+	Readme   string    `json:"readme"`
+	Header   string    `json:"header"`
+	Provider string    `json:"provider"`
+	Related  []ObjResp `json:"related"`
 }
 
 func FsGet(c *gin.Context) {
@@ -285,7 +263,7 @@ func FsGet(c *gin.Context) {
 		}
 	}
 	c.Set("meta", meta)
-	if !common.CanAccessWithRoles(user, meta, reqPath, req.Password) {
+	if !common.CanAccess(user, meta, reqPath, req.Password) {
 		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
@@ -369,7 +347,7 @@ func FsGet(c *gin.Context) {
 		Readme:   getReadme(meta, reqPath),
 		Header:   getHeader(meta, reqPath),
 		Provider: provider,
-		Related:  toObjsResp(related, parentPath, isEncrypt(parentMeta, parentPath), user.ID),
+		Related:  toObjsResp(related, parentPath, isEncrypt(parentMeta, parentPath)),
 	})
 }
 
@@ -413,7 +391,7 @@ func FsOther(c *gin.Context) {
 		}
 	}
 	c.Set("meta", meta)
-	if !common.CanAccessWithRoles(user, meta, req.Path, req.Password) {
+	if !common.CanAccess(user, meta, req.Path, req.Password) {
 		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}

server/handles/label.go

@@ -1,99 +0,0 @@
-package handles
-
-import (
-	"errors"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/server/common"
-	"github.com/gin-gonic/gin"
-	log "github.com/sirupsen/logrus"
-	"strconv"
-)
-
-func ListLabel(c *gin.Context) {
-	var req model.PageReq
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	req.Validate()
-	log.Debugf("%+v", req)
-	labels, total, err := db.GetLabels(req.Page, req.PerPage)
-	if err != nil {
-		common.ErrorResp(c, err, 500)
-		return
-	}
-	common.SuccessResp(c, common.PageResp{
-		Content: labels,
-		Total:   total,
-	})
-}
-
-func GetLabel(c *gin.Context) {
-	idStr := c.Query("id")
-	id, err := strconv.Atoi(idStr)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	label, err := db.GetLabelById(uint(id))
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c, label)
-}
-
-func CreateLabel(c *gin.Context) {
-	var req model.Label
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if db.GetLabelByName(req.Name) {
-		common.ErrorResp(c, errors.New("label name is exists"), 401)
-		return
-	}
-	if id, err := db.CreateLabel(req); err != nil {
-		common.ErrorWithDataResp(c, err, 500, gin.H{
-			"id": id,
-		}, true)
-	} else {
-		common.SuccessResp(c, gin.H{
-			"id": id,
-		})
-	}
-}
-
-func UpdateLabel(c *gin.Context) {
-	var req model.Label
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if label, err := db.UpdateLabel(&req); err != nil {
-		common.ErrorResp(c, err, 500, true)
-	} else {
-		common.SuccessResp(c, label)
-	}
-}
-
-func DeleteLabel(c *gin.Context) {
-	idStr := c.Query("id")
-	id, err := strconv.Atoi(idStr)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	userObj, ok := c.Value("user").(*model.User)
-	if !ok {
-		common.ErrorStrResp(c, "user invalid", 401)
-		return
-	}
-	if err = op.DeleteLabelById(c, uint(id), userObj.ID); err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c)
-}

server/handles/label_file_binding.go

@@ -1,103 +0,0 @@
-package handles
-
-import (
-	"errors"
-	"fmt"
-	"github.com/alist-org/alist/v3/internal/db"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/server/common"
-	"github.com/gin-gonic/gin"
-	"strconv"
-)
-
-type DelLabelFileBinDingReq struct {
-	FileName string `json:"file_name"`
-	LabelId  string `json:"label_id"`
-}
-
-func GetLabelByFileName(c *gin.Context) {
-	fileName := c.Query("file_name")
-	if fileName == "" {
-		common.ErrorResp(c, errors.New("file_name must not empty"), 400)
-		return
-	}
-	userObj, ok := c.Value("user").(*model.User)
-	if !ok {
-		common.ErrorStrResp(c, "user invalid", 401)
-		return
-	}
-	labels, err := op.GetLabelByFileName(userObj.ID, fileName)
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c, labels)
-}
-
-func CreateLabelFileBinDing(c *gin.Context) {
-	var req op.CreateLabelFileBinDingReq
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if req.IsDir == true {
-		common.ErrorStrResp(c, "Unable to bind folder", 400)
-		return
-	}
-	userObj, ok := c.Value("user").(*model.User)
-	if !ok {
-		common.ErrorStrResp(c, "user invalid", 401)
-		return
-	}
-	if err := op.CreateLabelFileBinDing(req, userObj.ID); err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	} else {
-		common.SuccessResp(c, gin.H{
-			"msg": "添加成功！",
-		})
-	}
-}
-
-func DelLabelByFileName(c *gin.Context) {
-	var req DelLabelFileBinDingReq
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	userObj, ok := c.Value("user").(*model.User)
-	if !ok {
-		common.ErrorStrResp(c, "user invalid", 401)
-		return
-	}
-	labelId, err := strconv.ParseUint(req.LabelId, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, fmt.Errorf("invalid label ID '%s': %v", req.LabelId, err), 500, true)
-		return
-	}
-	if err = db.DelLabelFileBinDingById(uint(labelId), userObj.ID, req.FileName); err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c)
-}
-
-func GetFileByLabel(c *gin.Context) {
-	labelId := c.Query("label_id")
-	if labelId == "" {
-		common.ErrorResp(c, errors.New("file_name must not empty"), 400)
-		return
-	}
-	userObj, ok := c.Value("user").(*model.User)
-	if !ok {
-		common.ErrorStrResp(c, "user invalid", 401)
-		return
-	}
-	fileList, err := op.GetFileByLabel(userObj.ID, labelId)
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c, fileList)
-}

server/handles/ldap_login.go

@@ -131,7 +131,7 @@ func ladpRegister(username string) (*model.User, error) {
 		Password:   random.String(16),
 		Permission: int32(setting.GetInt(conf.LdapDefaultPermission, 0)),
 		BasePath:   setting.GetStr(conf.LdapDefaultDir),
-		Role:       nil,
+		Role:       0,
 		Disabled:   false,
 	}
 	if err := db.CreateUser(user); err != nil {

server/handles/offline_download.go

@@ -5,7 +5,6 @@ import (
 	"github.com/alist-org/alist/v3/drivers/pikpak"
 	"github.com/alist-org/alist/v3/drivers/thunder"
 	"github.com/alist-org/alist/v3/internal/conf"
-	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/offline_download/tool"
 	"github.com/alist-org/alist/v3/internal/op"
@@ -254,6 +253,10 @@ type AddOfflineDownloadReq struct {
 
 func AddOfflineDownload(c *gin.Context) {
 	user := c.MustGet("user").(*model.User)
+	if !user.CanAddOfflineDownloadTasks() {
+		common.ErrorStrResp(c, "permission denied", 403)
+		return
+	}
 
 	var req AddOfflineDownloadReq
 	if err := c.ShouldBind(&req); err != nil {
@@ -265,15 +268,6 @@ func AddOfflineDownload(c *gin.Context) {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	if !common.CheckPathLimitWithRoles(user, reqPath) {
-		common.ErrorResp(c, errs.PermissionDenied, 403)
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if !common.HasPermission(perm, common.PermAddOfflineDownload) {
-		common.ErrorStrResp(c, "permission denied", 403)
-		return
-	}
 	var tasks []task.TaskExtensionInfo
 	for _, url := range req.Urls {
 		t, err := tool.AddURL(c, &tool.AddURLArgs{

server/handles/role.go

@@ -1,101 +0,0 @@
-package handles
-
-import (
-	"strconv"
-
-	"github.com/alist-org/alist/v3/internal/errs"
-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/server/common"
-	"github.com/gin-gonic/gin"
-	log "github.com/sirupsen/logrus"
-)
-
-func ListRoles(c *gin.Context) {
-	var req model.PageReq
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	req.Validate()
-	log.Debugf("%+v", req)
-	roles, total, err := op.GetRoles(req.Page, req.PerPage)
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c, common.PageResp{Content: roles, Total: total})
-}
-
-func GetRole(c *gin.Context) {
-	idStr := c.Query("id")
-	id, err := strconv.Atoi(idStr)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	role, err := op.GetRole(uint(id))
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c, role)
-}
-
-func CreateRole(c *gin.Context) {
-	var req model.Role
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := op.CreateRole(&req); err != nil {
-		common.ErrorResp(c, err, 500, true)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func UpdateRole(c *gin.Context) {
-	var req model.Role
-	if err := c.ShouldBind(&req); err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	role, err := op.GetRole(req.ID)
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	if role.Name == "admin" || role.Name == "guest" {
-		common.ErrorResp(c, errs.ErrChangeDefaultRole, 403)
-		return
-	}
-	if err := op.UpdateRole(&req); err != nil {
-		common.ErrorResp(c, err, 500, true)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func DeleteRole(c *gin.Context) {
-	idStr := c.Query("id")
-	id, err := strconv.Atoi(idStr)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	role, err := op.GetRole(uint(id))
-	if err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	if role.Name == "admin" || role.Name == "guest" {
-		common.ErrorResp(c, errs.ErrChangeDefaultRole, 403)
-		return
-	}
-	if err := op.DeleteRole(uint(id)); err != nil {
-		common.ErrorResp(c, err, 500, true)
-		return
-	}
-	common.SuccessResp(c)
-}

server/handles/search.go

@@ -57,7 +57,7 @@ func Search(c *gin.Context) {
 		if err != nil && !errors.Is(errors.Cause(err), errs.MetaNotFound) {
 			continue
 		}
-		if !common.CanAccessWithRoles(user, meta, path.Join(node.Parent, node.Name), req.Password) {
+		if !common.CanAccess(user, meta, path.Join(node.Parent, node.Name), req.Password) {
 			continue
 		}
 		filteredNodes = append(filteredNodes, node)

server/handles/ssologin.go

@@ -154,7 +154,7 @@ func autoRegister(username, userID string, err error) (*model.User, error) {
 		Password:   random.String(16),
 		Permission: int32(setting.GetInt(conf.SSODefaultPermission, 0)),
 		BasePath:   setting.GetStr(conf.SSODefaultDir),
-		Role:       nil,
+		Role:       0,
 		Disabled:   false,
 		SsoID:      userID,
 	}

server/handles/task.go

@@ -18,7 +18,7 @@ type TaskInfo struct {
 	ID          string      `json:"id"`
 	Name        string      `json:"name"`
 	Creator     string      `json:"creator"`
-	CreatorRole model.Roles `json:"creator_role"`
+	CreatorRole int         `json:"creator_role"`
 	State       tache.State `json:"state"`
 	Status      string      `json:"status"`
 	Progress    float64     `json:"progress"`
@@ -39,7 +39,7 @@ func getTaskInfo[T task.TaskExtensionInfo](task T) TaskInfo {
 		progress = 100
 	}
 	creatorName := ""
-	var creatorRole model.Roles
+	creatorRole := -1
 	if task.GetCreator() != nil {
 		creatorName = task.GetCreator().Username
 		creatorRole = task.GetCreator().Role

server/handles/user.go

@@ -1,7 +1,6 @@
 package handles
 
 import (
-	"github.com/alist-org/alist/v3/pkg/utils"
 	"strconv"
 
 	"github.com/alist-org/alist/v3/internal/model"
@@ -61,18 +60,10 @@ func UpdateUser(c *gin.Context) {
 		common.ErrorResp(c, err, 500)
 		return
 	}
-
-	if user.Username == "admin" {
-		if !utils.SliceEqual(user.Role, req.Role) {
-			common.ErrorStrResp(c, "cannot change role of admin user", 403)
-			return
-		}
-		if user.Username != req.Username {
-			common.ErrorStrResp(c, "cannot change username of admin user", 403)
-			return
-		}
+	if user.Role != req.Role {
+		common.ErrorStrResp(c, "role can not be changed", 400)
+		return
 	}
-
 	if req.Password == "" {
 		req.PwdHash = user.PwdHash
 		req.Salt = user.Salt

server/middlewares/auth.go

@@ -2,7 +2,6 @@ package middlewares
 
 import (
 	"crypto/subtle"
-	"fmt"
 
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/model"
@@ -69,15 +68,6 @@ func Auth(c *gin.Context) {
 		c.Abort()
 		return
 	}
-	if len(user.Role) > 0 {
-		roles, err := op.GetRolesByUserID(user.ID)
-		if err != nil {
-			common.ErrorStrResp(c, fmt.Sprintf("Fail to load roles: %v", err), 500)
-			c.Abort()
-			return
-		}
-		user.RolesDetail = roles
-	}
 	c.Set("user", user)
 	log.Debugf("use login token: %+v", user)
 	c.Next()
@@ -132,19 +122,6 @@ func Authn(c *gin.Context) {
 		c.Abort()
 		return
 	}
-	if len(user.Role) > 0 {
-		var roles []model.Role
-		for _, roleID := range user.Role {
-			role, err := op.GetRole(uint(roleID))
-			if err != nil {
-				common.ErrorStrResp(c, fmt.Sprintf("load role %d failed", roleID), 500)
-				c.Abort()
-				return
-			}
-			roles = append(roles, *role)
-		}
-		user.RolesDetail = roles
-	}
 	c.Set("user", user)
 	log.Debugf("use login token: %+v", user)
 	c.Next()

server/middlewares/fsup.go

@@ -35,9 +35,7 @@ func FsUp(c *gin.Context) {
 			return
 		}
 	}
-	perm := common.MergeRolePermissions(user, path)
-	if !(common.CanAccessWithRoles(user, meta, path, password) &&
-		(common.HasPermission(perm, common.PermWrite) || common.CanWrite(meta, stdpath.Dir(path)))) {
+	if !(common.CanAccess(user, meta, path, password) && (user.CanWrite() || common.CanWrite(meta, stdpath.Dir(path)))) {
 		common.ErrorResp(c, errs.PermissionDenied, 403)
 		c.Abort()
 		return

server/router.go

@@ -120,13 +120,6 @@ func admin(g *gin.RouterGroup) {
 	user.GET("/sshkey/list", handles.ListPublicKeys)
 	user.POST("/sshkey/delete", handles.DeletePublicKey)
 
-	role := g.Group("/role")
-	role.GET("/list", handles.ListRoles)
-	role.GET("/get", handles.GetRole)
-	role.POST("/create", handles.CreateRole)
-	role.POST("/update", handles.UpdateRole)
-	role.POST("/delete", handles.DeleteRole)
-
 	storage := g.Group("/storage")
 	storage.GET("/list", handles.ListStorages)
 	storage.GET("/get", handles.GetStorage)
@@ -168,19 +161,6 @@ func admin(g *gin.RouterGroup) {
 	index.POST("/stop", middlewares.SearchIndex, handles.StopIndex)
 	index.POST("/clear", middlewares.SearchIndex, handles.ClearIndex)
 	index.GET("/progress", middlewares.SearchIndex, handles.GetProgress)
-
-	label := g.Group("/label")
-	label.GET("/list", handles.ListLabel)
-	label.GET("/get", handles.GetLabel)
-	label.POST("/create", handles.CreateLabel)
-	label.POST("/update", handles.UpdateLabel)
-	label.POST("/delete", handles.DeleteLabel)
-
-	labelFileBinding := g.Group("/label_file_binding")
-	labelFileBinding.GET("/get", handles.GetLabelByFileName)
-	labelFileBinding.GET("/get_file_by_label", handles.GetFileByLabel)
-	labelFileBinding.POST("/create", handles.CreateLabelFileBinDing)
-	labelFileBinding.POST("/delete", handles.DelLabelByFileName)
 }
 
 func _fs(g *gin.RouterGroup) {

server/sftp.go

@@ -8,7 +8,6 @@ import (
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/pkg/utils"
-	"github.com/alist-org/alist/v3/server/common"
 	"github.com/alist-org/alist/v3/server/ftp"
 	"github.com/alist-org/alist/v3/server/sftp"
 	"github.com/pkg/errors"
@@ -79,8 +78,7 @@ func (d *SftpDriver) NoClientAuth(conn ssh.ConnMetadata) (*ssh.Permissions, erro
 	if err != nil {
 		return nil, err
 	}
-	permGuest := common.MergeRolePermissions(guest, guest.BasePath)
-	if guest.Disabled || !common.HasPermission(permGuest, common.PermFTPAccess) {
+	if guest.Disabled || !guest.CanFTPAccess() {
 		return nil, errors.New("user is not allowed to access via SFTP")
 	}
 	return nil, nil
@@ -91,8 +89,7 @@ func (d *SftpDriver) PasswordAuth(conn ssh.ConnMetadata, password []byte) (*ssh.
 	if err != nil {
 		return nil, err
 	}
-	perm := common.MergeRolePermissions(userObj, userObj.BasePath)
-	if userObj.Disabled || !common.HasPermission(perm, common.PermFTPAccess) {
+	if userObj.Disabled || !userObj.CanFTPAccess() {
 		return nil, errors.New("user is not allowed to access via SFTP")
 	}
 	passHash := model.StaticHash(string(password))
@@ -107,8 +104,7 @@ func (d *SftpDriver) PublicKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 	if err != nil {
 		return nil, err
 	}
-	perm := common.MergeRolePermissions(userObj, userObj.BasePath)
-	if userObj.Disabled || !common.HasPermission(perm, common.PermFTPAccess) {
+	if userObj.Disabled || !userObj.CanFTPAccess() {
 		return nil, errors.New("user is not allowed to access via SFTP")
 	}
 	keys, _, err := op.GetSSHPublicKeyByUserId(userObj.ID, 1, -1)

server/webdav.go

@@ -3,19 +3,16 @@ package server
 import (
 	"context"
 	"crypto/subtle"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-
 	"github.com/alist-org/alist/v3/internal/stream"
 	"github.com/alist-org/alist/v3/server/middlewares"
+	"net/http"
+	"path"
+	"strings"
 
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/internal/setting"
-	"github.com/alist-org/alist/v3/server/common"
 	"github.com/alist-org/alist/v3/server/webdav"
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
@@ -95,19 +92,7 @@ func WebDAVAuth(c *gin.Context) {
 		c.Abort()
 		return
 	}
-	reqPath := c.Param("path")
-	if reqPath == "" {
-		reqPath = "/"
-	}
-	reqPath, _ = url.PathUnescape(reqPath)
-	reqPath, err = user.JoinPath(reqPath)
-	if err != nil {
-		c.Status(http.StatusForbidden)
-		c.Abort()
-		return
-	}
-	perm := common.MergeRolePermissions(user, reqPath)
-	if user.Disabled || !common.HasPermission(perm, common.PermWebdavRead) {
+	if user.Disabled || !user.CanWebdavRead() {
 		if c.Request.Method == "OPTIONS" {
 			c.Set("user", guest)
 			c.Next()
@@ -117,27 +102,27 @@ func WebDAVAuth(c *gin.Context) {
 		c.Abort()
 		return
 	}
-	if (c.Request.Method == "PUT" || c.Request.Method == "MKCOL") && (!common.HasPermission(perm, common.PermWebdavManage) || !common.HasPermission(perm, common.PermWrite)) {
+	if (c.Request.Method == "PUT" || c.Request.Method == "MKCOL") && (!user.CanWebdavManage() || !user.CanWrite()) {
 		c.Status(http.StatusForbidden)
 		c.Abort()
 		return
 	}
-	if c.Request.Method == "MOVE" && (!common.HasPermission(perm, common.PermWebdavManage) || (!common.HasPermission(perm, common.PermMove) && !common.HasPermission(perm, common.PermRename))) {
+	if c.Request.Method == "MOVE" && (!user.CanWebdavManage() || (!user.CanMove() && !user.CanRename())) {
 		c.Status(http.StatusForbidden)
 		c.Abort()
 		return
 	}
-	if c.Request.Method == "COPY" && (!common.HasPermission(perm, common.PermWebdavManage) || !common.HasPermission(perm, common.PermCopy)) {
+	if c.Request.Method == "COPY" && (!user.CanWebdavManage() || !user.CanCopy()) {
 		c.Status(http.StatusForbidden)
 		c.Abort()
 		return
 	}
-	if c.Request.Method == "DELETE" && (!common.HasPermission(perm, common.PermWebdavManage) || !common.HasPermission(perm, common.PermRemove)) {
+	if c.Request.Method == "DELETE" && (!user.CanWebdavManage() || !user.CanRemove()) {
 		c.Status(http.StatusForbidden)
 		c.Abort()
 		return
 	}
-	if c.Request.Method == "PROPPATCH" && !common.HasPermission(perm, common.PermWebdavManage) {
+	if c.Request.Method == "PROPPATCH" && !user.CanWebdavManage() {
 		c.Status(http.StatusForbidden)
 		c.Abort()
 		return

server/webdav/file.go

@@ -14,7 +14,6 @@ import (
 	"github.com/alist-org/alist/v3/internal/fs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/server/common"
 )
 
 // slashClean is equivalent to but slightly more efficient than
@@ -35,11 +34,10 @@ func moveFiles(ctx context.Context, src, dst string, overwrite bool) (status int
 	srcName := path.Base(src)
 	dstName := path.Base(dst)
 	user := ctx.Value("user").(*model.User)
-	perm := common.MergeRolePermissions(user, src)
-	if srcDir != dstDir && !common.HasPermission(perm, common.PermMove) {
+	if srcDir != dstDir && !user.CanMove() {
 		return http.StatusForbidden, nil
 	}
-	if srcName != dstName && !common.HasPermission(perm, common.PermRename) {
+	if srcName != dstName && !user.CanRename() {
 		return http.StatusForbidden, nil
 	}
 	if srcDir == dstDir {