fix: webdav error location (#9266 )

* feat: improve WebDAV permission handling and user role fetching - Added logic to handle root permissions in WebDAV requests. - Improved the user role fetching mechanism. - Enhanced path checks and permission scopes in role_perm.go. - Set FetchRole function to avoid import cycles between modules. * fix(webdav): resolve connection reset issue by encoding paths - Adjust path encoding in webdav.go to prevent connection reset. - Utilize utils.EncodePath for correct path formatting. - Ensure proper handling of directory paths with trailing slash. * fix(webdav): resolve connection reset issue by encoding paths - Adjust path encoding in webdav.go to prevent connection reset. - Utilize utils.FixAndCleanPath for correct path formatting. - Ensure proper handling of directory paths with trailing slash. * fix: resolve webdav handshake error in permission checks - Updated role permission logic to handle bidirectional subpaths. - This adjustment fixes the issue where remote host terminates the handshake due to improper path matching. * fix: resolve webdav handshake error in permission checks (fix/fix-webdav-error) - Updated role permission logic to handle bidirectional subpaths, fixing handshake termination by remote host due to path mismatch. - Refactored function naming for consistency and clarity. - Enhanced filtering of objects based on user permissions. * fix: resolve webdav handshake error in permission checks - Updated role permission logic to handle bidirectional subpaths, fixing handshake termination by remote host due to path mismatch. - Refactored function naming for consistency and clarity. - Enhanced filtering of objects based on user permissions.
feat: add tag backup and fix bugs (#9265 )
2025-11-25 19:37:41 +08:00 · 2025-08-15 23:10:55 +08:00 · 2025-08-15 23:09:00 +08:00 · 2025-08-06 16:31:36 +08:00 · 2025-08-04 12:02:45 +08:00 · 2025-08-04 11:56:57 +08:00
30 changed files with 1649 additions and 97 deletions
--- a/drivers/123_open/api.go
+++ b/drivers/123_open/api.go
@@ -0,0 +1,191 @@
+package _123Open
+
+import (
+	"fmt"
+	"github.com/go-resty/resty/v2"
+	"net/http"
+)
+
+const (
+	// baseurl
+	ApiBaseURL = "https://open-api.123pan.com"
+
+	// auth
+	ApiToken = "/api/v1/access_token"
+
+	// file list
+	ApiFileList = "/api/v2/file/list"
+
+	// direct link
+	ApiGetDirectLink = "/api/v1/direct-link/url"
+
+	// mkdir
+	ApiMakeDir = "/upload/v1/file/mkdir"
+
+	// remove
+	ApiRemove = "/api/v1/file/trash"
+
+	// upload
+	ApiUploadDomainURL   = "/upload/v2/file/domain"
+	ApiSingleUploadURL   = "/upload/v2/file/single/create"
+	ApiCreateUploadURL   = "/upload/v2/file/create"
+	ApiUploadSliceURL    = "/upload/v2/file/slice"
+	ApiUploadCompleteURL = "/upload/v2/file/upload_complete"
+
+	// move
+	ApiMove = "/api/v1/file/move"
+
+	// rename
+	ApiRename = "/api/v1/file/name"
+)
+
+type Response[T any] struct {
+	Code    int    `json:"code"`
+	Message string `json:"message"`
+	Data    T      `json:"data"`
+}
+
+type TokenResp struct {
+	Code    int       `json:"code"`
+	Message string    `json:"message"`
+	Data    TokenData `json:"data"`
+}
+
+type TokenData struct {
+	AccessToken string `json:"accessToken"`
+	ExpiredAt   string `json:"expiredAt"`
+}
+
+type FileListResp struct {
+	Code    int          `json:"code"`
+	Message string       `json:"message"`
+	Data    FileListData `json:"data"`
+}
+
+type FileListData struct {
+	LastFileId int64  `json:"lastFileId"`
+	FileList   []File `json:"fileList"`
+}
+
+type DirectLinkResp struct {
+	Code    int            `json:"code"`
+	Message string         `json:"message"`
+	Data    DirectLinkData `json:"data"`
+}
+
+type DirectLinkData struct {
+	URL string `json:"url"`
+}
+
+type MakeDirRequest struct {
+	Name     string `json:"name"`
+	ParentID int64  `json:"parentID"`
+}
+
+type MakeDirResp struct {
+	Code    int         `json:"code"`
+	Message string      `json:"message"`
+	Data    MakeDirData `json:"data"`
+}
+
+type MakeDirData struct {
+	DirID int64 `json:"dirID"`
+}
+
+type RemoveRequest struct {
+	FileIDs []int64 `json:"fileIDs"`
+}
+
+type UploadCreateResp struct {
+	Code    int              `json:"code"`
+	Message string           `json:"message"`
+	Data    UploadCreateData `json:"data"`
+}
+
+type UploadCreateData struct {
+	FileID      int64    `json:"fileId"`
+	Reuse       bool     `json:"reuse"`
+	PreuploadID string   `json:"preuploadId"`
+	SliceSize   int64    `json:"sliceSize"`
+	Servers     []string `json:"servers"`
+}
+
+type UploadUrlResp struct {
+	Code    int           `json:"code"`
+	Message string        `json:"message"`
+	Data    UploadUrlData `json:"data"`
+}
+
+type UploadUrlData struct {
+	PresignedURL string `json:"presignedUrl"`
+}
+
+type UploadCompleteResp struct {
+	Code    int                `json:"code"`
+	Message string             `json:"message"`
+	Data    UploadCompleteData `json:"data"`
+}
+
+type UploadCompleteData struct {
+	FileID    int  `json:"fileID"`
+	Completed bool `json:"completed"`
+}
+
+func (d *Open123) Request(endpoint string, method string, setup func(*resty.Request), result any) (*resty.Response, error) {
+	client := resty.New()
+	token, err := d.tm.getToken()
+	if err != nil {
+		return nil, err
+	}
+
+	req := client.R().
+		SetHeader("Authorization", "Bearer "+token).
+		SetHeader("Platform", "open_platform").
+		SetHeader("Content-Type", "application/json").
+		SetResult(result)
+
+	if setup != nil {
+		setup(req)
+	}
+
+	switch method {
+	case http.MethodGet:
+		return req.Get(ApiBaseURL + endpoint)
+	case http.MethodPost:
+		return req.Post(ApiBaseURL + endpoint)
+	case http.MethodPut:
+		return req.Put(ApiBaseURL + endpoint)
+	default:
+		return nil, fmt.Errorf("unsupported method: %s", method)
+	}
+}
+
+func (d *Open123) RequestTo(fullURL string, method string, setup func(*resty.Request), result any) (*resty.Response, error) {
+	client := resty.New()
+
+	token, err := d.tm.getToken()
+	if err != nil {
+		return nil, err
+	}
+
+	req := client.R().
+		SetHeader("Authorization", "Bearer "+token).
+		SetHeader("Platform", "open_platform").
+		SetHeader("Content-Type", "application/json").
+		SetResult(result)
+
+	if setup != nil {
+		setup(req)
+	}
+
+	switch method {
+	case http.MethodGet:
+		return req.Get(fullURL)
+	case http.MethodPost:
+		return req.Post(fullURL)
+	case http.MethodPut:
+		return req.Put(fullURL)
+	default:
+		return nil, fmt.Errorf("unsupported method: %s", method)
+	}
+}
--- a/drivers/123_open/driver.go
+++ b/drivers/123_open/driver.go
@@ -0,0 +1,277 @@
+package _123Open
+
+import (
+	"context"
+	"fmt"
+	"github.com/alist-org/alist/v3/internal/driver"
+	"github.com/alist-org/alist/v3/internal/errs"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/stream"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/go-resty/resty/v2"
+	"net/http"
+	"strconv"
+)
+
+type Open123 struct {
+	model.Storage
+	Addition
+
+	UploadThread int
+	tm           *tokenManager
+}
+
+func (d *Open123) Config() driver.Config {
+	return config
+}
+
+func (d *Open123) GetAddition() driver.Additional {
+	return &d.Addition
+}
+
+func (d *Open123) Init(ctx context.Context) error {
+	d.tm = newTokenManager(d.ClientID, d.ClientSecret)
+
+	if _, err := d.tm.getToken(); err != nil {
+		return fmt.Errorf("token 初始化失败: %w", err)
+	}
+
+	return nil
+}
+
+func (d *Open123) Drop(ctx context.Context) error {
+	return nil
+}
+
+func (d *Open123) List(ctx context.Context, dir model.Obj, args model.ListArgs) ([]model.Obj, error) {
+	parentFileId, err := strconv.ParseInt(dir.GetID(), 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	fileLastId := int64(0)
+	var results []File
+
+	for fileLastId != -1 {
+		files, err := d.getFiles(parentFileId, 100, fileLastId)
+		if err != nil {
+			return nil, err
+		}
+		for _, f := range files.Data.FileList {
+			if f.Trashed == 0 {
+				results = append(results, f)
+			}
+		}
+		fileLastId = files.Data.LastFileId
+	}
+
+	objs := make([]model.Obj, 0, len(results))
+	for _, f := range results {
+		objs = append(objs, f)
+	}
+	return objs, nil
+}
+
+func (d *Open123) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*model.Link, error) {
+	if file.IsDir() {
+		return nil, errs.LinkIsDir
+	}
+
+	fileID := file.GetID()
+
+	var result DirectLinkResp
+	url := fmt.Sprintf("%s?fileID=%s", ApiGetDirectLink, fileID)
+	_, err := d.Request(url, http.MethodGet, nil, &result)
+	if err != nil {
+		return nil, err
+	}
+	if result.Code != 0 {
+		return nil, fmt.Errorf("get link failed: %s", result.Message)
+	}
+
+	return &model.Link{
+		URL: result.Data.URL,
+	}, nil
+}
+
+func (d *Open123) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) (model.Obj, error) {
+	parentID, err := strconv.ParseInt(parentDir.GetID(), 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid parent ID: %w", err)
+	}
+
+	var result MakeDirResp
+	reqBody := MakeDirRequest{
+		Name:     dirName,
+		ParentID: parentID,
+	}
+
+	_, err = d.Request(ApiMakeDir, http.MethodPost, func(r *resty.Request) {
+		r.SetBody(reqBody)
+	}, &result)
+	if err != nil {
+		return nil, err
+	}
+	if result.Code != 0 {
+		return nil, fmt.Errorf("mkdir failed: %s", result.Message)
+	}
+
+	newDir := File{
+		FileId:       result.Data.DirID,
+		FileName:     dirName,
+		Type:         1,
+		ParentFileId: int(parentID),
+		Size:         0,
+		Trashed:      0,
+	}
+	return newDir, nil
+}
+
+func (d *Open123) Move(ctx context.Context, srcObj, dstDir model.Obj) (model.Obj, error) {
+	srcID, err := strconv.ParseInt(srcObj.GetID(), 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid src file ID: %w", err)
+	}
+	dstID, err := strconv.ParseInt(dstDir.GetID(), 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid dest dir ID: %w", err)
+	}
+
+	var result Response[any]
+	reqBody := map[string]interface{}{
+		"fileIDs":        []int64{srcID},
+		"toParentFileID": dstID,
+	}
+
+	_, err = d.Request(ApiMove, http.MethodPost, func(r *resty.Request) {
+		r.SetBody(reqBody)
+	}, &result)
+	if err != nil {
+		return nil, err
+	}
+	if result.Code != 0 {
+		return nil, fmt.Errorf("move failed: %s", result.Message)
+	}
+
+	files, err := d.getFiles(dstID, 100, 0)
+	if err != nil {
+		return nil, fmt.Errorf("move succeed but failed to get target dir: %w", err)
+	}
+	for _, f := range files.Data.FileList {
+		if f.FileId == srcID {
+			return f, nil
+		}
+	}
+	return nil, fmt.Errorf("move succeed but file not found in target dir")
+}
+
+func (d *Open123) Rename(ctx context.Context, srcObj model.Obj, newName string) (model.Obj, error) {
+	srcID, err := strconv.ParseInt(srcObj.GetID(), 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid file ID: %w", err)
+	}
+
+	var result Response[any]
+	reqBody := map[string]interface{}{
+		"fileId":   srcID,
+		"fileName": newName,
+	}
+
+	_, err = d.Request(ApiRename, http.MethodPut, func(r *resty.Request) {
+		r.SetBody(reqBody)
+	}, &result)
+	if err != nil {
+		return nil, err
+	}
+	if result.Code != 0 {
+		return nil, fmt.Errorf("rename failed: %s", result.Message)
+	}
+
+	parentID := 0
+	if file, ok := srcObj.(File); ok {
+		parentID = file.ParentFileId
+	}
+	files, err := d.getFiles(int64(parentID), 100, 0)
+	if err != nil {
+		return nil, fmt.Errorf("rename succeed but failed to get parent dir: %w", err)
+	}
+	for _, f := range files.Data.FileList {
+		if f.FileId == srcID {
+			return f, nil
+		}
+	}
+	return nil, fmt.Errorf("rename succeed but file not found in parent dir")
+}
+
+func (d *Open123) Copy(ctx context.Context, srcObj, dstDir model.Obj) (model.Obj, error) {
+	return nil, errs.NotSupport
+}
+
+func (d *Open123) Remove(ctx context.Context, obj model.Obj) error {
+	idStr := obj.GetID()
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil {
+		return fmt.Errorf("invalid file ID: %w", err)
+	}
+
+	var result Response[any]
+	reqBody := RemoveRequest{
+		FileIDs: []int64{id},
+	}
+
+	_, err = d.Request(ApiRemove, http.MethodPost, func(r *resty.Request) {
+		r.SetBody(reqBody)
+	}, &result)
+	if err != nil {
+		return err
+	}
+	if result.Code != 0 {
+		return fmt.Errorf("remove failed: %s", result.Message)
+	}
+
+	return nil
+}
+
+func (d *Open123) Put(ctx context.Context, dstDir model.Obj, file model.FileStreamer, up driver.UpdateProgress) error {
+	parentFileId, err := strconv.ParseInt(dstDir.GetID(), 10, 64)
+	etag := file.GetHash().GetHash(utils.MD5)
+
+	if len(etag) < utils.MD5.Width {
+		up = model.UpdateProgressWithRange(up, 50, 100)
+		_, etag, err = stream.CacheFullInTempFileAndHash(file, utils.MD5)
+		if err != nil {
+			return err
+		}
+	}
+	createResp, err := d.create(parentFileId, file.GetName(), etag, file.GetSize(), 2, false)
+	if err != nil {
+		return err
+	}
+	if createResp.Data.Reuse {
+		return nil
+	}
+
+	return d.Upload(ctx, file, parentFileId, createResp, up)
+}
+
+func (d *Open123) GetArchiveMeta(ctx context.Context, obj model.Obj, args model.ArchiveArgs) (model.ArchiveMeta, error) {
+	return nil, errs.NotSupport
+}
+
+func (d *Open123) ListArchive(ctx context.Context, obj model.Obj, args model.ArchiveInnerArgs) ([]model.Obj, error) {
+	return nil, errs.NotSupport
+}
+
+func (d *Open123) Extract(ctx context.Context, obj model.Obj, args model.ArchiveInnerArgs) (*model.Link, error) {
+	return nil, errs.NotSupport
+}
+
+func (d *Open123) ArchiveDecompress(ctx context.Context, srcObj, dstDir model.Obj, args model.ArchiveDecompressArgs) ([]model.Obj, error) {
+	return nil, errs.NotSupport
+}
+
+//func (d *Open123) Other(ctx context.Context, args model.OtherArgs) (interface{}, error) {
+//	return nil, errs.NotSupport
+//}
+
+var _ driver.Driver = (*Open123)(nil)
--- a/drivers/123_open/meta.go
+++ b/drivers/123_open/meta.go
@@ -0,0 +1,33 @@
+package _123Open
+
+import (
+	"github.com/alist-org/alist/v3/internal/driver"
+	"github.com/alist-org/alist/v3/internal/op"
+)
+
+type Addition struct {
+	driver.RootID
+
+	ClientID     string `json:"client_id" required:"true" label:"Client ID"`
+	ClientSecret string `json:"client_secret" required:"true" label:"Client Secret"`
+}
+
+var config = driver.Config{
+	Name:              "123 Open",
+	LocalSort:         false,
+	OnlyLocal:         false,
+	OnlyProxy:         false,
+	NoCache:           false,
+	NoUpload:          false,
+	NeedMs:            false,
+	DefaultRoot:       "0",
+	CheckStatus:       false,
+	Alert:             "",
+	NoOverwriteUpload: false,
+}
+
+func init() {
+	op.RegisterDriver(func() driver.Driver {
+		return &Open123{}
+	})
+}
--- a/drivers/123_open/token.go
+++ b/drivers/123_open/token.go
@@ -0,0 +1,85 @@
+package _123Open
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+)
+
+const tokenURL = ApiBaseURL + ApiToken
+
+type tokenManager struct {
+	clientID     string
+	clientSecret string
+
+	mu          sync.Mutex
+	accessToken string
+	expireTime  time.Time
+}
+
+func newTokenManager(clientID, clientSecret string) *tokenManager {
+	return &tokenManager{
+		clientID:     clientID,
+		clientSecret: clientSecret,
+	}
+}
+
+func (tm *tokenManager) getToken() (string, error) {
+	tm.mu.Lock()
+	defer tm.mu.Unlock()
+
+	if tm.accessToken != "" && time.Now().Before(tm.expireTime.Add(-5*time.Minute)) {
+		return tm.accessToken, nil
+	}
+
+	reqBody := map[string]string{
+		"clientID":     tm.clientID,
+		"clientSecret": tm.clientSecret,
+	}
+	body, _ := json.Marshal(reqBody)
+	req, err := http.NewRequest("POST", tokenURL, bytes.NewBuffer(body))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Platform", "open_platform")
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	var result TokenResp
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", err
+	}
+
+	if result.Code != 0 {
+		return "", fmt.Errorf("get token failed: %s", result.Message)
+	}
+
+	tm.accessToken = result.Data.AccessToken
+	expireAt, err := time.Parse(time.RFC3339, result.Data.ExpiredAt)
+	if err != nil {
+		return "", fmt.Errorf("parse expire time failed: %w", err)
+	}
+	tm.expireTime = expireAt
+
+	return tm.accessToken, nil
+}
+
+func (tm *tokenManager) buildHeaders() (http.Header, error) {
+	token, err := tm.getToken()
+	if err != nil {
+		return nil, err
+	}
+	header := http.Header{}
+	header.Set("Authorization", "Bearer "+token)
+	header.Set("Platform", "open_platform")
+	header.Set("Content-Type", "application/json")
+	return header, nil
+}
--- a/drivers/123_open/types.go
+++ b/drivers/123_open/types.go
@@ -0,0 +1,70 @@
+package _123Open
+
+import (
+	"fmt"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"time"
+)
+
+type File struct {
+	FileName     string `json:"filename"`
+	Size         int64  `json:"size"`
+	CreateAt     string `json:"createAt"`
+	UpdateAt     string `json:"updateAt"`
+	FileId       int64  `json:"fileId"`
+	Type         int    `json:"type"`
+	Etag         string `json:"etag"`
+	S3KeyFlag    string `json:"s3KeyFlag"`
+	ParentFileId int    `json:"parentFileId"`
+	Category     int    `json:"category"`
+	Status       int    `json:"status"`
+	Trashed      int    `json:"trashed"`
+}
+
+func (f File) GetID() string {
+	return fmt.Sprint(f.FileId)
+}
+
+func (f File) GetName() string {
+	return f.FileName
+}
+
+func (f File) GetSize() int64 {
+	return f.Size
+}
+
+func (f File) IsDir() bool {
+	return f.Type == 1
+}
+
+func (f File) GetModified() string {
+	return f.UpdateAt
+}
+
+func (f File) GetThumb() string {
+	return ""
+}
+
+func (f File) ModTime() time.Time {
+	t, err := time.Parse("2006-01-02 15:04:05", f.UpdateAt)
+	if err != nil {
+		return time.Time{}
+	}
+	return t
+}
+
+func (f File) CreateTime() time.Time {
+	t, err := time.Parse("2006-01-02 15:04:05", f.CreateAt)
+	if err != nil {
+		return time.Time{}
+	}
+	return t
+}
+
+func (f File) GetHash() utils.HashInfo {
+	return utils.NewHashInfo(utils.MD5, f.Etag)
+}
+
+func (f File) GetPath() string {
+	return ""
+}
--- a/drivers/123_open/upload.go
+++ b/drivers/123_open/upload.go
@@ -0,0 +1,282 @@
+package _123Open
+
+import (
+	"bytes"
+	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"github.com/alist-org/alist/v3/drivers/base"
+	"github.com/alist-org/alist/v3/internal/driver"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/stream"
+	"github.com/alist-org/alist/v3/pkg/http_range"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/go-resty/resty/v2"
+	"golang.org/x/sync/errgroup"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"runtime"
+	"strconv"
+	"time"
+)
+
+func (d *Open123) create(parentFileID int64, filename, etag string, size int64, duplicate int, containDir bool) (*UploadCreateResp, error) {
+	var resp UploadCreateResp
+
+	_, err := d.Request(ApiCreateUploadURL, http.MethodPost, func(req *resty.Request) {
+		body := base.Json{
+			"parentFileID": parentFileID,
+			"filename":     filename,
+			"etag":         etag,
+			"size":         size,
+		}
+		if duplicate > 0 {
+			body["duplicate"] = duplicate
+		}
+		if containDir {
+			body["containDir"] = true
+		}
+		req.SetBody(body)
+	}, &resp)
+
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+func (d *Open123) GetUploadDomains() ([]string, error) {
+	var resp struct {
+		Code    int      `json:"code"`
+		Message string   `json:"message"`
+		Data    []string `json:"data"`
+	}
+
+	_, err := d.Request(ApiUploadDomainURL, http.MethodGet, nil, &resp)
+	if err != nil {
+		return nil, err
+	}
+	if resp.Code != 0 {
+		return nil, fmt.Errorf("get upload domain failed: %s", resp.Message)
+	}
+	return resp.Data, nil
+}
+
+func (d *Open123) UploadSingle(ctx context.Context, createResp *UploadCreateResp, file model.FileStreamer, parentID int64) error {
+	domain := createResp.Data.Servers[0]
+
+	etag := file.GetHash().GetHash(utils.MD5)
+	if len(etag) < utils.MD5.Width {
+		_, _, err := stream.CacheFullInTempFileAndHash(file, utils.MD5)
+		if err != nil {
+			return err
+		}
+	}
+
+	reader, err := file.RangeRead(http_range.Range{Start: 0, Length: file.GetSize()})
+	if err != nil {
+		return err
+	}
+	reader = driver.NewLimitedUploadStream(ctx, reader)
+
+	var b bytes.Buffer
+	mw := multipart.NewWriter(&b)
+	mw.WriteField("parentFileID", fmt.Sprint(parentID))
+	mw.WriteField("filename", file.GetName())
+	mw.WriteField("etag", etag)
+	mw.WriteField("size", fmt.Sprint(file.GetSize()))
+	fw, _ := mw.CreateFormFile("file", file.GetName())
+	_, err = io.Copy(fw, reader)
+	mw.Close()
+
+	req, err := http.NewRequestWithContext(ctx, "POST", domain+ApiSingleUploadURL, &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", "Bearer "+d.tm.accessToken)
+	req.Header.Set("Platform", "open_platform")
+	req.Header.Set("Content-Type", mw.FormDataContentType())
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		Code    int    `json:"code"`
+		Message string `json:"message"`
+		Data    struct {
+			FileID    int64 `json:"fileID"`
+			Completed bool  `json:"completed"`
+		} `json:"data"`
+	}
+	body, _ := io.ReadAll(resp.Body)
+	if err := json.Unmarshal(body, &result); err != nil {
+		return fmt.Errorf("unmarshal response error: %v, body: %s", err, string(body))
+	}
+	if result.Code != 0 {
+		return fmt.Errorf("upload failed: %s", result.Message)
+	}
+	if !result.Data.Completed || result.Data.FileID == 0 {
+		return fmt.Errorf("upload incomplete or missing fileID")
+	}
+	return nil
+}
+
+func (d *Open123) Upload(ctx context.Context, file model.FileStreamer, parentID int64, createResp *UploadCreateResp, up driver.UpdateProgress) error {
+	if cacher, ok := file.(interface{ CacheFullInTempFile() (model.File, error) }); ok {
+		if _, err := cacher.CacheFullInTempFile(); err != nil {
+			return err
+		}
+	}
+
+	size := file.GetSize()
+	chunkSize := createResp.Data.SliceSize
+	uploadNums := (size + chunkSize - 1) / chunkSize
+	uploadDomain := createResp.Data.Servers[0]
+
+	if d.UploadThread <= 0 {
+		cpuCores := runtime.NumCPU()
+		threads := cpuCores * 2
+		if threads < 4 {
+			threads = 4
+		}
+		if threads > 16 {
+			threads = 16
+		}
+		d.UploadThread = threads
+		fmt.Printf("[Upload] Auto set upload concurrency: %d (CPU cores=%d)\n", d.UploadThread, cpuCores)
+	}
+
+	fmt.Printf("[Upload] File size: %d bytes, chunk size: %d bytes, total slices: %d, concurrency: %d\n",
+		size, chunkSize, uploadNums, d.UploadThread)
+
+	if size <= 1<<30 {
+		return d.UploadSingle(ctx, createResp, file, parentID)
+	}
+
+	if createResp.Data.Reuse {
+		up(100)
+		return nil
+	}
+
+	client := resty.New()
+	semaphore := make(chan struct{}, d.UploadThread)
+	threadG, _ := errgroup.WithContext(ctx)
+
+	var progressArr = make([]int64, uploadNums)
+
+	for partIndex := int64(0); partIndex < uploadNums; partIndex++ {
+		partIndex := partIndex
+		semaphore <- struct{}{}
+
+		threadG.Go(func() error {
+			defer func() { <-semaphore }()
+			offset := partIndex * chunkSize
+			length := min(chunkSize, size-offset)
+			partNumber := partIndex + 1
+
+			fmt.Printf("[Slice %d] Starting read from offset %d, length %d\n", partNumber, offset, length)
+			reader, err := file.RangeRead(http_range.Range{Start: offset, Length: length})
+			if err != nil {
+				return fmt.Errorf("[Slice %d] RangeRead error: %v", partNumber, err)
+			}
+
+			buf := make([]byte, length)
+			n, err := io.ReadFull(reader, buf)
+			if err != nil && err != io.EOF {
+				return fmt.Errorf("[Slice %d] Read error: %v", partNumber, err)
+			}
+			buf = buf[:n]
+			hash := md5.Sum(buf)
+			sliceMD5Str := hex.EncodeToString(hash[:])
+
+			body := &bytes.Buffer{}
+			writer := multipart.NewWriter(body)
+			writer.WriteField("preuploadID", createResp.Data.PreuploadID)
+			writer.WriteField("sliceNo", strconv.FormatInt(partNumber, 10))
+			writer.WriteField("sliceMD5", sliceMD5Str)
+			partName := fmt.Sprintf("%s.part%d", file.GetName(), partNumber)
+			fw, _ := writer.CreateFormFile("slice", partName)
+			fw.Write(buf)
+			writer.Close()
+
+			resp, err := client.R().
+				SetHeader("Authorization", "Bearer "+d.tm.accessToken).
+				SetHeader("Platform", "open_platform").
+				SetHeader("Content-Type", writer.FormDataContentType()).
+				SetBody(body.Bytes()).
+				Post(uploadDomain + ApiUploadSliceURL)
+
+			if err != nil {
+				return fmt.Errorf("[Slice %d] Upload HTTP error: %v", partNumber, err)
+			}
+			if resp.StatusCode() != 200 {
+				return fmt.Errorf("[Slice %d] Upload failed with status: %s, resp: %s", partNumber, resp.Status(), resp.String())
+			}
+
+			progressArr[partIndex] = length
+			var totalUploaded int64 = 0
+			for _, v := range progressArr {
+				totalUploaded += v
+			}
+			if up != nil {
+				percent := float64(totalUploaded) / float64(size) * 100
+				up(percent)
+			}
+
+			fmt.Printf("[Slice %d] MD5: %s\n", partNumber, sliceMD5Str)
+			fmt.Printf("[Slice %d] Upload finished\n", partNumber)
+			return nil
+		})
+	}
+
+	if err := threadG.Wait(); err != nil {
+		return err
+	}
+
+	var completeResp struct {
+		Code    int    `json:"code"`
+		Message string `json:"message"`
+		Data    struct {
+			Completed bool  `json:"completed"`
+			FileID    int64 `json:"fileID"`
+		} `json:"data"`
+	}
+
+	for {
+		reqBody := fmt.Sprintf(`{"preuploadID":"%s"}`, createResp.Data.PreuploadID)
+		req, err := http.NewRequestWithContext(ctx, "POST", uploadDomain+ApiUploadCompleteURL, bytes.NewBufferString(reqBody))
+		if err != nil {
+			return err
+		}
+		req.Header.Set("Authorization", "Bearer "+d.tm.accessToken)
+		req.Header.Set("Platform", "open_platform")
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return err
+		}
+		body, _ := io.ReadAll(resp.Body)
+		resp.Body.Close()
+
+		if err := json.Unmarshal(body, &completeResp); err != nil {
+			return fmt.Errorf("completion response unmarshal error: %v, body: %s", err, string(body))
+		}
+		if completeResp.Code != 0 {
+			return fmt.Errorf("completion API returned error code %d: %s", completeResp.Code, completeResp.Message)
+		}
+		if completeResp.Data.Completed && completeResp.Data.FileID != 0 {
+			fmt.Printf("[Upload] Upload completed successfully. FileID: %d\n", completeResp.Data.FileID)
+			break
+		}
+		time.Sleep(time.Second)
+	}
+	up(100)
+	return nil
+}
--- a/drivers/123_open/util.go
+++ b/drivers/123_open/util.go
@@ -0,0 +1,20 @@
+package _123Open
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func (d *Open123) getFiles(parentFileId int64, limit int, lastFileId int64) (*FileListResp, error) {
+	var result FileListResp
+	url := fmt.Sprintf("%s?parentFileId=%d&limit=%d&lastFileId=%d", ApiFileList, parentFileId, limit, lastFileId)
+
+	_, err := d.Request(url, http.MethodGet, nil, &result)
+	if err != nil {
+		return nil, err
+	}
+	if result.Code != 0 {
+		return nil, fmt.Errorf("list error: %s", result.Message)
+	}
+	return &result, nil
+}
--- a/drivers/alist_v3/types.go
+++ b/drivers/alist_v3/types.go
@@ -1,6 +1,7 @@
 package alist_v3

 import (
+	"encoding/json"
 	"time"

 	"github.com/alist-org/alist/v3/internal/model"
@@ -72,15 +73,15 @@ type LoginResp struct {
 }

 type MeResp struct {
-	Id         int    `json:"id"`
-	Username   string `json:"username"`
-	Password   string `json:"password"`
-	BasePath   string `json:"base_path"`
-	Role       []int  `json:"role"`
-	Disabled   bool   `json:"disabled"`
-	Permission int    `json:"permission"`
-	SsoId      string `json:"sso_id"`
-	Otp        bool   `json:"otp"`
+	Id         int      `json:"id"`
+	Username   string   `json:"username"`
+	Password   string   `json:"password"`
+	BasePath   string   `json:"base_path"`
+	Role       IntSlice `json:"role"`
+	Disabled   bool     `json:"disabled"`
+	Permission int      `json:"permission"`
+	SsoId      string   `json:"sso_id"`
+	Otp        bool     `json:"otp"`
 }

 type ArchiveMetaReq struct {
@@ -168,3 +169,17 @@ type DecompressReq struct {
 	PutIntoNewDir bool     `json:"put_into_new_dir"`
 	SrcDir        string   `json:"src_dir"`
 }
+
+type IntSlice []int
+
+func (s *IntSlice) UnmarshalJSON(data []byte) error {
+	if len(data) > 0 && data[0] == '[' {
+		return json.Unmarshal(data, (*[]int)(s))
+	}
+	var single int
+	if err := json.Unmarshal(data, &single); err != nil {
+		return err
+	}
+	*s = []int{single}
+	return nil
+}
--- a/drivers/all.go
+++ b/drivers/all.go
@@ -6,6 +6,7 @@ import (
 	_ "github.com/alist-org/alist/v3/drivers/115_share"
 	_ "github.com/alist-org/alist/v3/drivers/123"
 	_ "github.com/alist-org/alist/v3/drivers/123_link"
+	_ "github.com/alist-org/alist/v3/drivers/123_open"
 	_ "github.com/alist-org/alist/v3/drivers/123_share"
 	_ "github.com/alist-org/alist/v3/drivers/139"
 	_ "github.com/alist-org/alist/v3/drivers/189"
--- a/internal/bootstrap/log.go
+++ b/internal/bootstrap/log.go
@@ -14,10 +14,14 @@ import (

 func init() {
 	formatter := logrus.TextFormatter{
-		ForceColors:               true,
-		EnvironmentOverrideColors: true,
-		TimestampFormat:           "2006-01-02 15:04:05",
-		FullTimestamp:             true,
+		TimestampFormat: "2006-01-02 15:04:05",
+		FullTimestamp:   true,
+	}
+	if os.Getenv("NO_COLOR") != "" || os.Getenv("ALIST_NO_COLOR") == "1" {
+		formatter.DisableColors = true
+	} else {
+		formatter.ForceColors = true
+		formatter.EnvironmentOverrideColors = true
 	}
 	logrus.SetFormatter(&formatter)
 	utils.Log.SetFormatter(&formatter)
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -12,7 +12,7 @@ var db *gorm.DB

 func Init(d *gorm.DB) {
 	db = d
-	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinDing), new(model.ObjFile))
+	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinding), new(model.ObjFile))
 	if err != nil {
 		log.Fatalf("failed migrate database: %s", err.Error())
 	}
--- a/internal/db/label_file_binding.go
+++ b/internal/db/label_file_binding.go
@@ -1,15 +1,18 @@
 package db

 import (
+	"fmt"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/pkg/errors"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
 	"time"
 )

 // GetLabelIds Get all label_ids from database order by file_name
 func GetLabelIds(userId uint, fileName string) ([]uint, error) {
-	labelFileBinDingDB := db.Model(&model.LabelFileBinDing{})
+	//fmt.Printf(">>> [GetLabelIds] userId: %d, fileName: %s\n", userId, fileName)
+	labelFileBinDingDB := db.Model(&model.LabelFileBinding{})
 	var labelIds []uint
 	if err := labelFileBinDingDB.Where("file_name = ?", fileName).Where("user_id = ?", userId).Pluck("label_id", &labelIds).Error; err != nil {
 		return nil, errors.WithStack(err)
@@ -18,7 +21,7 @@ func GetLabelIds(userId uint, fileName string) ([]uint, error) {
 }

 func CreateLabelFileBinDing(fileName string, labelId, userId uint) error {
-	var labelFileBinDing model.LabelFileBinDing
+	var labelFileBinDing model.LabelFileBinding
 	labelFileBinDing.UserId = userId
 	labelFileBinDing.LabelId = labelId
 	labelFileBinDing.FileName = fileName
@@ -32,7 +35,7 @@ func CreateLabelFileBinDing(fileName string, labelId, userId uint) error {

 // GetLabelFileBinDingByLabelIdExists Get Label by label_id, used to del label usually
 func GetLabelFileBinDingByLabelIdExists(labelId, userId uint) bool {
-	var labelFileBinDing model.LabelFileBinDing
+	var labelFileBinDing model.LabelFileBinding
 	result := db.Where("label_id = ?", labelId).Where("user_id = ?", userId).First(&labelFileBinDing)
 	exists := !errors.Is(result.Error, gorm.ErrRecordNotFound)
 	return exists
@@ -40,17 +43,150 @@ func GetLabelFileBinDingByLabelIdExists(labelId, userId uint) bool {

 // DelLabelFileBinDingByFileName used to del usually
 func DelLabelFileBinDingByFileName(userId uint, fileName string) error {
-	return errors.WithStack(db.Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinDing{}).Error)
+	return errors.WithStack(db.Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinding{}).Error)
 }

 // DelLabelFileBinDingById used to del usually
 func DelLabelFileBinDingById(labelId, userId uint, fileName string) error {
-	return errors.WithStack(db.Where("label_id = ?", labelId).Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinDing{}).Error)
+	return errors.WithStack(db.Where("label_id = ?", labelId).Where("file_name = ?", fileName).Where("user_id = ?", userId).Delete(model.LabelFileBinding{}).Error)
 }

-func GetLabelFileBinDingByLabelId(labelIds []uint, userId uint) (result []model.LabelFileBinDing, err error) {
+func GetLabelFileBinDingByLabelId(labelIds []uint, userId uint) (result []model.LabelFileBinding, err error) {
 	if err := db.Where("label_id in (?)", labelIds).Where("user_id = ?", userId).Find(&result).Error; err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return result, nil
 }
+
+func GetLabelBindingsByFileNamesPublic(fileNames []string) (map[string][]uint, error) {
+	var binds []model.LabelFileBinding
+	if err := db.Where("file_name IN ?", fileNames).Find(&binds).Error; err != nil {
+		return nil, errors.WithStack(err)
+	}
+	out := make(map[string][]uint, len(fileNames))
+	seen := make(map[string]struct{}, len(binds))
+	for _, b := range binds {
+		key := fmt.Sprintf("%s-%d", b.FileName, b.LabelId)
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+		out[b.FileName] = append(out[b.FileName], b.LabelId)
+	}
+	return out, nil
+}
+
+func GetLabelsByFileNamesPublic(fileNames []string) (map[string][]model.Label, error) {
+	bindMap, err := GetLabelBindingsByFileNamesPublic(fileNames)
+	if err != nil {
+		return nil, err
+	}
+
+	idSet := make(map[uint]struct{})
+	for _, ids := range bindMap {
+		for _, id := range ids {
+			idSet[id] = struct{}{}
+		}
+	}
+	if len(idSet) == 0 {
+		return make(map[string][]model.Label, 0), nil
+	}
+	allIDs := make([]uint, 0, len(idSet))
+	for id := range idSet {
+		allIDs = append(allIDs, id)
+	}
+	labels, err := GetLabelByIds(allIDs) // 你已有的函数
+	if err != nil {
+		return nil, err
+	}
+
+	labelByID := make(map[uint]model.Label, len(labels))
+	for _, l := range labels {
+		labelByID[l.ID] = l
+	}
+
+	out := make(map[string][]model.Label, len(bindMap))
+	for fname, ids := range bindMap {
+		for _, id := range ids {
+			if lab, ok := labelByID[id]; ok {
+				out[fname] = append(out[fname], lab)
+			}
+		}
+	}
+	return out, nil
+}
+
+func ListLabelFileBinDing(userId uint, labelIDs []uint, fileName string, page, pageSize int) ([]model.LabelFileBinding, int64, error) {
+	q := db.Model(&model.LabelFileBinding{}).Where("user_id = ?", userId)
+
+	if len(labelIDs) > 0 {
+		q = q.Where("label_id IN ?", labelIDs)
+	}
+	if fileName != "" {
+		q = q.Where("file_name LIKE ?", "%"+fileName+"%")
+	}
+
+	var total int64
+	if err := q.Count(&total).Error; err != nil {
+		return nil, 0, errors.WithStack(err)
+	}
+
+	var rows []model.LabelFileBinding
+	if err := q.
+		Order("id DESC").
+		Offset((page - 1) * pageSize).
+		Limit(pageSize).
+		Find(&rows).Error; err != nil {
+		return nil, 0, errors.WithStack(err)
+	}
+	return rows, total, nil
+}
+
+func RestoreLabelFileBindings(bindings []model.LabelFileBinding, keepIDs bool, override bool) error {
+	if len(bindings) == 0 {
+		return nil
+	}
+	tx := db.Begin()
+
+	if override {
+		type key struct {
+			uid  uint
+			name string
+		}
+		toDel := make(map[key]struct{}, len(bindings))
+		for i := range bindings {
+			k := key{uid: bindings[i].UserId, name: bindings[i].FileName}
+			toDel[k] = struct{}{}
+		}
+		for k := range toDel {
+			if err := tx.Where("user_id = ? AND file_name = ?", k.uid, k.name).
+				Delete(&model.LabelFileBinding{}).Error; err != nil {
+				tx.Rollback()
+				return errors.WithStack(err)
+			}
+		}
+	}
+
+	for i := range bindings {
+		b := bindings[i]
+		if !keepIDs {
+			b.ID = 0
+		}
+		if b.CreateTime.IsZero() {
+			b.CreateTime = time.Now()
+		}
+		if override {
+			if err := tx.Create(&b).Error; err != nil {
+				tx.Rollback()
+				return errors.WithStack(err)
+			}
+		} else {
+			if err := tx.Clauses(clause.OnConflict{DoNothing: true}).Create(&b).Error; err != nil {
+				tx.Rollback()
+				return errors.WithStack(err)
+			}
+		}
+	}
+
+	return errors.WithStack(tx.Commit().Error)
+}
--- a/internal/errs/driver.go
+++ b/internal/errs/driver.go
@@ -4,4 +4,5 @@ import "errors"

 var (
 	EmptyToken = errors.New("empty token")
+	LinkIsDir  = errors.New("link is dir")
 )
--- a/internal/errs/role.go
+++ b/internal/errs/role.go
@@ -3,5 +3,5 @@ package errs
 import "errors"

 var (
-	ErrChangeDefaultRole = errors.New("cannot modify admin or guest role")
+	ErrChangeDefaultRole = errors.New("cannot modify admin role")
 )
--- a/internal/model/label_file_binding.go
+++ b/internal/model/label_file_binding.go
@@ -2,7 +2,7 @@ package model

 import "time"

-type LabelFileBinDing struct {
+type LabelFileBinding struct {
 	ID         uint      `json:"id" gorm:"primaryKey"` // unique key
 	UserId     uint      `json:"user_id"`              // use to user_id
 	LabelId    uint      `json:"label_id"`             // use to label_id
--- a/internal/model/obj.go
+++ b/internal/model/obj.go
@@ -55,6 +55,21 @@ type FileStreamer interface {

 type UpdateProgress func(percentage float64)

+// Reference implementation from OpenListTeam:
+// https://github.com/OpenListTeam/OpenList/blob/a703b736c9346c483bae56905a39bc07bf781cff/internal/model/obj.go#L58
+func UpdateProgressWithRange(inner UpdateProgress, start, end float64) UpdateProgress {
+	return func(p float64) {
+		if p < 0 {
+			p = 0
+		}
+		if p > 100 {
+			p = 100
+		}
+		scaled := start + (end-start)*(p/100.0)
+		inner(scaled)
+	}
+}
+
 type URL interface {
 	URL() string
 }
--- a/internal/model/user.go
+++ b/internal/model/user.go
@@ -145,13 +145,28 @@ func (u *User) CheckPathLimit() bool {
 }

 func (u *User) JoinPath(reqPath string) (string, error) {
+	if reqPath == "/" {
+		return utils.FixAndCleanPath(u.BasePath), nil
+	}
 	path, err := utils.JoinBasePath(u.BasePath, reqPath)
 	if err != nil {
 		return "", err
 	}
-	if u.CheckPathLimit() && !utils.IsSubPath(u.BasePath, path) {
-		return "", errs.PermissionDenied
+
+	if path != "/" && u.CheckPathLimit() {
+		basePaths := GetAllBasePathsFromRoles(u)
+		match := false
+		for _, base := range basePaths {
+			if utils.IsSubPath(base, path) {
+				match = true
+				break
+			}
+		}
+		if !match {
+			return "", errs.PermissionDenied
+		}
 	}
+
 	return path, nil
 }

@@ -193,3 +208,33 @@ func (u *User) WebAuthnCredentials() []webauthn.Credential {
 func (u *User) WebAuthnIcon() string {
 	return "https://alistgo.com/logo.svg"
 }
+
+// FetchRole is used to load role details by id. It should be set by the op package
+// to avoid an import cycle between model and op.
+var FetchRole func(uint) (*Role, error)
+
+// GetAllBasePathsFromRoles returns all permission paths from user's roles
+func GetAllBasePathsFromRoles(u *User) []string {
+	basePaths := make([]string, 0)
+	seen := make(map[string]struct{})
+
+	for _, rid := range u.Role {
+		if FetchRole == nil {
+			continue
+		}
+		role, err := FetchRole(uint(rid))
+		if err != nil || role == nil {
+			continue
+		}
+		for _, entry := range role.PermissionScopes {
+			if entry.Path == "" {
+				continue
+			}
+			if _, ok := seen[entry.Path]; !ok {
+				basePaths = append(basePaths, entry.Path)
+				seen[entry.Path] = struct{}{}
+			}
+		}
+	}
+	return basePaths
+}
--- a/internal/op/label_file_binding.go
+++ b/internal/op/label_file_binding.go
@@ -23,6 +23,7 @@ type CreateLabelFileBinDingReq struct {
 	Type        int       `json:"type"`
 	HashInfoStr string    `json:"hashinfo"`
 	LabelIds    string    `json:"label_ids"`
+	LabelIDs    []uint64  `json:"labelIdList"`
 }

 type ObjLabelResp struct {
@@ -54,23 +55,29 @@ func GetLabelByFileName(userId uint, fileName string) ([]model.Label, error) {
 	return labels, nil
 }

+func GetLabelsByFileNamesPublic(fileNames []string) (map[string][]model.Label, error) {
+	return db.GetLabelsByFileNamesPublic(fileNames)
+}
+
 func CreateLabelFileBinDing(req CreateLabelFileBinDingReq, userId uint) error {
 	if err := db.DelLabelFileBinDingByFileName(userId, req.Name); err != nil {
 		return errors.WithMessage(err, "failed del label_file_bin_ding in database")
 	}
-	if req.LabelIds == "" {
+
+	ids, err := collectLabelIDs(req)
+	if err != nil {
+		return err
+	}
+	if len(ids) == 0 {
 		return nil
 	}
-	labelMap := strings.Split(req.LabelIds, ",")
-	for _, value := range labelMap {
-		labelId, err := strconv.ParseUint(value, 10, 64)
-		if err != nil {
-			return fmt.Errorf("invalid label ID '%s': %v", value, err)
-		}
-		if err = db.CreateLabelFileBinDing(req.Name, uint(labelId), userId); err != nil {
+
+	for _, id := range ids {
+		if err = db.CreateLabelFileBinDing(req.Name, uint(id), userId); err != nil {
 			return errors.WithMessage(err, "failed labels in database")
 		}
 	}
+
 	if !db.GetFileByNameExists(req.Name) {
 		objFile := model.ObjFile{
 			Id:          req.Id,
@@ -86,8 +93,7 @@ func CreateLabelFileBinDing(req CreateLabelFileBinDingReq, userId uint) error {
 			Type:        req.Type,
 			HashInfoStr: req.HashInfoStr,
 		}
-		err := db.CreateObjFile(objFile)
-		if err != nil {
+		if err := db.CreateObjFile(objFile); err != nil {
 			return errors.WithMessage(err, "failed file in database")
 		}
 	}
@@ -97,7 +103,7 @@ func CreateLabelFileBinDing(req CreateLabelFileBinDingReq, userId uint) error {
 func GetFileByLabel(userId uint, labelId string) (result []ObjLabelResp, err error) {
 	labelMap := strings.Split(labelId, ",")
 	var labelIds []uint
-	var labelsFile []model.LabelFileBinDing
+	var labelsFile []model.LabelFileBinding
 	var labels []model.Label
 	var labelsFileMap = make(map[string][]model.Label)
 	var labelsMap = make(map[uint]model.Label)
@@ -157,3 +163,33 @@ func StringSliceToUintSlice(strSlice []string) ([]uint, error) {
 	}
 	return uintSlice, nil
 }
+
+func RestoreLabelFileBindings(bindings []model.LabelFileBinding, keepIDs bool, override bool) error {
+	return db.RestoreLabelFileBindings(bindings, keepIDs, override)
+}
+
+func collectLabelIDs(req CreateLabelFileBinDingReq) ([]uint64, error) {
+	if len(req.LabelIDs) > 0 {
+		return req.LabelIDs, nil
+	}
+	s := strings.TrimSpace(req.LabelIds)
+	if s == "" {
+		return nil, nil
+	}
+	replacer := strings.NewReplacer("，", ",", "、", ",", "；", ",", ";", ",")
+	s = replacer.Replace(s)
+	parts := strings.Split(s, ",")
+	ids := make([]uint64, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		id, err := strconv.ParseUint(p, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid label ID '%s': %v", p, err)
+		}
+		ids = append(ids, id)
+	}
+	return ids, nil
+}
--- a/internal/op/role.go
+++ b/internal/op/role.go
@@ -2,7 +2,6 @@ package op

 import (
 	"fmt"
-	"github.com/pkg/errors"
 	"time"

 	"github.com/Xhofe/go-cache"
@@ -16,6 +15,10 @@ import (
 var roleCache = cache.NewMemCache[*model.Role](cache.WithShards[*model.Role](2))
 var roleG singleflight.Group[*model.Role]

+func init() {
+	model.FetchRole = GetRole
+}
+
 func GetRole(id uint) (*model.Role, error) {
 	key := fmt.Sprint(id)
 	if r, ok := roleCache.Get(key); ok {
@@ -106,26 +109,26 @@ func UpdateRole(r *model.Role) error {
 	for i := range r.PermissionScopes {
 		r.PermissionScopes[i].Path = utils.FixAndCleanPath(r.PermissionScopes[i].Path)
 	}
-	if len(old.PermissionScopes) > 0 && len(r.PermissionScopes) > 0 &&
-		old.PermissionScopes[0].Path != r.PermissionScopes[0].Path {
-
-		oldPath := old.PermissionScopes[0].Path
-		newPath := r.PermissionScopes[0].Path
-
-		users, err := db.GetUsersByRole(int(r.ID))
-		if err != nil {
-			return errors.WithMessage(err, "failed to get users by role")
-		}
-
-		modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldPath, newPath, users)
-		if err != nil {
-			return errors.WithMessage(err, "failed to update user base path when role updated")
-		}
-
-		for _, name := range modifiedUsernames {
-			userCache.Del(name)
-		}
-	}
+	//if len(old.PermissionScopes) > 0 && len(r.PermissionScopes) > 0 &&
+	//	old.PermissionScopes[0].Path != r.PermissionScopes[0].Path {
+	//
+	//	oldPath := old.PermissionScopes[0].Path
+	//	newPath := r.PermissionScopes[0].Path
+	//
+	//	users, err := db.GetUsersByRole(int(r.ID))
+	//	if err != nil {
+	//		return errors.WithMessage(err, "failed to get users by role")
+	//	}
+	//
+	//	modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldPath, newPath, users)
+	//	if err != nil {
+	//		return errors.WithMessage(err, "failed to update user base path when role updated")
+	//	}
+	//
+	//	for _, name := range modifiedUsernames {
+	//		userCache.Del(name)
+	//	}
+	//}
 	roleCache.Del(fmt.Sprint(r.ID))
 	roleCache.Del(r.Name)
 	return db.UpdateRole(r)
--- a/internal/op/storage.go
+++ b/internal/op/storage.go
@@ -232,12 +232,20 @@ func UpdateStorage(ctx context.Context, storage model.Storage) error {
 			roleCache.Del(fmt.Sprint(id))
 		}

-		modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldStorage.MountPath, storage.MountPath)
-		if err != nil {
-			return errors.WithMessage(err, "failed to update user base path")
-		}
-		for _, name := range modifiedUsernames {
-			userCache.Del(name)
+		//modifiedUsernames, err := db.UpdateUserBasePathPrefix(oldStorage.MountPath, storage.MountPath)
+		//if err != nil {
+		//	return errors.WithMessage(err, "failed to update user base path")
+		//}
+		for _, id := range modifiedRoleIDs {
+			roleCache.Del(fmt.Sprint(id))
+
+			users, err := db.GetUsersByRole(int(id))
+			if err != nil {
+				return errors.WithMessage(err, "failed to get users by role")
+			}
+			for _, user := range users {
+				userCache.Del(user.Username)
+			}
 		}
 	}
 	if err != nil {
--- a/internal/op/user.go
+++ b/internal/op/user.go
@@ -50,6 +50,10 @@ func GetUserByRole(role int) (*model.User, error) {
 	return db.GetUserByRole(role)
 }

+func GetUsersByRole(role int) ([]model.User, error) {
+	return db.GetUsersByRole(role)
+}
+
 func GetUserByName(username string) (*model.User, error) {
 	if username == "" {
 		return nil, errs.EmptyUsername
@@ -124,17 +128,17 @@ func UpdateUser(u *model.User) error {
 	}
 	userCache.Del(old.Username)
 	u.BasePath = utils.FixAndCleanPath(u.BasePath)
-	if len(u.Role) > 0 {
-		roles, err := GetRolesByUserID(u.ID)
-		if err == nil {
-			for _, role := range roles {
-				if len(role.PermissionScopes) > 0 {
-					u.BasePath = utils.FixAndCleanPath(role.PermissionScopes[0].Path)
-					break
-				}
-			}
-		}
-	}
+	//if len(u.Role) > 0 {
+	//	roles, err := GetRolesByUserID(u.ID)
+	//	if err == nil {
+	//		for _, role := range roles {
+	//			if len(role.PermissionScopes) > 0 {
+	//				u.BasePath = utils.FixAndCleanPath(role.PermissionScopes[0].Path)
+	//				break
+	//			}
+	//		}
+	//	}
+	//}
 	return db.UpdateUser(u)
 }

--- a/pkg/utils/path.go
+++ b/pkg/utils/path.go
@@ -88,6 +88,13 @@ func JoinBasePath(basePath, reqPath string) (string, error) {
 		strings.Contains(reqPath, "/../") {
 		return "", errs.RelativePath
 	}
+
+	reqPath = FixAndCleanPath(reqPath)
+
+	if strings.HasPrefix(reqPath, "/") {
+		return reqPath, nil
+	}
+
 	return stdpath.Join(FixAndCleanPath(basePath), FixAndCleanPath(reqPath)), nil
 }

--- a/server/common/role_perm.go
+++ b/server/common/role_perm.go
@@ -43,17 +43,23 @@ func MergeRolePermissions(u *model.User, reqPath string) int32 {
 		if err != nil {
 			continue
 		}
-		for _, entry := range role.PermissionScopes {
-			if utils.IsSubPath(entry.Path, reqPath) {
+		if reqPath == "/" || utils.PathEqual(reqPath, u.BasePath) {
+			for _, entry := range role.PermissionScopes {
 				perm |= entry.Permission
 			}
+		} else {
+			for _, entry := range role.PermissionScopes {
+				if utils.IsSubPath(entry.Path, reqPath) {
+					perm |= entry.Permission
+				}
+			}
 		}
 	}
 	return perm
 }

 func CanAccessWithRoles(u *model.User, meta *model.Meta, reqPath, password string) bool {
-	if !canReadPathByRole(u, reqPath) {
+	if !CanReadPathByRole(u, reqPath) {
 		return false
 	}
 	perm := MergeRolePermissions(u, reqPath)
@@ -78,7 +84,30 @@ func CanAccessWithRoles(u *model.User, meta *model.Meta, reqPath, password strin
 	return meta.Password == password
 }

-func canReadPathByRole(u *model.User, reqPath string) bool {
+func CanReadPathByRole(u *model.User, reqPath string) bool {
+	if u == nil {
+		return false
+	}
+	if reqPath == "/" || utils.PathEqual(reqPath, u.BasePath) {
+		return len(u.Role) > 0
+	}
+	for _, rid := range u.Role {
+		role, err := op.GetRole(uint(rid))
+		if err != nil {
+			continue
+		}
+		for _, entry := range role.PermissionScopes {
+			if utils.PathEqual(entry.Path, reqPath) || utils.IsSubPath(entry.Path, reqPath) || utils.IsSubPath(reqPath, entry.Path) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// HasChildPermission checks whether any child path under reqPath grants the
+// specified permission bit.
+func HasChildPermission(u *model.User, reqPath string, bit uint) bool {
 	if u == nil {
 		return false
 	}
@@ -88,7 +117,7 @@ func canReadPathByRole(u *model.User, reqPath string) bool {
 			continue
 		}
 		for _, entry := range role.PermissionScopes {
-			if utils.IsSubPath(entry.Path, reqPath) {
+			if utils.IsSubPath(reqPath, entry.Path) && HasPermission(entry.Permission, bit) {
 				return true
 			}
 		}
@@ -102,7 +131,7 @@ func canReadPathByRole(u *model.User, reqPath string) bool {
 func CheckPathLimitWithRoles(u *model.User, reqPath string) bool {
 	perm := MergeRolePermissions(u, reqPath)
 	if HasPermission(perm, PermPathLimit) {
-		return canReadPathByRole(u, reqPath)
+		return CanReadPathByRole(u, reqPath)
 	}
 	return true
 }
--- a/server/handles/fsread.go
+++ b/server/handles/fsread.go
@@ -107,14 +107,21 @@ func FsList(c *gin.Context) {
 		common.ErrorResp(c, err, 500)
 		return
 	}
-	total, objs := pagination(objs, &req.PageReq)
+	filtered := make([]model.Obj, 0, len(objs))
+	for _, obj := range objs {
+		childPath := stdpath.Join(reqPath, obj.GetName())
+		if common.CanReadPathByRole(user, childPath) {
+			filtered = append(filtered, obj)
+		}
+	}
+	total, objs := pagination(filtered, &req.PageReq)
 	provider := "unknown"
 	storage, err := fs.GetStorage(reqPath, &fs.GetStoragesArgs{})
 	if err == nil {
 		provider = storage.GetStorage().Driver
 	}
 	common.SuccessResp(c, FsListResp{
-		Content:  toObjsResp(objs, reqPath, isEncrypt(meta, reqPath), user.ID),
+		Content:  toObjsResp(objs, reqPath, isEncrypt(meta, reqPath)),
 		Total:    int64(total),
 		Readme:   getReadme(meta, reqPath),
 		Header:   getHeader(meta, reqPath),
@@ -161,7 +168,14 @@ func FsDirs(c *gin.Context) {
 		common.ErrorResp(c, err, 500)
 		return
 	}
-	dirs := filterDirs(objs)
+	visible := make([]model.Obj, 0, len(objs))
+	for _, obj := range objs {
+		childPath := stdpath.Join(reqPath, obj.GetName())
+		if common.CanReadPathByRole(user, childPath) {
+			visible = append(visible, obj)
+		}
+	}
+	dirs := filterDirs(visible)
 	common.SuccessResp(c, dirs)
 }

@@ -224,12 +238,22 @@ func pagination(objs []model.Obj, req *model.PageReq) (int, []model.Obj) {
 	return total, objs[start:end]
 }

-func toObjsResp(objs []model.Obj, parent string, encrypt bool, userId uint) []ObjLabelResp {
+func toObjsResp(objs []model.Obj, parent string, encrypt bool) []ObjLabelResp {
 	var resp []ObjLabelResp
+
+	names := make([]string, 0, len(objs))
+	for _, obj := range objs {
+		if !obj.IsDir() {
+			names = append(names, obj.GetName())
+		}
+	}
+
+	labelsByName, _ := op.GetLabelsByFileNamesPublic(names)
+
 	for _, obj := range objs {
 		var labels []model.Label
-		if obj.IsDir() == false {
-			labels, _ = op.GetLabelByFileName(userId, obj.GetName())
+		if !obj.IsDir() {
+			labels = labelsByName[obj.GetName()]
 		}
 		thumb, _ := model.GetThumb(obj)
 		resp = append(resp, ObjLabelResp{
@@ -369,7 +393,7 @@ func FsGet(c *gin.Context) {
 		Readme:   getReadme(meta, reqPath),
 		Header:   getHeader(meta, reqPath),
 		Provider: provider,
-		Related:  toObjsResp(related, parentPath, isEncrypt(parentMeta, parentPath), user.ID),
+		Related:  toObjsResp(related, parentPath, isEncrypt(parentMeta, parentPath)),
 	})
 }

--- a/server/handles/label_file_binding.go
+++ b/server/handles/label_file_binding.go
@@ -8,7 +8,9 @@ import (
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
+	"net/url"
 	"strconv"
+	"strings"
 )

 type DelLabelFileBinDingReq struct {
@@ -16,18 +18,36 @@ type DelLabelFileBinDingReq struct {
 	LabelId  string `json:"label_id"`
 }

+type pageResp[T any] struct {
+	Content []T   `json:"content"`
+	Total   int64 `json:"total"`
+}
+
+type restoreLabelBindingsReq struct {
+	KeepIDs  bool                     `json:"keep_ids"`
+	Override bool                     `json:"override"`
+	Bindings []model.LabelFileBinding `json:"bindings"`
+}
+
 func GetLabelByFileName(c *gin.Context) {
 	fileName := c.Query("file_name")
 	if fileName == "" {
 		common.ErrorResp(c, errors.New("file_name must not empty"), 400)
 		return
 	}
+	decodedFileName, err := url.QueryUnescape(fileName)
+	if err != nil {
+		common.ErrorResp(c, errors.New("invalid file_name"), 400)
+		return
+	}
+	fmt.Println(">>> 原始 fileName:", fileName)
+	fmt.Println(">>> 解码后 fileName:", decodedFileName)
 	userObj, ok := c.Value("user").(*model.User)
 	if !ok {
 		common.ErrorStrResp(c, "user invalid", 401)
 		return
 	}
-	labels, err := op.GetLabelByFileName(userObj.ID, fileName)
+	labels, err := op.GetLabelByFileName(userObj.ID, decodedFileName)
 	if err != nil {
 		common.ErrorResp(c, err, 500, true)
 		return
@@ -101,3 +121,130 @@ func GetFileByLabel(c *gin.Context) {
 	}
 	common.SuccessResp(c, fileList)
 }
+
+func ListLabelFileBinding(c *gin.Context) {
+	userObj, ok := c.Value("user").(*model.User)
+	if !ok {
+		common.ErrorStrResp(c, "user invalid", 401)
+		return
+	}
+
+	pageStr := c.DefaultQuery("page", "1")
+	sizeStr := c.DefaultQuery("page_size", "50")
+	page, err := strconv.Atoi(pageStr)
+	if err != nil || page <= 0 {
+		page = 1
+	}
+	pageSize, err := strconv.Atoi(sizeStr)
+	if err != nil || pageSize <= 0 || pageSize > 200 {
+		pageSize = 50
+	}
+
+	fileName := c.Query("file_name")
+	labelIDStr := c.Query("label_id")
+	var labelIDs []uint
+	if labelIDStr != "" {
+		parts := strings.Split(labelIDStr, ",")
+		for _, p := range parts {
+			if p == "" {
+				continue
+			}
+			id64, err := strconv.ParseUint(strings.TrimSpace(p), 10, 64)
+			if err != nil {
+				common.ErrorResp(c, fmt.Errorf("invalid label_id '%s': %v", p, err), 400)
+				return
+			}
+			labelIDs = append(labelIDs, uint(id64))
+		}
+	}
+
+	list, total, err := db.ListLabelFileBinDing(userObj.ID, labelIDs, fileName, page, pageSize)
+	if err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c, pageResp[model.LabelFileBinding]{
+		Content: list,
+		Total:   total,
+	})
+}
+
+func RestoreLabelFileBinding(c *gin.Context) {
+	var req restoreLabelBindingsReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	if len(req.Bindings) == 0 {
+		common.ErrorStrResp(c, "empty bindings", 400)
+		return
+	}
+
+	if u, ok := c.Value("user").(*model.User); ok {
+		for i := range req.Bindings {
+			if req.Bindings[i].UserId == 0 {
+				req.Bindings[i].UserId = u.ID
+			}
+		}
+	}
+
+	for i := range req.Bindings {
+		b := req.Bindings[i]
+		if b.UserId == 0 || b.LabelId == 0 || strings.TrimSpace(b.FileName) == "" {
+			common.ErrorStrResp(c, "invalid binding: user_id/label_id/file_name required", 400)
+			return
+		}
+	}
+
+	if err := op.RestoreLabelFileBindings(req.Bindings, req.KeepIDs, req.Override); err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c, gin.H{
+		"msg": fmt.Sprintf("restored %d rows", len(req.Bindings)),
+	})
+}
+
+func CreateLabelFileBinDingBatch(c *gin.Context) {
+	var req struct {
+		Items []op.CreateLabelFileBinDingReq `json:"items" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil || len(req.Items) == 0 {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+
+	userObj, ok := c.Value("user").(*model.User)
+	if !ok {
+		common.ErrorStrResp(c, "user invalid", 401)
+		return
+	}
+
+	type perResult struct {
+		Name   string `json:"name"`
+		Ok     bool   `json:"ok"`
+		ErrMsg string `json:"errMsg,omitempty"`
+	}
+	results := make([]perResult, 0, len(req.Items))
+	succeed := 0
+
+	for _, item := range req.Items {
+		if item.IsDir {
+			results = append(results, perResult{Name: item.Name, Ok: false, ErrMsg: "Unable to bind folder"})
+			continue
+		}
+		if err := op.CreateLabelFileBinDing(item, userObj.ID); err != nil {
+			results = append(results, perResult{Name: item.Name, Ok: false, ErrMsg: err.Error()})
+			continue
+		}
+		succeed++
+		results = append(results, perResult{Name: item.Name, Ok: true})
+	}
+
+	common.SuccessResp(c, gin.H{
+		"total":   len(req.Items),
+		"succeed": succeed,
+		"failed":  len(req.Items) - succeed,
+		"results": results,
+	})
+}
--- a/server/handles/user.go
+++ b/server/handles/user.go
@@ -67,10 +67,10 @@ func UpdateUser(c *gin.Context) {
 			common.ErrorStrResp(c, "cannot change role of admin user", 403)
 			return
 		}
-		if user.Username != req.Username {
-			common.ErrorStrResp(c, "cannot change username of admin user", 403)
-			return
-		}
+		//if user.Username != req.Username {
+		//	common.ErrorStrResp(c, "cannot change username of admin user", 403)
+		//	return
+		//}
 	}

 	if req.Password == "" {
--- a/server/router.go
+++ b/server/router.go
@@ -92,6 +92,8 @@ func Init(e *gin.Engine) {

 	_fs(auth.Group("/fs"))
 	_task(auth.Group("/task", middlewares.AuthNotGuest))
+	_label(auth.Group("/label"))
+	_labelFileBinding(auth.Group("/label_file_binding"))
 	admin(auth.Group("/admin", middlewares.AuthAdmin))
 	if flags.Debug || flags.Dev {
 		debug(g.Group("/debug"))
@@ -170,17 +172,17 @@ func admin(g *gin.RouterGroup) {
 	index.GET("/progress", middlewares.SearchIndex, handles.GetProgress)

 	label := g.Group("/label")
-	label.GET("/list", handles.ListLabel)
-	label.GET("/get", handles.GetLabel)
 	label.POST("/create", handles.CreateLabel)
 	label.POST("/update", handles.UpdateLabel)
 	label.POST("/delete", handles.DeleteLabel)

 	labelFileBinding := g.Group("/label_file_binding")
-	labelFileBinding.GET("/get", handles.GetLabelByFileName)
-	labelFileBinding.GET("/get_file_by_label", handles.GetFileByLabel)
+	labelFileBinding.GET("/list", handles.ListLabelFileBinding)
 	labelFileBinding.POST("/create", handles.CreateLabelFileBinDing)
+	labelFileBinding.POST("/create_batch", handles.CreateLabelFileBinDingBatch)
 	labelFileBinding.POST("/delete", handles.DelLabelByFileName)
+	labelFileBinding.POST("/restore", handles.RestoreLabelFileBinding)
+
 }

 func _fs(g *gin.RouterGroup) {
@@ -216,6 +218,16 @@ func _task(g *gin.RouterGroup) {
 	handles.SetupTaskRoute(g)
 }

+func _label(g *gin.RouterGroup) {
+	g.GET("/list", handles.ListLabel)
+	g.GET("/get", handles.GetLabel)
+}
+
+func _labelFileBinding(g *gin.RouterGroup) {
+	g.GET("/get", handles.GetLabelByFileName)
+	g.GET("/get_file_by_label", handles.GetFileByLabel)
+}
+
 func Cors(r *gin.Engine) {
 	config := cors.DefaultConfig()
 	// config.AllowAllOrigins = true
--- a/server/webdav.go
+++ b/server/webdav.go
@@ -95,6 +95,9 @@ func WebDAVAuth(c *gin.Context) {
 		c.Abort()
 		return
 	}
+	if roles, err := op.GetRolesByUserID(user.ID); err == nil {
+		user.RolesDetail = roles
+	}
 	reqPath := c.Param("path")
 	if reqPath == "" {
 		reqPath = "/"
@@ -107,7 +110,8 @@ func WebDAVAuth(c *gin.Context) {
 		return
 	}
 	perm := common.MergeRolePermissions(user, reqPath)
-	if user.Disabled || !common.HasPermission(perm, common.PermWebdavRead) {
+	webdavRead := common.HasPermission(perm, common.PermWebdavRead)
+	if user.Disabled || (!webdavRead && (c.Request.Method != "PROPFIND" || !common.HasChildPermission(user, reqPath, common.PermWebdavRead))) {
 		if c.Request.Method == "OPTIONS" {
 			c.Set("user", guest)
 			c.Next()
--- a/server/webdav/file.go
+++ b/server/webdav/file.go
@@ -94,6 +94,7 @@ func walkFS(ctx context.Context, depth int, name string, info model.Obj, walkFn
 		depth = 0
 	}
 	meta, _ := op.GetNearestMeta(name)
+	user := ctx.Value("user").(*model.User)
 	// Read directory names.
 	objs, err := fs.List(context.WithValue(ctx, "meta", meta), name, &fs.ListArgs{})
 	//f, err := fs.OpenFile(ctx, name, os.O_RDONLY, 0)
@@ -108,6 +109,9 @@ func walkFS(ctx context.Context, depth int, name string, info model.Obj, walkFn

 	for _, fileInfo := range objs {
 		filename := path.Join(name, fileInfo.GetName())
+		if !common.CanReadPathByRole(user, filename) {
+			continue
+		}
 		if err != nil {
 			if err := walkFn(filename, fileInfo, err); err != nil && err != filepath.SkipDir {
 				return err
--- a/server/webdav/webdav.go
+++ b/server/webdav/webdav.go
@@ -648,6 +648,98 @@ func (h *Handler) handlePropfind(w http.ResponseWriter, r *http.Request) (status

 	mw := multistatusWriter{w: w}

+	if utils.PathEqual(reqPath, user.BasePath) {
+		hasRootPerm := false
+		for _, role := range user.RolesDetail {
+			for _, entry := range role.PermissionScopes {
+				if utils.PathEqual(entry.Path, user.BasePath) {
+					hasRootPerm = true
+					break
+				}
+			}
+			if hasRootPerm {
+				break
+			}
+		}
+		if !hasRootPerm {
+			basePaths := model.GetAllBasePathsFromRoles(user)
+			type infoItem struct {
+				path string
+				info model.Obj
+			}
+			infos := []infoItem{{reqPath, fi}}
+			seen := make(map[string]struct{})
+			for _, p := range basePaths {
+				if !utils.IsSubPath(user.BasePath, p) {
+					continue
+				}
+				rel := strings.TrimPrefix(
+					strings.TrimPrefix(
+						utils.FixAndCleanPath(p),
+						utils.FixAndCleanPath(user.BasePath),
+					),
+					"/",
+				)
+				dir := strings.Split(rel, "/")[0]
+				if dir == "" {
+					continue
+				}
+				if _, ok := seen[dir]; ok {
+					continue
+				}
+				seen[dir] = struct{}{}
+				sp := utils.FixAndCleanPath(path.Join(user.BasePath, dir))
+				info, err := fs.Get(ctx, sp, &fs.GetArgs{})
+				if err != nil {
+					continue
+				}
+				infos = append(infos, infoItem{sp, info})
+			}
+			for _, item := range infos {
+				var pstats []Propstat
+				if pf.Propname != nil {
+					pnames, err := propnames(ctx, h.LockSystem, item.info)
+					if err != nil {
+						return http.StatusInternalServerError, err
+					}
+					pstat := Propstat{Status: http.StatusOK}
+					for _, xmlname := range pnames {
+						pstat.Props = append(pstat.Props, Property{XMLName: xmlname})
+					}
+					pstats = append(pstats, pstat)
+				} else if pf.Allprop != nil {
+					pstats, err = allprop(ctx, h.LockSystem, item.info, pf.Prop)
+					if err != nil {
+						return http.StatusInternalServerError, err
+					}
+				} else {
+					pstats, err = props(ctx, h.LockSystem, item.info, pf.Prop)
+					if err != nil {
+						return http.StatusInternalServerError, err
+					}
+				}
+				rel := strings.TrimPrefix(
+					strings.TrimPrefix(
+						utils.FixAndCleanPath(item.path),
+						utils.FixAndCleanPath(user.BasePath),
+					),
+					"/",
+				)
+				href := utils.EncodePath(path.Join("/", h.Prefix, rel), true)
+				if href != "/" && item.info.IsDir() {
+					href += "/"
+				}
+				if err := mw.write(makePropstatResponse(href, pstats)); err != nil {
+					return http.StatusInternalServerError, err
+				}
+			}
+			if err := mw.close(); err != nil {
+				return http.StatusInternalServerError, err
+			}
+			return 0, nil
+		}
+	}
+
 	walkFn := func(reqPath string, info model.Obj, err error) error {
 		if err != nil {
 			return err
@@ -671,7 +763,14 @@ func (h *Handler) handlePropfind(w http.ResponseWriter, r *http.Request) (status
 		if err != nil {
 			return err
 		}
-		href := path.Join(h.Prefix, strings.TrimPrefix(reqPath, user.BasePath))
+		rel := strings.TrimPrefix(
+			strings.TrimPrefix(
+				utils.FixAndCleanPath(reqPath),
+				utils.FixAndCleanPath(user.BasePath),
+			),
+			"/",
+		)
+		href := utils.EncodePath(path.Join("/", h.Prefix, rel), true)
 		if href != "/" && info.IsDir() {
 			href += "/"
 		}
Author	SHA1	Message	Date
千石	fcfb3369d1	fix: webdav error location (#9266 ) * feat: improve WebDAV permission handling and user role fetching - Added logic to handle root permissions in WebDAV requests. - Improved the user role fetching mechanism. - Enhanced path checks and permission scopes in role_perm.go. - Set FetchRole function to avoid import cycles between modules. * fix(webdav): resolve connection reset issue by encoding paths - Adjust path encoding in webdav.go to prevent connection reset. - Utilize utils.EncodePath for correct path formatting. - Ensure proper handling of directory paths with trailing slash. * fix(webdav): resolve connection reset issue by encoding paths - Adjust path encoding in webdav.go to prevent connection reset. - Utilize utils.FixAndCleanPath for correct path formatting. - Ensure proper handling of directory paths with trailing slash. * fix: resolve webdav handshake error in permission checks - Updated role permission logic to handle bidirectional subpaths. - This adjustment fixes the issue where remote host terminates the handshake due to improper path matching. * fix: resolve webdav handshake error in permission checks (fix/fix-webdav-error) - Updated role permission logic to handle bidirectional subpaths, fixing handshake termination by remote host due to path mismatch. - Refactored function naming for consistency and clarity. - Enhanced filtering of objects based on user permissions. * fix: resolve webdav handshake error in permission checks - Updated role permission logic to handle bidirectional subpaths, fixing handshake termination by remote host due to path mismatch. - Refactored function naming for consistency and clarity. - Enhanced filtering of objects based on user permissions.	2025-08-15 23:10:55 +08:00
千石	aea3ba1499	feat: add tag backup and fix bugs (#9265 ) * feat(label): enhance label file binding and router setup (feat/add-tag-backup) - Add `GetLabelsByFileNamesPublic` to retrieve labels using file names. - Refactor router setup for label and file binding routes. - Improve `toObjsResp` for efficient label retrieval by file names. - Comment out unnecessary user ID parameter in `toObjsResp`. * feat(label): enhance label file binding and router setup - Add `GetLabelsByFileNamesPublic` for label retrieval by file names. - Refactor router setup for label and file binding routes. - Improve `toObjsResp` for efficient label retrieval by file names. - Comment out unnecessary user ID parameter in `toObjsResp`. * refactor(db): comment out debug print in GetLabelIds (#feat/add-tag-backup) - Comment out debug print statement in GetLabelIds to clean up logs. - Enhance code readability by removing unnecessary debug output. * feat(label-file-binding): add batch creation and improve label ID handling - Introduced `CreateLabelFileBinDingBatch` API for batch label binding. - Added `collectLabelIDs` helper function to handle label ID parsing. - Enhanced label ID handling to support varied delimiters and input formats. - Refactored `CreateLabelFileBinDing` logic for improved code readability. - Updated router to include `POST /label_file_binding/create_batch`.	2025-08-15 23:09:00 +08:00
千石	6b2d81eede	feat(user): enhance path management and role handling (#9249 ) - Add `GetUsersByRole` function for fetching users by role. - Introduce `GetAllBasePathsFromRoles` to aggregate paths from roles. - Refine path handling in `pkg/utils/path.go` for normalization. - Comment out base path prefix updates to simplify role operations.	2025-08-06 16:31:36 +08:00
千石	85fe4e5bb3	feat(alist_v3): add IntSlice type for JSON unmarshalling (#9247 ) - Add `IntSlice` type to handle both single int and array in JSON. - Modify `MeResp` struct to use `IntSlice` for `Role` field. - Import `encoding/json` for JSON operations.	2025-08-04 12:02:45 +08:00
千石	52da07e8a7	feat(123_open): add new driver support for 123 Open (#9246 ) - Implement new driver for 123 Open service, enabling file operations such as listing, uploading, moving, and removing files. - Introduce token management for authentication and authorization. - Add API integration for various file operations and actions. - Include utility functions for handling API requests and responses. - Register the new driver in the existing drivers' list.	2025-08-04 11:56:57 +08:00
Sky_slience	46de9e9ebb	fix(driver): 123 download and modify request headers on the frontend (#9236 ) Co-authored-by: Sky_slience <Skyslience@spdzy.com>	2025-08-03 20:00:09 +08:00
千石	ae90fb579b	feat(log): enhance log formatter to respect NO_COLOR env variable (#9239 ) - Adjust log formatter to disable colors when NO_COLOR or ALIST_NO_COLOR environment variables are set. - Reorganize formatter settings for better readability.	2025-08-03 09:26:23 +08:00
Sky_slience	394a18cbd9	Fix 123 download (#9235 ) * fix(driver): handle additional HTTP status code 210 for URL redirection * fix(driver): 123 download url error --------- Co-authored-by: Sky_slience <Skyslience@spdzy.com>	2025-07-30 16:55:32 +08:00