fix(permission): enhance the strictness of permissions (#7705 close #7680)

* fix(permission): enhance the strictness of permissions * fix: add initial permissions to admin
2024-12-25 21:17:58 +08:00
parent 5ecf5e823c
commit 48916cdedf
4 changed files with 57 additions and 33 deletions
--- a/internal/bootstrap/data/user.go
+++ b/internal/bootstrap/data/user.go
@ -26,12 +26,13 @@ func initUser() {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			salt := random.String(16)
 			admin = &model.User{
-				Username: "admin",
-				Salt:     salt,
-				PwdHash:  model.TwoHashPwd(adminPassword, salt),
-				Role:     model.ADMIN,
-				BasePath: "/",
-				Authn:    "[]",
+				Username:   "admin",
+				Salt:       salt,
+				PwdHash:    model.TwoHashPwd(adminPassword, salt),
+				Role:       model.ADMIN,
+				BasePath:   "/",
+				Authn:      "[]",
+				Permission: 0xFF, // 0(can see hidden) - 7(can remove)
 			}
 			if err := op.CreateUser(admin); err != nil {
 				panic(err)
--- a/internal/model/user.go
+++ b/internal/model/user.go
@ -32,16 +32,18 @@ type User struct {
 	Role     int    `json:"role"`                                      // user's role
 	Disabled bool   `json:"disabled"`
 	// Determine permissions by bit
-	//   0: can see hidden files
-	//   1: can access without password
-	//   2: can add offline download tasks
-	//   3: can mkdir and upload
-	//   4: can rename
-	//   5: can move
-	//   6: can copy
-	//   7: can remove
-	//   8: webdav read
-	//   9: webdav write
+	//   0:  can see hidden files
+	//   1:  can access without password
+	//   2:  can add offline download tasks
+	//   3:  can mkdir and upload
+	//   4:  can rename
+	//   5:  can move
+	//   6:  can copy
+	//   7:  can remove
+	//   8:  webdav read
+	//   9:  webdav write
+	//   10: ftp/sftp login and read
+	//   11: ftp/sftp write
 	Permission int32  `json:"permission"`
 	OtpSecret  string `json:"-"`
 	SsoID      string `json:"sso_id"` // unique by sso platform
@ -78,43 +80,43 @@ func (u *User) SetPassword(pwd string) *User {
 }

 func (u *User) CanSeeHides() bool {
-	return u.IsAdmin() || u.Permission&1 == 1
+	return u.Permission&1 == 1
 }

 func (u *User) CanAccessWithoutPassword() bool {
-	return u.IsAdmin() || (u.Permission>>1)&1 == 1
+	return (u.Permission>>1)&1 == 1
 }

 func (u *User) CanAddOfflineDownloadTasks() bool {
-	return u.IsAdmin() || (u.Permission>>2)&1 == 1
+	return (u.Permission>>2)&1 == 1
 }

 func (u *User) CanWrite() bool {
-	return u.IsAdmin() || (u.Permission>>3)&1 == 1
+	return (u.Permission>>3)&1 == 1
 }

 func (u *User) CanRename() bool {
-	return u.IsAdmin() || (u.Permission>>4)&1 == 1
+	return (u.Permission>>4)&1 == 1
 }

 func (u *User) CanMove() bool {
-	return u.IsAdmin() || (u.Permission>>5)&1 == 1
+	return (u.Permission>>5)&1 == 1
 }

 func (u *User) CanCopy() bool {
-	return u.IsAdmin() || (u.Permission>>6)&1 == 1
+	return (u.Permission>>6)&1 == 1
 }

 func (u *User) CanRemove() bool {
-	return u.IsAdmin() || (u.Permission>>7)&1 == 1
+	return (u.Permission>>7)&1 == 1
 }

 func (u *User) CanWebdavRead() bool {
-	return u.IsAdmin() || (u.Permission>>8)&1 == 1
+	return (u.Permission>>8)&1 == 1
 }

 func (u *User) CanWebdavManage() bool {
-	return u.IsAdmin() || (u.Permission>>9)&1 == 1
+	return (u.Permission>>9)&1 == 1
 }

 func (u *User) CanFTPAccess() bool {