ProjectHentai/alist
6
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(permission): enhance the strictness of permissions (#7705 close #7680)

Browse Source 
* fix(permission): enhance the strictness of permissions

* fix: add initial permissions to admin
This commit is contained in:
KirCute_ECT
2024-12-25 21:17:58 +08:00
committed by GitHub
parent 5ecf5e823c
commit 48916cdedf
4 changed files with 57 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
server/webdav.go
View File

@ -11,7 +11,6 @@ import (
"github.com/alist-org/alist/v3/internal/model"
"github.com/alist-org/alist/v3/internal/op"
"github.com/alist-org/alist/v3/internal/setting"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/server/webdav"
"github.com/gin-gonic/gin"
log "github.com/sirupsen/logrus"
@ -99,12 +98,27 @@ func WebDAVAuth(c *gin.Context) {
c.Abort()
return
}
if !user.CanWebdavManage() && utils.SliceContains([]string{"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE"}, c.Request.Method) {
if c.Request.Method == "OPTIONS" {
c.Set("user", guest)
c.Next()
return
}
if (c.Request.Method == "PUT" || c.Request.Method == "MKCOL") && (!user.CanWebdavManage() || !user.CanWrite()) {
c.Status(http.StatusForbidden)
c.Abort()
return
}
if c.Request.Method == "MOVE" && (!user.CanWebdavManage() || (!user.CanMove() && !user.CanRename())) {
c.Status(http.StatusForbidden)
c.Abort()
return
}
if c.Request.Method == "COPY" && (!user.CanWebdavManage() || !user.CanCopy()) {
c.Status(http.StatusForbidden)
c.Abort()
return
}
if c.Request.Method == "DELETE" && (!user.CanWebdavManage() || !user.CanRemove()) {
c.Status(http.StatusForbidden)
c.Abort()
return
}
if c.Request.Method == "PROPPATCH" && !user.CanWebdavManage() {
c.Status(http.StatusForbidden)
c.Abort()
return

7
server/webdav/file.go
View File

@ -33,6 +33,13 @@ func moveFiles(ctx context.Context, src, dst string, overwrite bool) (status int
dstDir := path.Dir(dst)
srcName := path.Base(src)
dstName := path.Base(dst)
user := ctx.Value("user").(*model.User)
if srcDir != dstDir && !user.CanMove() {
return http.StatusForbidden, nil
}
if srcName != dstName && !user.CanRename() {
return http.StatusForbidden, nil
}
if srcDir == dstDir {
err = fs.Rename(ctx, src, dstName)
} else {