fix(permission): enhance the strictness of permissions (#7705 close #7680)

* fix(permission): enhance the strictness of permissions * fix: add initial permissions to admin
2024-12-25 21:17:58 +08:00
parent 5ecf5e823c
commit 48916cdedf
4 changed files with 57 additions and 33 deletions
--- a/server/webdav/file.go
+++ b/server/webdav/file.go
@ -33,6 +33,13 @@ func moveFiles(ctx context.Context, src, dst string, overwrite bool) (status int
 	dstDir := path.Dir(dst)
 	srcName := path.Base(src)
 	dstName := path.Base(dst)
+	user := ctx.Value("user").(*model.User)
+	if srcDir != dstDir && !user.CanMove() {
+		return http.StatusForbidden, nil
+	}
+	if srcName != dstName && !user.CanRename() {
+		return http.StatusForbidden, nil
+	}
 	if srcDir == dstDir {
 		err = fs.Rename(ctx, src, dstName)
 	} else {