feat: support general users view and cancel own tasks (#7416 close #7398)

* feat: support general users view and cancel own tasks

Add a creator attribute to the upload, copy and offline download
tasks, so that a GENERAL task creator can view and cancel them.

BREAKING CHANGE:

1. A new internal package `task` including the struct `TaskWithCreator`
   which embeds `tache.Base` is created, and the past dependence on
   `tache.Task` will all be transferred to dependence on this package.
2. The API `/admin/task` can now also be accessed via `/task`, and the
   old endpoint is retained to ensure compatibility with legacy
   automation scripts.

Closes #7398

* fix(deps): update github.com/xhofe/tache to v0.1.3

server/handles/fsmanage.go

@@ -2,7 +2,7 @@ package handles
 
 import (
 	"fmt"
-	"github.com/xhofe/tache"
+	"github.com/alist-org/alist/v3/internal/task"
 	"io"
 	stdpath "path"
 
@@ -121,7 +121,7 @@ func FsCopy(c *gin.Context) {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	var addedTasks []tache.TaskWithInfo
+	var addedTasks []task.TaskInfoWithCreator
 	for i, name := range req.Names {
 		t, err := fs.Copy(c, stdpath.Join(srcDir, name), dstDir, len(req.Names) > i+1)
 		if t != nil {

server/handles/fsup.go

@@ -1,17 +1,16 @@
 package handles
 
 import (
-	"github.com/xhofe/tache"
+	"github.com/alist-org/alist/v3/internal/task"
 	"io"
 	"net/url"
 	stdpath "path"
 	"strconv"
 	"time"
 
-	"github.com/alist-org/alist/v3/internal/stream"
-
 	"github.com/alist-org/alist/v3/internal/fs"
 	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/stream"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 )
@@ -58,9 +57,9 @@ func FsStream(c *gin.Context) {
 		Mimetype:     c.GetHeader("Content-Type"),
 		WebPutAsTask: asTask,
 	}
-	var t tache.TaskWithInfo
+	var t task.TaskInfoWithCreator
 	if asTask {
-		t, err = fs.PutAsTask(dir, s)
+		t, err = fs.PutAsTask(c, dir, s)
 	} else {
 		err = fs.PutDirectly(c, dir, s, true)
 	}
@@ -123,12 +122,12 @@ func FsForm(c *gin.Context) {
 		Mimetype:     file.Header.Get("Content-Type"),
 		WebPutAsTask: asTask,
 	}
-	var t tache.TaskWithInfo
+	var t task.TaskInfoWithCreator
 	if asTask {
 		s.Reader = struct {
 			io.Reader
 		}{f}
-		t, err = fs.PutAsTask(dir, &s)
+		t, err = fs.PutAsTask(c, dir, &s)
 	} else {
 		ss, err := stream.NewSeekableStream(s, nil)
 		if err != nil {

server/handles/offline_download.go

@@ -5,9 +5,9 @@ import (
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/offline_download/tool"
 	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/internal/task"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
-	"github.com/xhofe/tache"
 )
 
 type SetAria2Req struct {
@@ -133,7 +133,7 @@ func AddOfflineDownload(c *gin.Context) {
 		common.ErrorResp(c, err, 403)
 		return
 	}
-	var tasks []tache.TaskWithInfo
+	var tasks []task.TaskInfoWithCreator
 	for _, url := range req.Urls {
 		t, err := tool.AddURL(c, &tool.AddURLArgs{
 			URL:          url,

server/handles/task.go

@@ -1,6 +1,8 @@
 package handles
 
 import (
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/task"
 	"math"
 
 	"github.com/alist-org/alist/v3/internal/fs"
@@ -12,15 +14,17 @@ import (
 )
 
 type TaskInfo struct {
-	ID       string      `json:"id"`
-	Name     string      `json:"name"`
-	State    tache.State `json:"state"`
-	Status   string      `json:"status"`
-	Progress float64     `json:"progress"`
-	Error    string      `json:"error"`
+	ID          string      `json:"id"`
+	Name        string      `json:"name"`
+	Creator     string      `json:"creator"`
+	CreatorRole int         `json:"creator_role"`
+	State       tache.State `json:"state"`
+	Status      string      `json:"status"`
+	Progress    float64     `json:"progress"`
+	Error       string      `json:"error"`
 }
 
-func getTaskInfo[T tache.TaskWithInfo](task T) TaskInfo {
+func getTaskInfo[T task.TaskInfoWithCreator](task T) TaskInfo {
 	errMsg := ""
 	if task.GetErr() != nil {
 		errMsg = task.GetErr().Error()
@@ -30,62 +34,142 @@ func getTaskInfo[T tache.TaskWithInfo](task T) TaskInfo {
 	if math.IsNaN(progress) {
 		progress = 100
 	}
+	creatorName := ""
+	creatorRole := -1
+	if task.GetCreator() != nil {
+		creatorName = task.GetCreator().Username
+		creatorRole = task.GetCreator().Role
+	}
 	return TaskInfo{
-		ID:       task.GetID(),
-		Name:     task.GetName(),
-		State:    task.GetState(),
-		Status:   task.GetStatus(),
-		Progress: progress,
-		Error:    errMsg,
+		ID:          task.GetID(),
+		Name:        task.GetName(),
+		Creator:     creatorName,
+		CreatorRole: creatorRole,
+		State:       task.GetState(),
+		Status:      task.GetStatus(),
+		Progress:    progress,
+		Error:       errMsg,
 	}
 }
 
-func getTaskInfos[T tache.TaskWithInfo](tasks []T) []TaskInfo {
+func getTaskInfos[T task.TaskInfoWithCreator](tasks []T) []TaskInfo {
 	return utils.MustSliceConvert(tasks, getTaskInfo[T])
 }
 
-func taskRoute[T tache.TaskWithInfo](g *gin.RouterGroup, manager *tache.Manager[T]) {
-	g.GET("/undone", func(c *gin.Context) {
-		common.SuccessResp(c, getTaskInfos(manager.GetByState(tache.StatePending, tache.StateRunning,
-			tache.StateCanceling, tache.StateErrored, tache.StateFailing, tache.StateWaitingRetry, tache.StateBeforeRetry)))
-	})
-	g.GET("/done", func(c *gin.Context) {
-		common.SuccessResp(c, getTaskInfos(manager.GetByState(tache.StateCanceled, tache.StateFailed, tache.StateSucceeded)))
-	})
-	g.POST("/info", func(c *gin.Context) {
-		tid := c.Query("tid")
-		task, ok := manager.GetByID(tid)
+func argsContains[T comparable](v T, slice ...T) bool {
+	return utils.SliceContains(slice, v)
+}
+
+func getUserInfo(c *gin.Context) (bool, uint, bool) {
+	if user, ok := c.Value("user").(*model.User); ok {
+		return user.IsAdmin(), user.ID, true
+	} else {
+		return false, 0, false
+	}
+}
+
+func getTargetedHandler[T task.TaskInfoWithCreator](manager *tache.Manager[T], callback func(c *gin.Context, task T)) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		t, ok := manager.GetByID(c.Query("tid"))
 		if !ok {
 			common.ErrorStrResp(c, "task not found", 404)
 			return
 		}
+		if !isAdmin && uid != t.GetCreator().ID {
+			// to avoid an attacker using error messages to guess valid TID, return a 404 rather than a 403
+			common.ErrorStrResp(c, "task not found", 404)
+			return
+		}
+		callback(c, t)
+	}
+}
+
+func taskRoute[T task.TaskInfoWithCreator](g *gin.RouterGroup, manager *tache.Manager[T]) {
+	g.GET("/undone", func(c *gin.Context) {
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		common.SuccessResp(c, getTaskInfos(manager.GetByCondition(func(task T) bool {
+			// avoid directly passing the user object into the function to reduce closure size
+			return (isAdmin || uid == task.GetCreator().ID) &&
+				argsContains(task.GetState(), tache.StatePending, tache.StateRunning, tache.StateCanceling,
+					tache.StateErrored, tache.StateFailing, tache.StateWaitingRetry, tache.StateBeforeRetry)
+		})))
+	})
+	g.GET("/done", func(c *gin.Context) {
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		common.SuccessResp(c, getTaskInfos(manager.GetByCondition(func(task T) bool {
+			return (isAdmin || uid == task.GetCreator().ID) &&
+				argsContains(task.GetState(), tache.StateCanceled, tache.StateFailed, tache.StateSucceeded)
+		})))
+	})
+	g.POST("/info", getTargetedHandler(manager, func(c *gin.Context, task T) {
 		common.SuccessResp(c, getTaskInfo(task))
-	})
-	g.POST("/cancel", func(c *gin.Context) {
-		tid := c.Query("tid")
-		manager.Cancel(tid)
+	}))
+	g.POST("/cancel", getTargetedHandler(manager, func(c *gin.Context, task T) {
+		manager.Cancel(task.GetID())
 		common.SuccessResp(c)
-	})
-	g.POST("/delete", func(c *gin.Context) {
-		tid := c.Query("tid")
-		manager.Remove(tid)
+	}))
+	g.POST("/delete", getTargetedHandler(manager, func(c *gin.Context, task T) {
+		manager.Remove(task.GetID())
 		common.SuccessResp(c)
-	})
-	g.POST("/retry", func(c *gin.Context) {
-		tid := c.Query("tid")
-		manager.Retry(tid)
+	}))
+	g.POST("/retry", getTargetedHandler(manager, func(c *gin.Context, task T) {
+		manager.Retry(task.GetID())
 		common.SuccessResp(c)
-	})
+	}))
 	g.POST("/clear_done", func(c *gin.Context) {
-		manager.RemoveByState(tache.StateCanceled, tache.StateFailed, tache.StateSucceeded)
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		manager.RemoveByCondition(func(task T) bool {
+			return (isAdmin || uid == task.GetCreator().ID) &&
+				argsContains(task.GetState(), tache.StateCanceled, tache.StateFailed, tache.StateSucceeded)
+		})
 		common.SuccessResp(c)
 	})
 	g.POST("/clear_succeeded", func(c *gin.Context) {
-		manager.RemoveByState(tache.StateSucceeded)
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		manager.RemoveByCondition(func(task T) bool {
+			return (isAdmin || uid == task.GetCreator().ID) && task.GetState() == tache.StateSucceeded
+		})
 		common.SuccessResp(c)
 	})
 	g.POST("/retry_failed", func(c *gin.Context) {
-		manager.RetryAllFailed()
+		isAdmin, uid, ok := getUserInfo(c)
+		if !ok {
+			// if there is no bug, here is unreachable
+			common.ErrorStrResp(c, "user invalid", 401)
+			return
+		}
+		tasks := manager.GetByCondition(func(task T) bool {
+			return (isAdmin || uid == task.GetCreator().ID) && task.GetState() == tache.StateFailed
+		})
+		for _, t := range tasks {
+			manager.Retry(t.GetID())
+		}
 		common.SuccessResp(c)
 	})
 }

server/middlewares/auth.go

@@ -127,6 +127,16 @@ func Authn(c *gin.Context) {
 	c.Next()
 }
 
+func AuthNotGuest(c *gin.Context) {
+	user := c.MustGet("user").(*model.User)
+	if user.IsGuest() {
+		common.ErrorStrResp(c, "You are a guest", 403)
+		c.Abort()
+	} else {
+		c.Next()
+	}
+}
+
 func AuthAdmin(c *gin.Context) {
 	user := c.MustGet("user").(*model.User)
 	if !user.IsAdmin() {

server/router.go

@@ -76,6 +76,7 @@ func Init(e *gin.Engine) {
 	public.Any("/offline_download_tools", handles.OfflineDownloadTools)
 
 	_fs(auth.Group("/fs"))
+	_task(auth.Group("/task", middlewares.AuthNotGuest))
 	admin(auth.Group("/admin", middlewares.AuthAdmin))
 	if flags.Debug || flags.Dev {
 		debug(g.Group("/debug"))
@@ -127,8 +128,8 @@ func admin(g *gin.RouterGroup) {
 	setting.POST("/set_qbit", handles.SetQbittorrent)
 	setting.POST("/set_transmission", handles.SetTransmission)
 
-	task := g.Group("/task")
-	handles.SetupTaskRoute(task)
+	// retain /admin/task API to ensure compatibility with legacy automation scripts
+	_task(g.Group("/task"))
 
 	ms := g.Group("/message")
 	ms.POST("/get", message.HttpInstance.GetHandle)
@@ -166,6 +167,10 @@ func _fs(g *gin.RouterGroup) {
 	g.POST("/add_offline_download", handles.AddOfflineDownload)
 }
 
+func _task(g *gin.RouterGroup) {
+	handles.SetupTaskRoute(g)
+}
+
 func Cors(r *gin.Engine) {
 	config := cors.DefaultConfig()
 	// config.AllowAllOrigins = true