fix: check password while upload (close #2444)

2022-11-22 16:14:01 +08:00
parent c09800790b
commit 85e1350af8
6 changed files with 81 additions and 63 deletions
--- a/server/middlewares/fsup.go
+++ b/server/middlewares/fsup.go
@ -0,0 +1,40 @@
+package middlewares
+
+import (
+	"net/url"
+	stdpath "path"
+
+	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/errs"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/server/common"
+	"github.com/gin-gonic/gin"
+	"github.com/pkg/errors"
+)
+
+func FsUp(c *gin.Context) {
+	path := c.GetHeader("File-Path")
+	password := c.GetHeader("Password")
+	path, err := url.PathUnescape(path)
+	if err != nil {
+		common.ErrorResp(c, err, 400)
+		c.Abort()
+		return
+	}
+	user := c.MustGet("user").(*model.User)
+	path = stdpath.Join(user.BasePath, path)
+	meta, err := db.GetNearestMeta(stdpath.Dir(path))
+	if err != nil {
+		if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
+			common.ErrorResp(c, err, 500, true)
+			c.Abort()
+			return
+		}
+	}
+	if !(common.CanAccess(user, meta, path, password) && (user.CanWrite() || common.CanWrite(meta, path))) {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		c.Abort()
+		return
+	}
+	c.Next()
+}